New ClickFix Attack Abuses Nslookup to Retrieve PowerShell Payload Via DNS

upstart writes:

New ClickFix attack abuses nslookup to retrieve PowerShell payload via DNS:

Threat actors are now abusing DNS queries as part of ClickFix social engineering attacks to deliver malware, making this the first known use of DNS as a channel in these campaigns.

ClickFix attacks typically trick users into manually executing malicious commands under the guise of fixing errors, installing updates, or enabling functionality.

However, this new variant uses a novel technique in which an attacker-controlled DNS server delivers the second-stage payload via DNS lookups.

In a new ClickFix campaign seen by Microsoft, victims are instructed to run the nslookup command that queries an attacker-controlled DNS server instead of the system's default DNS server.

The command returns a query containing a malicious PowerShell script that is then executed on the device to install malware.

"Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: Asking targets to run a command that executes a custom DNS lookup and parses the Name: response to receive the next-stage payload for execution," reads an X post from Microsoft Threat Intelligence.

While it is unclear what the lure is to trick users into running the command, Microsoft says the ClickFix attack instructs users to run the command in the Windows Run dialog box.

This command will issue a DNS lookup for the hostname "example.com" against the threat actor's DNS server at 84[.]21.189[.]20 and then execute the resulting response via the Windows command interpreter (cmd.exe).

This DNS response returns a "NAME:" field that contains the second PowerShell payload that is executed on the device.

Read more of this story at SoylentNews.