Microsoft Discloses DNS-Based ClickFix Attack Using Nslookup for Malware Staging

Microsoft recently revealed details about a new version of the ClickFix social engineering tactic, where attackers deceive users into running commands that conduct a Domain Name System (DNS) lookup to fetch the next-stage payload.

This attack method involves using the “nslookup” command to perform a custom DNS lookup triggered through the Windows Run dialog.

ClickFix has gained popularity and typically arrives through phishing or malvertising, redirecting victims to fake landing pages with instructions to run commands via the Windows Run dialog or macOS Terminal app.

The attackers rely on victims infecting their own machines with malware, which lets the attackers bypass security controls. ClickFix has evolved into variants like FileFix, JackFix, ConsentFix, CrashFix, and GlitchFix.

In this latest DNS-based staging using ClickFix, the initial command runs through cmd.exe to perform a DNS lookup against an external DNS server. The extracted DNS response is executed as the second-stage payload.

Microsoft described this new ClickFix variation as using DNS as a “lightweight staging or signaling channel” to enable the threat actors to establish control over their infrastructure and add a new validation layer before executing the second-stage payload.

Using DNS in this way reduces reliance on traditional web requests and helps blend malicious activity into normal network traffic.
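As an added defensive illustration (not code from Microsoft's report), the following Python heuristic flags process-creation events that match the staging pattern described above: a cmd.exe launched from the Run dialog (parent process explorer.exe) that invokes nslookup against a resolver outside the organisation's own DNS servers. The event layout, resolver addresses and host names are constructed assumptions for the example.

```python
# Heuristic detector for the DNS-staged ClickFix pattern: a user-launched cmd.exe
# (Run dialog, so parent explorer.exe) invoking nslookup against a resolver that is
# not one of the organisation's own DNS servers. Event layout is a constructed,
# simplified Sysmon-style record, not real telemetry.
import ipaddress
import re

CORP_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}  # assumed corporate resolver
NSLOOKUP_RE = re.compile(r"nslookup(?:\.exe)?\s+(?P<args>[^&|]*)", re.IGNORECASE)

def external_resolver(cmdline: str):
    """Return the explicit resolver handed to nslookup, or None if absent or corporate."""
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    tokens = [t.strip("'\"") for t in m.group("args").split()]
    # Syntax: nslookup [-option ...] name [server]. A bare "-" is the interactive
    # form where the server is the next token, so keep it as a positional.
    positionals = [t for t in tokens if t == "-" or not t.startswith("-")]
    if len(positionals) < 2:
        return None  # no explicit server: system resolver, lower signal
    server = positionals[-1]
    try:
        if ipaddress.ip_address(server) in CORP_RESOLVERS:
            return None
    except ValueError:
        pass  # resolver given as a hostname: treat as external
    return server

def is_clickfix_dns_staging(event: dict) -> bool:
    """Interactive launch (explorer.exe parent) + cmd.exe + nslookup to an external resolver."""
    if event["parent"].lower() != "explorer.exe":
        return False
    if not event["image"].lower().endswith("cmd.exe"):
        return False
    return external_resolver(event["cmdline"]) is not None

# Constructed sample events (addresses are documentation ranges, names are .invalid).
EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c nslookup -type=txt stage.invalid 203.0.113.10"},
    {"id": 2, "parent": "powershell.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c nslookup mail.corp.invalid 10.0.0.53"},
    {"id": 3, "parent": "explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c nslookup www.example.com"},
]

def flagged_event_ids(events=EVENTS):
    """IDs of events matching the heuristic; for the samples above this is [1]."""
    return [e["id"] for e in events if is_clickfix_dns_staging(e)]
```

Only the Run-dialog launch that names an external resolver is flagged; an administrator's lookup against the corporate resolver from a PowerShell session and a plain lookup with no explicit server are left alone, so the rule should be tuned to the resolvers actually in use before deployment.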

The downloaded payload triggers an attack chain leading to the download of a ZIP archive from an external server, extracting a malicious Python script that performs reconnaissance, runs discovery commands, and drops a Visual Basic Script (VBScript) to launch ModeloRAT, a Python-based remote access trojan previously distributed through CrashFix.

To maintain persistence, a Windows shortcut (LNK) file pointing to the VBScript is created in the Windows Startup folder, ensuring the malware runs automatically on system startup.

Bitdefender has separately warned of increased Lumma Stealer activity, driven by ClickFix-style fake CAPTCHA campaigns deploying CastleLoader, while other campaigns have leveraged websites offering cracked software downloads to distribute Lumma Stealer through various loaders.

These developments coincide with multiple campaigns using social engineering lures, including ClickFix, to deliver various stealers and malware loaders targeting different platforms.

A recent analysis by Flare found that threat actors are increasingly targeting Apple macOS with infostealers and sophisticated tools, with a specific focus on cryptocurrency theft.

Organizations with Mac users need detection capabilities for macOS-specific tactics to combat the evolving threat landscape.