Thursday, December 5, 2024
HomeCyber Security NewsBeware Of Phishing Emails Prompting Execution Via Paste (CTRL+V)

Beware Of Phishing Emails Prompting Execution Via Paste (CTRL+V)

Published on

SIEM as a Service

Phishing attackers are distributing malicious HTML files as email attachments, containing code designed to exploit users by prompting them to directly paste and execute the code, which leverages social engineering, as users are tricked into running the malicious code themselves by pasting it into a vulnerable application. 

A phishing campaign uses social engineering tactics by employing email subjects that trigger a sense of urgency (e.g., fee processing, operation instruction reviews), containing malicious HTML attachments disguised as legitimate Microsoft Word documents.

Phishing emails

Upon opening the attachment, the user is presented with a deceptive message visually resembling a Word document, which typically includes a button labeled “How to Fix” or similar, serving as the social engineering lure.

- Advertisement - SIEM as a Service

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis 

Clicking this button is the intended exploit vector, and it likely initiates malicious activities such as malware downloads or sensitive data exfiltration.

When the user clicks “How to Fix,”  a malicious JavaScript file is downloaded.

The file encodes a PowerShell command using Base64 and then instructs the user to either use a keyboard shortcut (Win+R, CTRL+V, Enter) or open PowerShell and run the command manually. 

Saving the malicious PowerShell command into the user’s clipboard

Once the user follows these instructions, the JavaScript decodes the Base64-encoded command, places it in the clipboard, and executes the PowerShell command, potentially harming the user’s system. 

The malicious email attachment triggers a PowerShell script download from the Command and Control server (C2), which wipes the clipboard and executes another PowerShell command also retrieved from C2. 

The first PowerShell script downloads an HTA file before executing the second one, and an embedded Autoit executable within a ZIP file uses a compiled Autoit script to complete the infection chain. 

Overall flow

According to ASEC, DarkGate malware leverages AutoIt scripts to bypass detection and establish persistence, which is often obfuscated for further evasion, download, and execute the main payload. 

Due to DarkGate’s multi-stage infection process, traditional signature-based methods may fail.

Users should exercise caution when handling files from untrusted sources, particularly email attachments and URLs, to mitigate the risk of DarkGate infection. 

The system detected multiple threats, including phishing emails (HTML.ClipBoard.SC199655), malicious scripts (VBScript, PowerShell, HTA), trojans (AU3.Agent), and a potential execution of malicious PowerShell code (MDP.Powershell.M2514). 

Downloaded files (header.png, qhsddxna, script.a3x, dark.hta, rdyjyany, script.a3x, 1.hta, umkglnks) were retrieved from suspicious URLs (hxxps://jenniferwelsh[.]com, hxxp://mylittlecabbage[.]net, hxxps://linktoxic34[.]com, hxxp://dogmupdate[.]com, hxxps://www.rockcreekdds[.]com, hxxp://flexiblemaria[.]com), which indicate a potential phishing or malware attack.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...