Saturday, June 15, 2024

Beware Of Phishing Emails Prompting Execution Via Paste (CTRL+V)

Phishing attackers are distributing malicious HTML files as email attachments, containing code designed to exploit users by prompting them to directly paste and execute the code, which leverages social engineering, as users are tricked into running the malicious code themselves by pasting it into a vulnerable application. 

A phishing campaign uses social engineering tactics by employing email subjects that trigger a sense of urgency (e.g., fee processing, operation instruction reviews), containing malicious HTML attachments disguised as legitimate Microsoft Word documents.

Phishing emails

Upon opening the attachment, the user is presented with a deceptive message visually resembling a Word document, which typically includes a button labeled “How to Fix” or similar, serving as the social engineering lure.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis 

Clicking this button is the intended exploit vector, and it likely initiates malicious activities such as malware downloads or sensitive data exfiltration.

When the user clicks “How to Fix,”  a malicious JavaScript file is downloaded.

The file encodes a PowerShell command using Base64 and then instructs the user to either use a keyboard shortcut (Win+R, CTRL+V, Enter) or open PowerShell and run the command manually. 

Saving the malicious PowerShell command into the user’s clipboard

Once the user follows these instructions, the JavaScript decodes the Base64-encoded command, places it in the clipboard, and executes the PowerShell command, potentially harming the user’s system. 

The malicious email attachment triggers a PowerShell script download from the Command and Control server (C2), which wipes the clipboard and executes another PowerShell command also retrieved from C2. 

The first PowerShell script downloads an HTA file before executing the second one, and an embedded Autoit executable within a ZIP file uses a compiled Autoit script to complete the infection chain. 

Overall flow

According to ASEC, DarkGate malware leverages AutoIt scripts to bypass detection and establish persistence, which is often obfuscated for further evasion, download, and execute the main payload. 

Due to DarkGate’s multi-stage infection process, traditional signature-based methods may fail.

Users should exercise caution when handling files from untrusted sources, particularly email attachments and URLs, to mitigate the risk of DarkGate infection. 

The system detected multiple threats, including phishing emails (HTML.ClipBoard.SC199655), malicious scripts (VBScript, PowerShell, HTA), trojans (AU3.Agent), and a potential execution of malicious PowerShell code (MDP.Powershell.M2514). 

Downloaded files (header.png, qhsddxna, script.a3x, dark.hta, rdyjyany, script.a3x, 1.hta, umkglnks) were retrieved from suspicious URLs (hxxps://jenniferwelsh[.]com, hxxp://mylittlecabbage[.]net, hxxps://linktoxic34[.]com, hxxp://dogmupdate[.]com, hxxps://www.rockcreekdds[.]com, hxxp://flexiblemaria[.]com), which indicate a potential phishing or malware attack.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles