Beware Of Phishing Emails Prompting Execution Via Paste (CTRL+V)

Phishing attackers are distributing malicious HTML files as email attachments, containing code designed to exploit users by prompting them to directly paste and execute the code, which leverages social engineering, as users are tricked into running the malicious code themselves by pasting it into a vulnerable application. 

A phishing campaign uses social engineering tactics by employing email subjects that trigger a sense of urgency (e.g., fee processing, operation instruction reviews), containing malicious HTML attachments disguised as legitimate Microsoft Word documents.

Upon opening the attachment, the user is presented with a deceptive message visually resembling a Word document, which typically includes a button labeled “How to Fix” or similar, serving as the social engineering lure.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis 

Clicking this button is the intended exploit vector, and it likely initiates malicious activities such as malware downloads or sensitive data exfiltration.

When the user clicks “How to Fix,”  a malicious JavaScript file is downloaded.

The file encodes a PowerShell command using Base64 and then instructs the user to either use a keyboard shortcut (Win+R, CTRL+V, Enter) or open PowerShell and run the command manually. 

Once the user follows these instructions, the JavaScript decodes the Base64-encoded command, places it in the clipboard, and executes the PowerShell command, potentially harming the user’s system. 

The malicious email attachment triggers a PowerShell script download from the Command and Control server (C2), which wipes the clipboard and executes another PowerShell command also retrieved from C2. 

The first PowerShell script downloads an HTA file before executing the second one, and an embedded Autoit executable within a ZIP file uses a compiled Autoit script to complete the infection chain. 

According to ASEC, DarkGate malware leverages AutoIt scripts to bypass detection and establish persistence, which is often obfuscated for further evasion, download, and execute the main payload. 

Due to DarkGate’s multi-stage infection process, traditional signature-based methods may fail.

Users should exercise caution when handling files from untrusted sources, particularly email attachments and URLs, to mitigate the risk of DarkGate infection. 

The system detected multiple threats, including phishing emails (HTML.ClipBoard.SC199655), malicious scripts (VBScript, PowerShell, HTA), trojans (AU3.Agent), and a potential execution of malicious PowerShell code (MDP.Powershell.M2514). 

Downloaded files (header.png, qhsddxna, script.a3x, dark.hta, rdyjyany, script.a3x, 1.hta, umkglnks) were retrieved from suspicious URLs (hxxps://jenniferwelsh[.]com, hxxp://mylittlecabbage[.]net, hxxps://linktoxic34[.]com, hxxp://dogmupdate[.]com, hxxps://www.rockcreekdds[.]com, hxxp://flexiblemaria[.]com), which indicate a potential phishing or malware attack.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo