Beware Of Phishing Emails Prompting Execution Via Paste (CTRL+V)

Phishing attackers are distributing malicious HTML files as email attachments, containing code designed to exploit users by prompting them to directly paste and execute the code, which leverages social engineering, as users are tricked into running the malicious code themselves by pasting it into a vulnerable application. 

A phishing campaign uses social engineering tactics by employing email subjects that trigger a sense of urgency (e.g., fee processing, operation instruction reviews), containing malicious HTML attachments disguised as legitimate Microsoft Word documents.

Phishing emails

Upon opening the attachment, the user is presented with a deceptive message visually resembling a Word document, which typically includes a button labeled “How to Fix” or similar, serving as the social engineering lure.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis 

Clicking this button is the intended exploit vector, and it likely initiates malicious activities such as malware downloads or sensitive data exfiltration.

When the user clicks “How to Fix,”  a malicious JavaScript file is downloaded.

The file encodes a PowerShell command using Base64 and then instructs the user to either use a keyboard shortcut (Win+R, CTRL+V, Enter) or open PowerShell and run the command manually. 

Saving the malicious PowerShell command into the user’s clipboard

Once the user follows these instructions, the JavaScript decodes the Base64-encoded command, places it in the clipboard, and executes the PowerShell command, potentially harming the user’s system. 

The malicious email attachment triggers a PowerShell script download from the Command and Control server (C2), which wipes the clipboard and executes another PowerShell command also retrieved from C2. 

The first PowerShell script downloads an HTA file before executing the second one, and an embedded Autoit executable within a ZIP file uses a compiled Autoit script to complete the infection chain. 

Overall flow

According to ASEC, DarkGate malware leverages AutoIt scripts to bypass detection and establish persistence, which is often obfuscated for further evasion, download, and execute the main payload. 

Due to DarkGate’s multi-stage infection process, traditional signature-based methods may fail.

Users should exercise caution when handling files from untrusted sources, particularly email attachments and URLs, to mitigate the risk of DarkGate infection. 

The system detected multiple threats, including phishing emails (HTML.ClipBoard.SC199655), malicious scripts (VBScript, PowerShell, HTA), trojans (AU3.Agent), and a potential execution of malicious PowerShell code (MDP.Powershell.M2514). 

Downloaded files (header.png, qhsddxna, script.a3x, dark.hta, rdyjyany, script.a3x, 1.hta, umkglnks) were retrieved from suspicious URLs (hxxps://jenniferwelsh[.]com, hxxp://mylittlecabbage[.]net, hxxps://linktoxic34[.]com, hxxp://dogmupdate[.]com, hxxps://www.rockcreekdds[.]com, hxxp://flexiblemaria[.]com), which indicate a potential phishing or malware attack.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Sneka

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

6 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

6 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

9 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

12 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

13 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

13 hours ago