Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V)

AhnLab SEcurity intelligence Center (ASEC) recently discovered phishing files being distributed via email. The HTML files attached to the emails prompt users to paste (CTRL+V) and run commands directly.

The threat actor sent emails about fee processing, operation instruction reviews, etc. to prompt recipients to open the attachments. When a user opens the HTML file, a background and a message disguised as MS Word appear. The message tells the user to click the “How to fix” button to view the Word document offline.

Upon clicking “How to fix”, the file prompts the user to press [Win+R] → [CTRL+V] → [Enter], or to open a PowerShell terminal and enter the command manually. At the same time, the JavaScript in the file (see Figure 3) decodes the Base64-encoded malicious PowerShell command (see Figure 4) and writes it to the user’s clipboard.

After going through the process explained above, the malicious PowerShell script is executed (see Figure 5).

The PowerShell command downloads an HTA file from the C2 server and executes it. It also clears the clipboard, apparently to hide the command that was just run. The HTA file in turn executes the PowerShell command retrieved from the C2, and Autoit3.exe inside the downloaded ZIP file is run with the compiled malicious AutoIt script (script.a3x) as its argument. The overall flow from receipt of the email to infection is shown in Figure 6.
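Triage logic of the kind a defender would run over such an attachment, written as an added example (not ASEC’s code or the actual lure): it looks for a clipboard-write API paired with a Base64 literal that decodes to PowerShell or HTA indicators, the two traits described above. The sample HTML, the placeholder command and the indicator list are constructed assumptions.

```python
import base64
import re

# Placeholder PowerShell text standing in for the decoded clipboard command.
# It only echoes a string and clears the clipboard, mirroring the two traits
# the post describes (a PowerShell payload, clipboard blanked afterwards).
PLACEHOLDER_CMD = "powershell -c \"Write-Output 'placeholder'\"; Set-Clipboard -Value ' '"
_B64 = base64.b64encode(PLACEHOLDER_CMD.encode()).decode()

# Constructed sample lure (hypothetical, not the real attachment): a fake Word
# page whose "How to fix" button decodes Base64 with atob(), copies the result
# to the clipboard, then tells the victim to press Win+R, CTRL+V, Enter.
SAMPLE_HTML = f"""<html><body><div id="m">Word Online</div>
<button onclick="fix()">How to fix</button>
<script>
function fix() {{
  const b = "{_B64}";
  navigator.clipboard.writeText(atob(b));
  document.getElementById("m").innerText = "Win+R, CTRL+V, Enter";
}}
</script></body></html>"""

# Browser APIs that let a page write to the clipboard without the user typing.
CLIPBOARD_APIS = ("navigator.clipboard.writeText", "execCommand('copy')", 'execCommand("copy")')
# Quoted Base64-looking literals of at least 40 characters.
B64_RE = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')
# Substrings a decoded clipboard payload in this kind of lure tends to contain.
SUSPICIOUS = ("powershell", "mshta", "set-clipboard", ".hta", "invoke-expression", "iex")


def decode_blobs(html):
    """Return every quoted Base64 literal in the HTML that decodes to UTF-8 text."""
    out = []
    for m in B64_RE.finditer(html):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
            continue
    return out


def scan_html(html):
    """Flag an attachment that pairs a clipboard-write API with a suspicious decoded blob."""
    apis = [a for a in CLIPBOARD_APIS if a in html]
    payloads = []
    for text in decode_blobs(html):
        found = [k for k in SUSPICIOUS if k in text.lower()]
        if found:
            payloads.append({"decoded": text, "indicators": found})
    return {"clipboard_api": apis, "payloads": payloads, "suspicious": bool(apis and payloads)}
```

Run `scan_html` over each HTML attachment in a mail quarantine; a result with `suspicious` set to True gives the analyst the decoded command without anyone pasting it into a terminal.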

Ultimately, the DarkGate malware, launched through AutoIt, infects the system. Users must take extra caution when handling files from unknown sources, especially URLs and attachments in emails.

File Detection
Phishing/HTML.ClipBoard.SC199655 (2024.05.21.03)
Downloader/VBS.Generic.SC199642 (2024.05.21.00)
Downloader/VBS.Generic.SC199656 (2024.05.21.03)
Downloader/HTA.DarkGate.SC199621 (2024.05.16.02)
Downloader/PowerShell.Generic (2024.05.21.00)
Downloader/PowerShell.Generic (2024.05.21.02)
Downloader/PowerShell.Generic (2024.05.21.03)
Trojan/AU3.Agent (2024.05.21.00)
Trojan/AU3.Agent (2024.05.21.03)
Trojan/AU3.Agent (2024.05.22.00)

Behavior Detection
Execution/MDP.Powershell.M2514

MD5

URL

