A Trellix Advanced Research Center report details a sophisticated phishing/downloader campaign targeting Microsoft OneDrive users, steering victims to run a PowerShell script that compromises systems. The attack hinges on social engineering and fake DNS error prompts delivered via HTML, with malicious commands executed through a button-driven flow.
#OneDrive #pastejacking #PowerShell #AutoIt #Trellix #kostumn1_ilabserver_com
Keypoints
- The campaign targets Microsoft OneDrive users via phishing emails.
- Social engineering is used to create urgency and prompt action.
- Victims open an HTML file that displays an urgent error and prompts to follow instructions.
- The "How to fix" button triggers a JavaScript function that decodes a malicious command and copies it to the clipboard.
- The copied command runs ipconfig /flushdns, creates a downloads folder, downloads and extracts a payload, and executes it via AutoIt.
- Enterprise implications include potential widespread network compromise and financial losses; employee training is crucial for mitigation.
- IoCs include specific HTML attachment filenames, MD5 hashes of HTML samples and payloads, and a suspicious domain used for hosting components.
MITRE Techniques
- [T1566] Phishing: use of social engineering tactics to deceive users into clicking malicious links or attachments.
- [T1059] Command and Scripting Interpreter: execution of PowerShell commands to download and execute malicious scripts.
- [T1213] Data from Information Repositories: exploitation of legitimate services (like OneDrive) to lure users into executing malicious commands.
Indicators of Compromise
- [Email Attachment] Filenames: clarify_27-May_202017.html, clarify_27-May_690357.html, and 1 more item
- [MD5 Hash] Known HTML samples: d6faa6bd1732517f260d94feb3cdbfc2, 1152103edc64ddee7ea4e07cd5dd78ae, and 18 more hashes
- [File/Directory] c:\downloads containing: st.zip, script.a3x
- [Domain] kostumn1.ilabserver.com (written as hxxps in the report) and related hosting domains
- [Detection Signature] Trellix ENS detection signatures for the IoCs: HTML/Phishing.xl, AUTOIT/Agent.p, AutoIt/Agent.o, PS/Agent.jc
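The following is an added triage example, not code from the Trellix report: it turns the execution chain from the Keypoints section and the indicators listed above into a simple check over PowerShell script-block log entries and attachment hashes. The log entries are constructed for illustration and only paraphrase the chain; the stage names and the min_stages threshold are assumptions.

```python
import re
from typing import List, Tuple

# Indicators copied from the report summary above (two of the twenty listed hashes).
KNOWN_HTML_MD5 = {"d6faa6bd1732517f260d94feb3cdbfc2", "1152103edc64ddee7ea4e07cd5dd78ae"}

# Stages of the described chain; names are assumptions, patterns come from the IoC list.
STAGE_PATTERNS = [
    ("dns_flush", re.compile(r"ipconfig\s+/flushdns", re.I)),
    ("downloads_dir", re.compile(r"c:\\downloads", re.I)),
    ("hosting_domain", re.compile(r"kostumn1\.ilabserver\.com", re.I)),
    ("archive_drop", re.compile(r"\bst\.zip\b", re.I)),
    ("autoit_script", re.compile(r"\bscript\.a3x\b", re.I)),
]

# Constructed sample script-block entries; entry 1 paraphrases the chain, not the real payload.
SAMPLE_SCRIPT_BLOCKS = [
    "ipconfig /flushdns",  # a lone DNS flush is normal admin activity
    "ipconfig /flushdns; mkdir c:\\downloads; <fetch st.zip from kostumn1.ilabserver.com>; "
    "Expand-Archive ... c:\\downloads; <run c:\\downloads\\script.a3x with AutoIt>",
    "Get-ChildItem C:\\Users\\alice\\Downloads",  # benign, must not match downloads_dir
]

def match_stages(command: str) -> List[str]:
    """Return the names of every chain stage whose indicator appears in the command."""
    return [name for name, pat in STAGE_PATTERNS if pat.search(command)]

def triage(blocks: List[str], min_stages: int = 2) -> List[Tuple[int, List[str]]]:
    """Flag entries that hit at least min_stages stages, so a single
    'ipconfig /flushdns' does not fire on its own but the full chain does."""
    hits = []
    for idx, cmd in enumerate(blocks):
        stages = match_stages(cmd)
        if len(stages) >= min_stages:
            hits.append((idx, stages))
    return hits

def is_known_html_sample(md5_hex: str) -> bool:
    """Case-insensitive lookup of an attachment hash against the published MD5 list."""
    return md5_hex.strip().lower() in KNOWN_HTML_MD5

if __name__ == "__main__":
    for idx, stages in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"entry {idx}: suspicious, stages {stages}")
```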
Read more: https://www.trellix.com/blogs/research/onedrive-pastejacking/