From Clipboard to Compromise: A PowerShell Self-Pwn

MITRE Techniques

• [T1566.001] Phishing – Spearphishing via Email Attachment – The TA571 campaigns used HTML attachments that displayed a faux Word page and included instructions to copy/paste PowerShell to install malware. “HTML attachment containing instructions on how to copy and paste PowerShell that leads to the installation of malware.”
• [T1059.001] PowerShell – Command and Scripting Interpreter – The threat chain relies on PowerShell execution, with users instructed to open PowerShell and paste code from the clipboard. “open a PowerShell terminal and right-click to paste the console window.”
• [T1115] Clipboard Data – Clipboard Hijacking – The malicious content is copied to the clipboard via browser-side JavaScript, and a base64-encoded PowerShell command is copied to the clipboard. “copied a base64-encoded PowerShell command to the computer’s clipboard.”
• [T1105] Ingress Tool Transfer – Downloading additional payloads over the network – The second PowerShell script downloads yet another PowerShell script and a remote payload. “The second PowerShell script was essentially used to download yet another PowerShell script.” and “download a remote PowerShell script and execute it in-memory.”
• [T1574.001] Hijack Execution Flow: DLL Side-Loading – Bundling legitimate signed executables in a ZIP to side-load a trojanized DLL (DOILoader) to load Lumma Stealer. “bundled various legitimate, signed executables that side-loaded a trojanized DLL.”
• [T1027] Obfuscated/Compressed Files and Information – AES-encrypted PowerShell scripts and payloads used in the chain. “AES-encrypted PowerShell script” and the extraction of data.zip to execute files.
• [T1036] Masquerading – The use of fake warnings/updates and legitimate-looking overlays to trick users into running malicious code. “fake browser update” overlays and warnings that appear authoritative.