{
  "name": "From Clipboard to Compromise: A PowerShell Self-Pwn",
  "slug": "from-clipboard-to-compromise-a-powershell-self-pwn",
  "description": "This intelligence report details a unique social engineering technique observed by Proofpoint researchers, leveraging users to copy and paste malicious PowerShell scripts to infect their computers. The threat actors TA571 and ClearFake activity cluster employ this method to deliver malware like DarkGate, Matanbuchus, NetSupport, and various information stealers. Despite requiring significant user interaction, the clever social engineering presents an apparent problem and solution simultaneously, prompting users to act without considering the risks.",
  "published": "2024-06-17T09:23:05+00:00",
  "created_at": "2024-06-17T09:23:05+00:00",
  "modified_at": "2024-06-17T09:38:15+00:00",
  "created_at_opencti": "2024-06-17T09:23:05+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-06-17",
    "amadey loader",
    "compromise",
    "darkgate",
    "jaskago",
    "lumma stealer",
    "malicious script",
    "malware",
    "matanbuchus",
    "netsupport",
    "powershell",
    "social engineering",
    "vidar stealer",
    "xmrig"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.222.173.113"
      },
      {
        "id": "",
        "name": "https://rtattack.baqebei1.online/df/tt"
      },
      {
        "id": "",
        "name": "https://oazevents.com/loader.html"
      },
      {
        "id": "",
        "name": "https://lashakhazhalia86dancer.com/c.txt"
      },
      {
        "id": "",
        "name": "https://kostumn1.ilabserver.com/1.zip"
      },
      {
        "id": "",
        "name": "https://cdn3535.shop/1.zip"
      },
      {
        "id": "",
        "name": "http://languangjob.com/pandstvx"
      },
      {
        "id": "",
        "name": "https://jenniferwelsh.com/header.png"
      },
      {
        "id": "",
        "name": "http://mylittlecabbage.net/xcdttafq"
      },
      {
        "id": "",
        "name": "http://mylittlecabbage.net/qhsddxna"
      },
      {
        "id": "",
        "name": "rechtsanwalt@ra-silberkuhl.com"
      },
      {
        "id": "",
        "name": "9701fec71e5bbec912f69c8ed63ffb6dba21b9cca7e67da5d60a72139c1795d1"
      },
      {
        "id": "",
        "name": "11909c0262563f29d28312baffb7ff027f113512c5a76bab7c5870f348ff778f"
      },
      {
        "id": "",
        "name": "07e0c15adc6fcf6096dd5b0b03c20145171c00afe14100468f18f01876457c80"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:3622f85bc741a893",
        "name": "JaskaGO",
        "slug": "jaskago"
      },
      {
        "id": "legacy:malware:dd369e6fb3bc8de4",
        "name": "Vidar Stealer",
        "slug": "vidar-stealer"
      },
      {
        "id": "legacy:malware:c92e49567d8a0ccb",
        "name": "Amadey Loader",
        "slug": "amadey-loader"
      },
      {
        "id": "330ad2d2-5ca7-4541-b7c7-d78d3a95ade0",
        "name": "Matanbuchus",
        "slug": "matanbuchus"
      },
      {
        "id": "0051da15-675b-4665-a6d1-872f64cf47ea",
        "name": "Lumma Stealer",
        "slug": "lumma-stealer"
      },
      {
        "id": "legacy:malware:05cd583aadd9b90a",
        "name": "DarkGate",
        "slug": "darkgate"
      },
      {
        "id": "legacy:malware:83adebc6ef4eb478",
        "name": "XMRig",
        "slug": "xmrig"
      },
      {
        "id": "legacy:malware:ded3e0a95823a24e",
        "name": "NetSupport",
        "slug": "netsupport"
      }
    ],
    "intrusion_sets": [
      {
        "id": "1973c445-3548-45ee-9b4a-d6de9c8fbd5a",
        "name": "TA571",
        "slug": "ta571"
      }
    ],
    "attack_patterns": [
      {
        "id": "d48e0c86-5636-49d2-ae09-3dd3dd081829",
        "name": "T1028"
      },
      {
        "id": "63567f6b-fd33-4e9f-b631-48dd6fd02c21",
        "name": "T1557.002"
      },
      {
        "id": "146a6f45-ec55-4d0e-a38c-1b614c3f72d2",
        "name": "T1193"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ]
  },
  "external_refs": [
    "https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn",
    "https://otx.alienvault.com/pulse/66701c99b54ffc9a9507ce00"
  ]
}