SANS ISC: SANS.edu Internet Storm Center
Malicious Code Passed to PowerShell via the Clipboard

Published: 2022-06-25
Last Updated: 2022-06-25 09:50:40 UTC
by Xavier Mertens (Version: 1)

Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code, but the way it works is interesting. The script has a VT score of 16/54[1]. The script uses the Windows command-line tool "clip.exe", which is often unknown to people.

This tool helps to save the STDIN content in the clipboard. I checked the LOLBAS[2] project page and did not find "clip.exe".

How does it work?

cmd /c echo "[Redacted_malicious_payload]" | clip.exe && powershell.exe "<code>"

The malicious code is saved into the clipboard and PowerShell fetches it by executing <code>. It contains:

[System.Windows.Clipboard]::GetText.invoke()

The code is executed and the clipboard is cleared:

[System.Windows.Clipboard]::SetText.invoke()

It's a nice technique to implement fileless malware!
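The pattern above is easy to hunt for in process-creation telemetry. The following is an added example (not code from the diary or the malware) that scores constructed command-line samples; it assumes the command lines come from a source such as Sysmon Event ID 1 or Security event 4688 CommandLine fields:

```python
import re

# Constructed sample command lines (not taken from the diary). The first mirrors the
# bat file's shape: stage a blob via clip.exe, then have PowerShell read it back.
SAMPLE_COMMAND_LINES = [
    'cmd /c echo "REDACTED_PAYLOAD" | clip.exe && powershell.exe '
    '"[System.Windows.Clipboard]::GetText.invoke()"',
    'powershell.exe -nop -w hidden -c "iex ([System.Windows.Clipboard]::GetText.invoke())"',
    'cmd /c dir | clip',
    'powershell.exe Get-Clipboard | Out-File notes.txt',
    'C:\\Windows\\System32\\notepad.exe report.txt',
]

# STDIN piped into clip.exe: something is being staged in the clipboard.
CLIP_STAGING = re.compile(r'\|\s*clip(\.exe)?\b', re.IGNORECASE)
# PowerShell reading the clipboard: the .NET call seen in the diary, or the cmdlet.
CLIP_READ = re.compile(r'(Windows\.Clipboard\]::GetText|Get-Clipboard)', re.IGNORECASE)
# The clipboard text being handed to the interpreter.
EXECUTES = re.compile(r'\b(iex|Invoke-Expression)\b', re.IGNORECASE)


def classify(cmdline):
    """Return a severity label for one process command line."""
    staged = bool(CLIP_STAGING.search(cmdline))
    read = bool(CLIP_READ.search(cmdline)) and 'powershell' in cmdline.lower()
    executed = bool(EXECUTES.search(cmdline))
    if staged and read:
        return "high"    # stage and read in one line, as in the diary's bat file
    if read and executed:
        return "high"    # clipboard contents fed straight to iex
    if read:
        return "medium"  # PowerShell reading the clipboard, context needed
    if staged:
        return "low"     # clip.exe alone is common admin usage
    return "none"


def triage(lines):
    """Return (severity, cmdline) pairs for every line that matched a rule."""
    results = []
    for line in lines:
        label = classify(line)
        if label != "none":
            results.append((label, line))
    return results
```

Because the staging and the read happen in separate processes (cmd.exe/clip.exe, then powershell.exe), a parent/child correlation on the same host would catch split variants that a single-line match misses.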

Note: The malware family is Boxter[3].

[1] https://www.virustotal.com/gui/file/294de23e4f510838c370ffff2b297fbd38f7da5171988dca091569389b262d6a/content
[2] https://lolbas-project.github.io
[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.ps1.boxter.a

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
