
OneDrive Pastejacking: The Sneaky Phishing and Downloader Campaign
OneDrive Pastejacking is a phishing and downloader campaign that targets users by injecting malicious commands into the clipboard during copy-paste operations, so that the victim pastes and runs attacker-controlled code. The lure deceives users into downloading harmful content onto their systems. This type of attack exploits security weaknesses and can put sensitive data at risk.
Indicators of Compromise
Domains (3)
clarify_27-May_202017.html
clarify_27-May_690357.html
Clarify_15-june_586190.html
Hashes (35)
Notes
<span id="docs-internal-guid-f253d9ef-7fff-a7f2-52a2-c5c277ab9a3a"><p><strong>CONCLUSION</strong></p><p>The OneDrive Pastejacking campaign showcases the advanced methods used by cybercriminals, who rely on social engineering to take advantage of users' trust and emotions. By tricking users into fixing a fake DNS error, the attackers manage to execute malicious payloads through harmless-looking PowerShell commands. This campaign underscores the necessity for ongoing alertness, comprehensive cybersecurity education, and stringent security measures within corporate settings. It's crucial for organizations to proactively educate their staff and fortify their defenses to reduce the threats posed by these sophisticated phishing and downloader attacks. The worldwide impact of this campaign emphasizes the need for global cooperation and intelligence sharing to effectively address these persistent cyber threats. For more information on this and other campaigns, visit the <a href="https://socradar.io/labs/campaigns/">SOCRadar Labs campaign page</a>.</p></span>
Mitigation
<span id="docs-internal-guid-d5fcefb1-7fff-81b1-bfb6-57834c916443">
<p><strong>Command and Scripting Interpreter: PowerShell</strong></p>
<p><strong>Mitigations</strong></p>
<table>
<thead>
<tr><th>ID</th><th>Mitigation</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td><a href="https://attack.mitre.org/mitigations/M1049">M1049</a></td><td><a href="https://attack.mitre.org/mitigations/M1049">Antivirus/Antimalware</a></td><td>Anti-virus can be used to automatically quarantine suspicious files.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1045">M1045</a></td><td><a href="https://attack.mitre.org/mitigations/M1045">Code Signing</a></td><td>Set PowerShell execution policy to execute only signed scripts.</td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1042">M1042</a></td><td><a href="https://attack.mitre.org/mitigations/M1042">Disable or Remove Feature or Program</a></td><td><p>It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact on an environment, since it could be in use for many legitimate purposes and administrative functions.</p><p>Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.</p></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1038">M1038</a></td><td><a href="https://attack.mitre.org/mitigations/M1038">Execution Prevention</a></td><td>Use application control where appropriate. PowerShell Constrained Language mode can be used to restrict access to sensitive or otherwise dangerous language elements such as those used to execute arbitrary Windows APIs or files (e.g., <code>Add-Type</code>). <a href="https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/">[270]</a></td></tr>
<tr><td><a href="https://attack.mitre.org/mitigations/M1026">M1026</a></td><td><a href="https://attack.mitre.org/mitigations/M1026">Privileged Account Management</a></td><td><p>When PowerShell is necessary, consider restricting PowerShell execution policy to administrators. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. <a href="https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/">[271]</a></p><p>PowerShell JEA (Just Enough Administration) may also be used to sandbox administration and limit what commands admins/users can execute through remote PowerShell sessions. <a href="https://learn.microsoft.com/powershell/scripting/learn/remoting/jea/overview?view=powershell-7.3">[272]</a></p></td></tr>
</tbody>
</table>
</span>
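As an added example (not part of the SOCRadar page or of MITRE's own tooling), the PowerShell script below audits a host against the controls in the table above (M1045, M1038, M1042) and, going one step beyond the table, checks whether script block logging is on, since that log is what lets a defender see the command a victim actually pasted. It assumes Windows PowerShell 5.1 or later with built-in cmdlets only; the function name `Test-PowerShellHardening` is hypothetical.

```powershell
# Added example (not from the SOCRadar write-up): audit a Windows host against the
# PowerShell mitigations listed above (M1045, M1038, M1042) plus script block logging.
# Assumes Windows PowerShell 5.1 or PowerShell 7 and only built-in cmdlets.
function Test-PowerShellHardening {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[object]]::new()

    # M1045 / M1026: effective execution policy. Anything looser than AllSigned lets an
    # unsigned command pasted from the clipboard run as-is. The page's own caveat applies:
    # execution policy is bypassable and is not a security boundary, so treat it as hygiene.
    $effective = Get-ExecutionPolicy
    $perScope  = (Get-ExecutionPolicy -List | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join '; '
    $findings.Add([pscustomobject]@{
        Control = 'M1045 execution policy (signed scripts only)'
        Value   = "effective=$effective; $perScope"
        Pass    = [string]$effective -in @('AllSigned', 'Restricted')
    })

    # M1038: Constrained Language mode blocks Add-Type and arbitrary .NET/Win32 calls.
    # It is enforced by an application control policy (WDAC/AppLocker); this only reads it.
    $langMode = [string]$ExecutionContext.SessionState.LanguageMode
    $findings.Add([pscustomobject]@{
        Control = 'M1038 Constrained Language mode'
        Value   = $langMode
        Pass    = $langMode -eq 'ConstrainedLanguage'
    })

    # M1042: WinRM should be disabled unless remoting is actually required on this host.
    $winrm = Get-Service -Name WinRM -ErrorAction SilentlyContinue
    $winrmState = if ($winrm) { "$($winrm.Status)/$($winrm.StartType)" } else { 'not installed' }
    $findings.Add([pscustomobject]@{
        Control = 'M1042 WinRM service disabled'
        Value   = $winrmState
        Pass    = (-not $winrm) -or ([string]$winrm.StartType -eq 'Disabled')
    })

    # Beyond the table: script block logging (event 4104, Microsoft-Windows-PowerShell/Operational)
    # records the de-obfuscated command a victim pasted, which is what IR needs to scope the case.
    $sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $sblValue = if ($sbl) { $sbl.EnableScriptBlockLogging } else { 'not configured' }
    $findings.Add([pscustomobject]@{
        Control = 'Script block logging enabled (detection)'
        Value   = $sblValue
        Pass    = [bool]($sbl -and $sbl.EnableScriptBlockLogging -eq 1)
    })

    return $findings
}

# Print the audit; any row with Pass=False is a gap against the mitigation table.
Test-PowerShellHardening | Format-Table -AutoSize -Wrap
```

Run it in the same session type users actually get (a fresh, non-elevated PowerShell) so the language mode and execution policy it reports are the ones a pasted command would face.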