My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Malicious Code Passed to PowerShell via the Clipboard

Published: 2022-06-25. Last Updated: 2022-06-25 09:50:40 UTC
by Xavier Mertens (Version: 1)
3 comment(s)

Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code but the way it works is interesting. The script has a VT score of 16/54 ( )[1]. The script uses the Windows command-line tool "clip.exe" which is often unknown to people:

This tool helps to save the STDIN content in the clipboard. I checked the LOLBAS[2] project page and did not find "clip.exe".

How does it work?

cmd / c echo "[Redacted_malicious_payload]" | clip.exe && powershell.exe "<code>"

The malicious code is saved into the clipboard and PowerShell fetches it by executing <code>. It contains:

[System.Windows.Clipboard]::GetText.invoke()

The code is executed and the clipboard is cleared:

[System.Windows.Clipboard]::SetText.invoke()

It's a nice technique to implement fileless malware!

Note: The malware family is Boxter[3].

[1] https://www.virustotal.com/gui/file/294de23e4f510838c370ffff2b297fbd38f7da5171988dca091569389b262d6a/content
[2] https://lolbas-project.github.io
[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/trojan.ps1.boxter.a

Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

3 comment(s)
My next class:
Reverse-Engineering Malware: Advanced Code AnalysisOnline | Greenwich Mean TimeOct 28th - Nov 1st 2024

Comments

Not really fileless if it runs from a batch file, is it?
And the clip.exe works in the (formerly DOS) Command Prompt, so useful for both for pasting results of a thing into an email or docs.

I look and see that we have at least two instances of clip.exe to watch for their execution, System32, SysWOW64 and some in WinSxS
Any thoughts on how often `clip.exe` is used normally? Double-invocation of `clip.exe` is not required since the malicious PowerShell can run `Set-Clipboard` to clear the clipboard.

Diary Archives