Last Updated: 2022-06-25 09:50:40 UTC
by Xavier Mertens (Version: 1)
Another day, another malicious script was found! Today, the script is a Windows bat file that executes malicious PowerShell code, but the way it works is interesting. The script has a VT score of 16/54. The script uses the Windows command-line tool "clip.exe", which is often unknown to people:
This tool copies whatever it reads on STDIN into the Windows clipboard. I checked the LOLBAS project page and did not find "clip.exe".
How does it work?
cmd /c echo "[Redacted_malicious_payload]" | clip.exe && powershell.exe "<code>"
The malicious payload is saved in the clipboard, and PowerShell fetches it by executing <code>. It contains:
The code is executed and the clipboard is cleared:
It's a nice technique to implement fileless malware!
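As an added detection-side example (not code from the diary or its author), here is a small Python helper that flags this clip.exe-to-PowerShell pattern in process-creation records; the events are constructed in Sysmon Event ID 1 style, and the field names, regexes and reason strings are the example's own assumptions.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 style; invented
# samples for this example, not events from the diary.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c echo "[Redacted_malicious_payload]" | clip.exe && powershell.exe "<code>"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden Get-Clipboard"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c dir C:\\Users | clip"},  # benign admin use of clip.exe
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

# Staging step: something piped into clip.exe, then PowerShell launched
# from the same command line (the chain described in the diary).
STAGE_RE = re.compile(r"\|\s*clip(?:\.exe)?\b.*?(?:&&|&|;).*?powershell", re.I)
# Retrieval step: PowerShell pulling the clipboard contents back out.
READ_RE = re.compile(r"get-clipboard|\[?(?:system\.)?windows\.forms\.clipboard\]?::gettext", re.I)


def analyze(event):
    """Return the reasons (possibly none) an event matches clipboard-staged execution."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    reasons = []
    if STAGE_RE.search(cmd):
        reasons.append("payload piped to clip.exe then PowerShell launched")
    if image.endswith("powershell.exe") and READ_RE.search(cmd):
        reasons.append("PowerShell reads clipboard contents")
    if image.endswith("powershell.exe") and parent.endswith("cmd.exe"):
        # Weak on its own (common in scripts); only reported alongside a stronger hit.
        reasons.append("PowerShell spawned by cmd.exe")
    return reasons


def scan(events):
    """Return (index, reasons) for every event carrying at least one strong indicator."""
    hits = []
    for i, ev in enumerate(events):
        reasons = analyze(ev)
        if any(not r.startswith("PowerShell spawned") for r in reasons):
            hits.append((i, reasons))
    return hits
```

A plain `dir | clip` without a follow-on PowerShell launch is deliberately not flagged, so the rule keys on the pipe-then-execute chain rather than on clip.exe alone.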
Note: The malware family is Boxter.
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant