Windows PowerShell Phish Uses Fake CAPTCHA, Downloads Credential Stealer (krebsonsecurity.com) 10
"Many GitHub users this week received a novel phishing email warning of critical security holes in their code," reports Krebs on Security — citing an email shared by one of his readers:
"Hey there! We have detected a security vulnerability in your repository. Please contact us at https://github-scanner[.]com to get more information on how to fix this issue...." Clicking the "I'm not a robot" button generates a pop-up message asking the user to take three sequential steps to prove their humanity. Step 1 involves simultaneously pressing the keyboard key with the Windows icon and the letter "R," which opens a Windows "Run" prompt that will execute any specified program that is already installed on the system.
Step 2 asks the user to press the "CTRL" key and the letter "V" at the same time, which pastes malicious code from the site's virtual clipboard. Step 3 — pressing the "Enter" key — causes Windows to launch a PowerShell command, and then fetch and execute a malicious file from github-scanner[.]com called "l6e.exe...." According to an analysis at the malware scanning service Virustotal.com, the malicious file downloaded by the pasted text is called Lumma Stealer, and it's designed to snarf any credentials stored on the victim's PC.
Even though this might fool some users, Krebs points out that Microsoft "strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What's more, doing so requires tinkering with sensitive settings in the Windows registry..."
Thanks to long-time Slashdot reader sinij for sharing the article.
Step 2 asks the user to press the "CTRL" key and the letter "V" at the same time, which pastes malicious code from the site's virtual clipboard. Step 3 — pressing the "Enter" key — causes Windows to launch a PowerShell command, and then fetch and execute a malicious file from github-scanner[.]com called "l6e.exe...." According to an analysis at the malware scanning service Virustotal.com, the malicious file downloaded by the pasted text is called Lumma Stealer, and it's designed to snarf any credentials stored on the victim's PC.
Even though this might fool some users, Krebs points out that Microsoft "strongly advises against nixing PowerShell because some core system processes and tasks may not function properly without it. What's more, doing so requires tinkering with sensitive settings in the Windows registry..."
Thanks to long-time Slashdot reader sinij for sharing the article.
This is daft (Score:3)
OMG. Here user, here's the instructions to let me hack your computer.
Re: (Score:2)
Being clueless comes with increased risk in life. This applies to small and big things.
PowerShell for Linux (Score:2)
If you're not smart enough to recognize an 'execute' command, you're not smart enough to own a GitHub account.
With the Linux UI now being Windows-like, does this work (assuming PowerShell for Linux is installed)?
Probably works well on the average Windows "dev" (Score:3)
These people are not very smart, after all. That apparently some want to remove PowerShell as a "countermeasure" just makes this even more obvious.
Idiots (Score:3)
Why was removing PowerShell even suggested? Why not just give instructions to remove the web browser and the email client? Problem solved!
Re: Idiots (Score:2)
Have you tried to uninstall Edge lately ?
This is a big flaw in many OSes (Score:2)
Android, iOS, ChromeOS and even macOS got this right by providing cryptographically immutable base systems with the majority of running processes forbidden from touching users private data by default. Executing malware on these systems is no
Re: (Score:2)
Every system should have implemented mandatory access controls to mitigate this type of thing by now.
It's not about access control. Both Windows and Linux try to separate administrative access from user access and for those who know the difference and how to use them, they pretty much work. But you gotta realize that a user must have access to their local directory, should be able to download files, and be able to execute them. If you don't allow them to do that, then you're not going to be considered a "user-friendly" O/S.
It shouldn't be that easy to get at the private data of end users without them knowing what application is requesting access, and them directly approving said access.
If a user is dumb enough to follow instructions as introduced by this hack, they