Paul MelsonJun 13, 2023
Last week I caught a wave of PowerShell one-liners that decode a base64 script and pipe it to 'iex' (aka Invoke-Expression)
p4ybackJun 20, 2023
Show threadPaul Melson
PowerShell deobfuscation 101, replace Invoke-Expression with Write-Host, and read the output. The decoded script downloads a file from Discord's CDN. It then runs a search.replace for 'WH_HERE' and replaces it with the attacker's Discord webhook URL, them executes the script.
Jun 13, 2023 at 11:09amWeb
Show threadPaul MelsonJun 13, 2023

Here is the downloaded script. It's somewhat involved, but the summary is that it's a browser credential stealer that zips all of its output and exfiltrates the zip file to the attacker's Discord webhook.
Network IOCs in order:
https://cdn.discordapp[.]com
http://ipconfig[.]me
https://discord[.]com

https://www.virustotal.com/gui/file/87a59357f83b04a6e213c125822d7bf2907b61128464b25d6815f3fa65e8c25e/details

VirusTotal

VirusTotal