Ctrl C + Ctrl V is an unsung hero to every programmer and sysadmin out there and an elementary and universal keyboard combination integrated into the core of every OS ecosystem.

I have used it as second nature, and you have too. Nothing to see here?

Or so it seems.

An oh-so-harmless sequence of Ctrl C + Ctrl V can now kick you out of control of your own machine.

How It Happens

Malicious sites have weaponized code boxes to carry out covert malware attacks on unsuspecting users who copy and paste the malicious code snippets into the terminal.

Picture this:

You copy a seemingly harmless command snippet like sudo apt-get update, which, naturally, should update your repositories.

Instead, what would be stored in your clipboard is malicious and auto-executing shell code, possibly even a beacon to be leveraged into some form of malware — RAT, ransomware, you name it.

The very moment you paste that snippet into your shell, it triggers a chain of commands (as per its design) and infects your system, potentially capable of even locking you out of it.

Some payloads go to the extent of obfuscating or hiding command output, so, you won't even be able to tell what hit you.

To sum it up in layman's, if you are not vigilant, you can now end up hacking yourself by copy-pasting commands.

Technique, Tactic, Procedure

The crux of this trap is masking the malicious code underneath a cloak of an absolutely regular-looking string of text.

A threat actor can orchestrate this attack in two prominent ways:

  1. Using JavaScript EventListener to manipulate the text you copy, as you copy it.
  2. Injecting a CSS layer to cloak the payload underneath a genuine-looking command.

With the JavaScript technique, an EventListner captures the event of the user copying the text and then replaces the data with malicious code.

With the second approach, JavaScript is not involved. The HTML and CSS style sheets of the code box are programmed such that an invisible cloak is created over the malicious code.

How to Avoid Getting Hacked

Although you can protect yourself to an extent by disabling JavaScript in your browser, there is no remedy to the CSS tactic. The best course of action is to always paste the command into a text editor in order to manually verify its integrity. There are a few terminal plugins that do the work of pasting commands into a read-only tab for you to check but still, it is wise not to risk it.

The awesome artwork used in this article was created by Mr Misang, in this picture you can see that many others tried to break through the wall and failed, but our mysterious protaganist is determined to break through for himself.