Understanding This Windows Verification Exploit

Time To Read: 8 minutes

Target Technical Level: Low OS: Windows Someone sent me this image that they encountered on

Reddit, it looks like a normal Windows Verification

dialogue (popup). Let's will break down what is happening: The hook: "Complete these verification steps use keyboard To prove you are not robot" — We are bombarded by these every day, other than a few grammar issues, nothing too nefarious yet.

The trigger: "Press & hold the Win key + R" — This is where alarm bells should sound off for some of us, we'll explain why:

The Windows Key [⊞ Win] on the bottom left of your keyboard is a really powerful button when used in combination with other keys.

The Windows Key [⊞ Win] + R (Hold the windows key and press the R key) opens the Run Dialogue, this gives you fast access to all sorts of useful tools that allow you to control your computer.

The Control Key [ctrl] or [Control] is another powerful key for combinations and is also on the bottom left and bottom right of your keyboard, both keys (if you have them) do the same thing.

[ctrl] + C - will copy whatever you have highlighted or selected and load it into an invisible clipboard on the system

[ctrl] + V - will paste whatever is loaded into your clipboard, to the input box you have selected. Sometimes the selection will be made for you by the software you are using.

The Enter Key [↲ Enter] is underneath the Backspace Key [← backspace]. It is based off of the Carriage Return Key [↲] on typewriters.

1. Try clicking anywhere on the page.

2. Now try holding [⊞ Win] and tap the R key.

   1. The Run Dialogue should have popped up, and you should notice the blinking cursor in the text box, that shows that it was automatically selected for you.

3. Now try holding [ctrl] and tap the V key.

   1. If the script I hid on the page worked, you should see the code below, if you don't, hold your left mouse button down starting at the 'p' in 'powershell' and while holding the left mouse button, drag it to the " at the end of "your head.\)" " and hold [ctrl] and tap the C key:

      
      

      1. powershell -c "Add-Type -AssemblyName System.Speech;(New-Object System.Speech.Synthesis.SpeechSynthesizer).Speak(\'I have a lovely bunch of coconuts, there they are standing in a row, big ones, small ones, some as big as your head.\')"

         
         

   2. This code will get your computer to sing to you, but it should also show the impact of what is possible.

4. Now tap on [↲ Enter]

This has been a very harmless exercise, but any time we use the Run Dialogue, we can do a lot of damage to a computer. In this instance, powershell commands can let you do a lot of things on a Windows machine, but there are much scarier things you can do with the Run Dialogue.

So any time you see something that pops up and tells you to hold the [⊞ Win] and tap the R key, do whichever you are more comfortable with:

1. Close the page.

2. Paste the payload into a word document, save it as payload.txt and copy down the website name. Report it here: https://www.cyber.gc.ca/en/incident-management/report-cyber-incident-individuals

   1. Give them the site name and when they let you attach something, attach the payload.txt file

   2. Fill out the rest of the report.

   3. When you have finished and sent the report in, delete the payload.txt file.

3. If you already fell for this scam, please disconnect your computer and bring it an IT specialist you trust, have them enter the code below to get the logs of what was recently run and hopefully, we they can reverse the damage.

powershell -c "(Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU').PSObject.Properties | Where-Object {$_.Name -match '^[a-z]$'} | ForEach-Object {$_.Value}; pause"

Citations

Unicode Icons: https://www.unicode.org/charts/

Powershell Speech Synthesis: https://learn.microsoft.com/en-us/dotnet/api/system.speech.synthesis.speechsynthesizer.speak?view=net-10.0-pp