Source: Nico El Nino via Shutterstock
Threat actors are using fake browser updates and software fixes to trick users into cutting/copying and pasting PowerShell scripts loaded with various malware strains — including remote access Trojans (RATs) and infostealers — to infect their computers.
Researchers from Proofpoint observed the socially engineered technique employed by initial access broker tracked as TA571, as well as an unidentified actor in the last three months, starting as early as March 1, they revealed in a blog post published June 17.
There appear to be two methods of social engineering used in the activity — one that offers fake browser updates in yet another ClearFake campaign, and the other that delivers error messages related to Word, Google Chrome, and OneDrive dubbed "ClickFix" by the researchers. Malware delivered in the campaign includes the DarkGate and NetSupport RATs, the malware loader Matanbuchus, and various information stealers, including Lumma and Vidar.
"Whether the initial campaign begins via malspam or delivered via web browser injects, the technique is similar," Proofpoint researchers Tommy Madjar, Dusty Miller, Selena Larson, and the Proofpoint Threat Research Team explained in the post.
The campaigns show users are a pop-up textbox that suggests an error occurred when trying to open the document or webpage, and further instructions to copy and paste a malicious script into either the PowerShell terminal or the Windows Run dialog box to eventually execute the script via PowerShell, they said.
Attackers use "clever" and "authoritative" social engineering in the fake error messages delivered to users in the campaign, and also "provides both the problem and a solution so that a viewer may take prompt action without pausing to consider the risk," the researchers noted.
The activity reflects a trend among cybercriminals to adopt "increasingly creative attack chains" that ensure the success of campaigns that employ nested PowerShell and other technical tactics that are not easily detected by users, they said.
ClearFake for Malware Delivery
Proofpoint first observed the cut-and-paste technique with a ClearFake campaign in early April as well as "every other ClearFake campaign since then," the researchers noted. ClearFake is a previously identified fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript.
In the latest campaigns, when a user visited a compromised website, the injection caused the website to load a malicious script hosted on the blockchain via Binance’s Smart Chain contracts, using a technique known as EtherHiding. The initial script then loaded a second script from a domain to eventually present a fake warning warning instructing them to install a "root certificate" to view the website correctly.
The message included instructions to click a button to copy a PowerShell script and then provided steps on how to manually run this script on the victim's computer. If this is done, the user effectively executes the PowerShell by pasting it into the PowerShell command line interface window.Proofpoint observed at least five types of malware being delivered in this way, including the Lumma stealer, Amadey Loader, and JaskaGo.
ClickFix Baits With Error Messages
Proofpoint first began to observe what it calls the ClickFix campaign in mid-April when its researchers found compromised sites containing an inject leading to an iframe on pley[.]es displayed as an overlay error message. The messaged claimed that a faulty browser update needed to be fixed and asked the victim to open “Windows PowerShell (Admin)”–which will open an User Account Control (UAC) prompt–and then right-click to paste the code.
If users take the bait, PowerShell runs another remote PowerShell script that downloads and runs an executable, eventually leading to Vidar stealer. While the payload domain used in the PowerShell was taken offline just a few days after the researchers discovered the activity, the custom content of the iframe was replaced with the ClearFake injection that was still active earlier this month. The researchers remain unclear if the same actor is behind ClearFake and ClickFix, however.
TA571 Attribution
Proofpoint observed TA571 using cut-and-paste PowerShell against victims as early as March 1 in a campaign that included more than 100,000 messages and targeted thousands of organizations globally. The threat actor employed emails containing an HTML attachment that displayed a page resembling Microsoft Word as well as error message claiming that "the Word Online" extension is not installed.
The message presented users with two options to continue, either "how to fix" or "auto-fix," both of which led them down to malicious paths to install malware, including Matanbuchus or DarkGate, using PowerShell or DLL files.
TA571's use of similar attack chains throughout the spring using "various visual lures and varying between instructing the victim to either open the PowerShell terminal or using the Run dialog box" demonstrates a link between the actor and the ClickFix campaign, the researchers noted.
Mitigating Malware Compromise
Proofpoint included a list of indicators of compromise (IoCs) in recent campaigns, acknowledging that it is not an "exhaustive list" but merely a snapshot of websites, email addresses, and other processes related to the malicious activity that its researchers have observed.
Overall the attack chain requires "significant user interaction" to be successful, which means the most practical way for organizations to help avoid compromise on their network is employee awareness and training, the researchers noted.
"Organizations should train users to identify the activity and report suspicious activity to their security teams," the researchers wrote. "This is very specific training but can easily be integrated into an existing user training program."
