Hackers deploy new clever tactics: apply a fix – get malware

Cybercriminals are using a new clever “copy-paste” technique to trick their victims. A fake error message on the Chrome browser appears and provides simple instructions “to install root certificate,” but instead leads to the installation of infostealers or other malware.

A unique social engineering campaign is becoming increasingly popular, in which hackers make users self-sabotage their own systems, Proofpoint researchers identified.

A compromised email or website delivers an error message, requiring users to apply a fix by copying and pasting it into a Windows PowerShell terminal. In reality, users run malicious scripts which infect their computers with malware.

“Users are shown a popup textbox that suggests an error occurred when trying to open a document or webpage, and instructions are provided to copy and paste a malicious script into the PowerShell terminal or the Windows Run dialog box to eventually run the script via PowerShell,” researchers explain in more detail.

They observed the threat actor labeled TA571 and others delivering malware such as DarkGate, Matanbuchus, NetSupport, and various information stealers. The campaign usually begins via spam attacks or web browser injects.

“Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk,” Proofpoint said in the report.

fake error pop-up
Image by Proofpoint.

When run, the script performs various functions. It flushes the DNS cache, removes clipboard content, and displays a decoy message to the user while downloading another remote PowerShell script to execute. The second script is a downloader for yet another script, which checks if the machine is not virtual and then continues to the final, fourth script to download and execute the actual malware.

Lumma Stealer is a frequently used payload that targets crypto wallets. It steals and exfiltrates user information and session tokens.

Attackers were observed using Lumma to download other malicious payloads used to mine and steal cryptocurrencies and perform other nefarious tasks.

There were other similar campaigns displaying fake pop-ups claiming that Chrome failed to update.

Fake pop up
Image by Proofpoint.

Proofpoint describes TA571 as a spam distributor, as it sends high-volume email campaigns to deliver and install a variety of malware for its cybercriminal customers.

“The attack chain is unique and aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied, and increasingly creative attack chains,” the report concludes.

Proofpoint advises organizations to train users to identify and report suspicious activity.