Fake Google Chrome errors trick you into running malicious PowerShell scripts

Gandalf_The_Grey
Thread author
A new malware distribution campaign uses fake Google Chrome, Word, and OneDrive errors to trick users into running malicious PowerShell "fixes" that install malware.

The new campaign was observed being used by multiple threat actors, including those behind ClearFake, a new attack cluster called ClickFix, and the TA571 threat actor, known for operating as a spam distributor that sends large volumes of email, leading to malware and ransomware infections.

Previous ClearFake attacks utilized website overlays that prompted visitors to install a fake browser update that installs malware.

Threat actors also utilize JavaScript in HTML attachments and compromised websites in the new attacks. However, now the overlays display fake Google Chrome, Microsoft Word, and OneDrive errors.

These errors prompt the visitor to click a button to copy a PowerShell "fix" to the clipboard and then paste and run it in a Run dialog or PowerShell prompt.

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," warns a new report from Proofpoint.

The payloads seen by Proofpoint include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer.

One could ask: why do the attackers bother to use scripting to install malware? They could use a password-protected archive (.zip, .rar, etc.) or a disk image (.iso, .img, etc.) to deliver the same malware.
The difference is due to Windows SmartScreen. When the malware is downloaded via scripting, it does not have the Mark of the Web (MotW), so SmartScreen for Explorer is not triggered on malware execution.
If the attackers use an archive or disk image (a popular method two years ago), SmartScreen is triggered on malware execution. Last year, Microsoft extended MotW propagation for disk images. Also, many archiver applications currently propagate MotW to the unpacked content.

Bearing in mind the effort attackers put into avoiding SmartScreen, it must still be a very efficient protection, one that can be used with any AV.
A similar note applies to Smart App Control (SAC). The scripting method from the article (no .ps1 script files) combined with a script payload (.hta, .vbs, etc.) can bypass SAC as well.
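The post above hinges on one detail: a file that a script writes to disk itself carries no Zone.Identifier stream, so SmartScreen has nothing to check when it is launched. The following PowerShell is an added example, not code from the article, from Proofpoint, or from the poster; it simulates both cases on constructed files in a throwaway directory (the inert two-byte "MZ" stub, the directory name and the function names are mine) and adds a small sweep that lists executables and script payloads lacking the mark.

```powershell
# Added example (not from the article or the forum post). Requires an NTFS
# volume: MotW is stored as an NTFS alternate data stream, so it cannot exist
# on FAT32/exFAT at all.

function Get-MotWZone {
    # Returns the ZoneId from the Zone.Identifier stream, or $null when the
    # file carries no Mark of the Web (ZoneId 3 = Internet, 4 = Restricted).
    param([Parameter(Mandatory)][string]$Path)

    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }

    $content = Get-Content -LiteralPath $Path -Stream Zone.Identifier
    $line = $content | Where-Object { $_ -match '^ZoneId=(\d+)' } | Select-Object -First 1
    if ($line -and $line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    return $null
}

function Find-UnmarkedPayloads {
    # Lists common executable/script payload types in a folder that have no
    # MotW. Absence is not proof of malice (locally built tools look the same),
    # but in a Downloads folder it is exactly the pattern described above.
    param([Parameter(Mandatory)][string]$Directory)

    $types = '*.exe','*.dll','*.msi','*.hta','*.vbs','*.js','*.ps1','*.bat','*.cmd'
    Get-ChildItem -LiteralPath $Directory -File -Include $types -Recurse |
        Where-Object { $null -eq (Get-MotWZone $_.FullName) } |
        Select-Object FullName, Length, LastWriteTime
}

# --- Demonstration on constructed files -------------------------------------
$demo = Join-Path $env:TEMP 'motw-demo'      # constructed path for this example
New-Item -ItemType Directory -Path $demo -Force | Out-Null

# 1. A file written directly by a script, the way a ClickFix-style "fix" drops
#    its payload after fetching it: no Zone.Identifier stream is created.
$scripted = Join-Path $demo 'dropped-by-script.exe'
[IO.File]::WriteAllBytes($scripted, [byte[]](0x4D, 0x5A))   # inert 'MZ' stub, not a real PE
"script-written file zone : $(Get-MotWZone $scripted)"      # prints an empty zone

# 2. The same bytes as a browser download leaves them: ZoneId=3, which is what
#    SmartScreen for Explorer inspects before allowing the first run.
$browser = Join-Path $demo 'saved-by-browser.exe'
Copy-Item -LiteralPath $scripted -Destination $browser
Set-Content -LiteralPath $browser -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
"browser-style file zone  : $(Get-MotWZone $browser)"       # prints 3

# 3. The mark is only metadata: Unblock-File (or any tool that strips the
#    stream) returns the file to the first state.
Unblock-File -LiteralPath $browser
"after Unblock-File zone  : $(Get-MotWZone $browser)"       # empty again

# 4. Sweep the demo folder: both files now show up as unmarked.
Find-UnmarkedPayloads -Directory $demo | Format-Table -AutoSize
```

Run `Find-UnmarkedPayloads -Directory "$env:USERPROFILE\Downloads"` to see what on a real machine would never have hit SmartScreen. The same check does not tell you anything about Smart App Control, which evaluates the file's reputation and signature rather than its MotW stream; that is why the poster notes SAC has to be bypassed differently, with script payloads rather than with unmarked binaries.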