Cybercriminals have launched large-scale attacks using methods of social engineering against thousands of organizations around the world. Their preferred tactic is to deceive victims into running harmful PowerShell scripts under the guise of solving a supposedly emerging technical issue.
These attacks are primarily aimed at infecting systems running Windows. Attackers create fake errors in popular programs such as Google Chrome, Microsoft Word, and OneDrive. When a user visits a seemingly legitimate but compromised website, a notification claiming a problem appears in their browser.
The victim is then prompted to click the “Fix” button and input the displayed code into the PowerShell terminal or click “Perform” in Windows.
Proofpoint researchers have identified at least two criminal groups utilizing this attack method. One of the groups is suspected to be involved in extortion.
According to Proofpoint, a group known as Ta571 has been using this method since March 1, while the Clearfake campaign group started in early April and remained active until early June. A third campaign, Clearfix, also tested this attack vector starting in May.
During these attacks, malicious scripts are injected into legitimate sites, stored on the blockchain through Binance Smart Chain smart contracts (a technique known as EtherHiding). The malicious script then triggers a fake warning window in the victim’s browser, prompting them to install a “root certificate” to resolve a fictitious issue.
The message includes instructions for copying the PowerShell script and manually launching it on the victim’s computer. The script clears the DNS cache, empties the contents of the clipboard, displays a fake message, and then loads and executes another remote script.
The remote script performs checks on Windows Management Instrumentation before deploying the Lumma Stealer, which proceeds to upload three malicious files: the Amadey Loader, the XMRIG cryptocurrency miner bootloader with a specific configuration, and a cryptocurrency exchange buffer hijacker that replaces wallet addresses with those controlled by the attackers.
In some instances, the Amadey Loader installs additional malicious programs, including GO, a malicious JASKAGO capable of operating on both Windows and MacOS according to Proofpoint.
Similar tactics were used in the Clearfix campaign, with criminals displaying a fake Google Chrome error, prompting victims to open PowerShell and input the malicious code, resulting in the download and activation of the Vidar Stealer infostler.