News: 1718782048

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

That PowerShell 'fix' for your root cert 'problem' is a malware loader in disguise

(2024/06/19)


Crafty criminals are targeting thousands of orgs around the world in social-engineering attacks that use phony error messages to trick users into running malicious PowerShell scripts.

This latest Windows malware distribution campaign uses fake Google Chrome, Microsoft Word, and OneDrive error messages that look kinda like real warnings. After visiting a legit but compromised website, victims see some kind of pop-up text box in their browser telling them something went wrong – it's an old but highly effective trick. One worth knowing, we reckon, so that you can help stop colleagues and others falling for it.

Marks are then instructed to click on a "fix" button, and then paste the displayed code into a PowerShell terminal or Windows Run dialog box. This allows PowerShell to run another remote script that downloads and runs the malware on the victim's PC.

[1]

Proofpoint malware hunters have spotted at least two criminal gangs using this technique to infect people's machines. At least one of the gangs is very likely using it to spread ransomware, we're told.

[2]

[3]

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," said Tommy Madjar, Dusty Miller, and Selena Larson in a [4]report out this week.

Proofpoint says it spotted a crew dubbed TA571 using this particular PowerShell-powered technique as early as March 1, and the gang behind the [5]ClearFake malware campaign using it since early April. Both were still active in early June, and a third campaign, dubbed ClearFix, has also been testing it out since at least May.

[6]

In these attacks, users visit a compromised website that loads a malicious script "hosted on the blockchain via Binance's Smart Chain contracts," the report states — this is apparently called [7]EtherHiding — which then loads a fake warning box in the browser prompting the victim to install a "root certificate" to fix some fictions problem.

The message includes instructions to copy a PowerShell script and then run it manually on the machine. This script flushes the DNS cache, removes the clipboard's contents, displays a decoy message to the user, and then downloads and runs a remote PowerShell script.

This remote script performs a series of Windows Management Instrumentation checks and then drops in Lumma Stealer malware, which downloads three payloads:

am.exe – Amadey Loader

ma.exe – A downloader that downloaded and ran the XMRig cryptocurrency miner with a specific configuration

cl.exe – A clipboard hijacker designed to replace cryptocurrency addresses in the clipboard, constructed to cause the victim to transfer cryptocurrency to a threat actor-controlled address instead of the intended address when doing transfers

In some cases the Amadey malware downloads others, including a Go-based malware that the threat hunters say they believe to be the JaskaGo software nasty, which can be configured for both Windows and macOS machines.

"This means that in total, five distinct malware families could be executed just by running the one initial PowerShell script," they wrote.

Click-no-fix

The ClearFix campaign used a similar strategy. For this one, the attackers used a compromised website with an injection that leads to an iframe overlay. This one displays as a Google Chrome error message that also tells users to open "Windows PowerShell (Admin)" and then paste the sneaky code, eventually leading to the Vidar Stealer being downloaded and executed.

[8]Malware crooks find an in with fake browser updates, in case real ones weren't bad enough

[9]That didn't take long: Replacement for SORBS spam blacklist arises ... sort of

[10]VMware by Broadcom warns of two critical vCenter flaws, plus a nasty sudo bug

[11]Cops cuff 22-year-old Brit suspected of being Scattered Spider leader

The third campaign, which Proofpoint attributed to TA571, a crew known for the mass spamming of its targets, sent out more than 100,000 phishing emails to thousands of organizations across the globe.

In this one, criminals send emails containing a malicious HTML attachment disguised as a Microsoft Word page. It also shows an error message cautioning that the "Word Online extension is not installed," and then gives them two options: "How to fix" and "Auto-fix."

[12]

Clicking "How to fix" copies a Base64-encoded PowerShell command to the computer's clipboard with a message instructing the user to open PowerShell and right-click the console.

Meanwhile, the "Auto-fix button" uses the [13]search-ms protocol to show a WebDAV-hosted "fix.msi" or "fix.vbs" file.

The MSI file, when executed, installs Matanbuchus, another malware loader, while the VBS file downloads and run the DarkGate attack code.

"Proofpoint assesses with high confidence that TA571 infections can lead to ransomware," the researchers said, noting that this crew is continually modifying its email lures and attack chains.

The security shop also includes examples of indicators of compromise, and advises organizations train employees to spot and report suspicious activity — especially for this type of social engineering attack. ®

Get our [14]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZnKsQ2pO3ISuSh4E32xWHwAAAAI&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnKsQ2pO3ISuSh4E32xWHwAAAAI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnKsQ2pO3ISuSh4E32xWHwAAAAI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[4] https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn

[5] https://www.theregister.com/2023/10/18/malware_dropping_browser_updates/

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZnKsQ2pO3ISuSh4E32xWHwAAAAI&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://labs.guard.io/etherhiding-hiding-web2-malicious-code-in-web3-smart-contracts-65ea78efad16

[8] https://www.theregister.com/2023/10/18/malware_dropping_browser_updates/

[9] https://www.theregister.com/2024/06/17/infosec_news_in_brief/

[10] https://www.theregister.com/2024/06/18/vmware_criticial_vcenter_flaws/

[11] https://www.theregister.com/2024/06/17/scattered_spider_arrest/

[12] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/research&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZnKsQ2pO3ISuSh4E32xWHwAAAAI&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[13] https://learn.microsoft.com/en-us/windows/win32/search/-search-3x-wds-qryidx-searchms

[14] https://whitepapers.theregister.com/



gryphon

If a company is allowing outbound access to the open internet on a device that allows a normal user to get to an elevated command prompt or shell that's just foolishness anyway notwithstanding this issue.

For home users then that unfortunately goes back to an education issue.

Anonymous Coward

So, for home users:

Despite my mum programming mainframes in 1970 before she had me, my dad is on the polar opposite of the IT spectrum, and needs help with some tasks. However, instilling a sense of cynicism has actually kept him safe: he calls when there's a pop up, or dodgy looking email. Even when I forgot to update my credit card details for GSuite, he called immediately

It's taken a while to get to this point, but I'm proud of him for not falling foul of such miscreants

For enterprise users:

My company runs frequent phishing campaigns which have taught the workforce really good internet hygiene. But, shockingly, despite being referred to training should you click on link, there are still those amongst us which do it. It has been effective, though

Hmm

Anonymous Coward

Since one of the elements targets cryptocurrency addresses are these criminals hoping to get a slice of ransomware criminal activity?

God must have loved calories, she made so many of them.