Summary:
A sophisticated malware distribution campaign has emerged, utilizing fake error messages resembling Google Chrome, Microsoft Word, and OneDrive issues to deceive users into running malicious PowerShell scripts. This campaign involves several threat actors, including ClearFake, ClickFix, and TA571, known for their previous involvement in spam distribution and malware dissemination.

The attackers leverage compromised websites and HTML attachments with JavaScript to display convincing error overlays. Users are prompted to execute a PowerShell "fix" by copying and pasting commands, ostensibly to resolve the displayed errors. Once executed, these scripts lead to the installation of various malware strains such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer. These payloads aim to steal information, perform crypto-mining, and facilitate further compromise of the infected systems.

Security Officer Comments:
The campaign relies on sophisticated social engineering tactics, presenting users with apparent technical issues and offering quick solutions through the PowerShell scripts. This approach exploits users' trust and urgency to fix perceived problems, bypassing their caution. Three main attack chains have been observed, each targeting different entry points including compromised websites, HTML email attachments posing as Microsoft Word documents, and direct overlays on webpages. This diversification increases the likelihood of successful infections across different user environments.

Suggested Corrections:
To mitigate these threats, organizations and individuals should take proactive steps. Immediate patching and updating software to the latest versions are crucial to closing known vulnerabilities. Security awareness training is essential to educate users about common phishing tactics, including fake error messages, and train them to recognize and report suspicious activities. Implementing robust endpoint protection, email filtering, and web security solutions can detect and block malicious scripts and payloads before they execute. Developing and testing incident response plans helps organizations quickly identify, contain, and mitigate the impact of malware infections.

Link(s):
https://www.bleepingcomputer.com/ne...ou-into-running-malicious-powershell-scripts/