new tactic to deliver malware


Proofpoint has detected an increase in the use of a new social engineering tactic that persuades users to copy and paste a malicious script into PowerShell, infecting their devices with malware. Attackers, including the TA571 group and the ClearFake activity cluster, are using this method to distribute several malware families, such as DarkGate, Matanbuchus, NetSupport and various information stealers.

The flow is largely the same regardless of how the campaign starts: when users try to open a document or web page, a pop-up reports an error and instructs them to copy a supposed fix, paste it into PowerShell or the Windows Run dialog, and execute it.

“It is clear that this attack method requires user interaction to be successful. That these cybercriminals use error messages and fake notifications in their social engineering strategies is very clever, since they provide both a problem and its solution so that the victim can take action immediately without stopping to think about the possible risks,” the Proofpoint research team explains.

PowerShell on alert

The malicious script is copied to the clipboard by JavaScript, using the same clipboard-write calls that legitimate websites use for their “copy” buttons. The command itself is embedded in the page’s HTML in various forms: Base64, reversed Base64, or even plain text, spread across different elements and functions.

Storing the command in these legitimate-looking ways, combined with the victim executing it manually rather than the page linking to or downloading a file, makes these threats harder to detect. Antivirus and EDR products have difficulty inspecting clipboard content, so it is crucial to intercept and block the malicious HTML or website before it reaches the victim.
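As an added example (not code from the article or from Proofpoint), the following Python scanner shows what “intercepting the malicious HTML” can look like in practice: it pulls every long Base64-looking run out of a page, decodes it both as-is and reversed (the two encodings the article mentions), and flags any decoded text that reads like a PowerShell command, while also checking that the page writes to the clipboard. It goes slightly beyond the article by also decoding UTF-16LE payloads, the form PowerShell’s -EncodedCommand expects. The indicator patterns, the function names and the sample lure page are all assumptions constructed for this example; the embedded command is harmless.

```python
import base64
import binascii
import re

# Heuristic indicators of a command meant to be pasted into PowerShell or the
# Run box. These patterns are assumptions for this example, not Proofpoint's
# detection logic; tune them for your own environment.
PS_CMD = re.compile(
    r"(?i)(?:\b(?:powershell|pwsh)(?:\.exe)?\s+[-/]\w+"   # powershell -NoP ...
    r"|\biex\s*\(|\binvoke-expression\b"                   # IEX (...)
    r"|\bfrombase64string\b|\bdownloadstring\b"
    r"|\bmshta(?:\.exe)?\s+https?://)"
)

# Base64 runs long enough to carry a whole command; shorter runs are noise.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")

# JavaScript calls that write to the clipboard (the lure needs one of these).
CLIPBOARD_WRITE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)"
)


def decode_b64(text):
    """Decode one Base64 run; None if it is not valid Base64.

    PowerShell -EncodedCommand payloads are UTF-16LE, so a buffer whose odd
    bytes are mostly NUL is decoded that way; everything else as UTF-8.
    """
    try:
        raw = base64.b64decode(text + "=" * (-len(text) % 4), validate=True)
    except binascii.Error:
        return None
    if len(raw) >= 2 and len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="ignore")
    return raw.decode("utf-8", errors="ignore")


def decode_candidates(html):
    """Yield (encoding, text): the page itself, then every Base64 run decoded
    both as-is and reversed (the 'reverse Base64' variant in the article)."""
    yield "plain", html
    for run in B64_RUN.findall(html):
        for label, candidate in (("base64", run), ("reversed-base64", run[::-1])):
            decoded = decode_b64(candidate)
            if decoded:
                yield label, decoded


def find_paste_payloads(html):
    """Return [(encoding, command)] for every decoded form that looks like a
    PowerShell command, whatever encoding the page stored it in."""
    findings = []
    for encoding, text in decode_candidates(html):
        m = PS_CMD.search(text)
        if m:
            line = text[m.start():].splitlines()[0].strip()
            findings.append((encoding, line[:120]))
    return findings


def is_paste_and_run_lure(html):
    """True when the page both writes to the clipboard and carries a command."""
    return bool(CLIPBOARD_WRITE.search(html)) and bool(find_paste_payloads(html))


# Constructed sample lure page (not a real campaign artifact). The payload is a
# harmless command stored as reversed Base64, the way the article describes.
SAMPLE_COMMAND = 'powershell -NoProfile -w hidden -Command "Write-Host demo"'
_STORED = base64.b64encode(SAMPLE_COMMAND.encode()).decode()[::-1]
SAMPLE_HTML = f"""<html><body>
<div class="error">Error 0x8004: the document could not be displayed.
Press Windows+R, paste the fix with Ctrl+V and press Enter.</div>
<script>
  var p = "{_STORED}";
  function fix() {{
    var cmd = atob(p.split('').reverse().join(''));
    navigator.clipboard.writeText(cmd);
  }}
</script></body></html>"""

if __name__ == "__main__":
    for encoding, command in find_paste_payloads(SAMPLE_HTML):
        print(f"[{encoding}] {command}")
    print("lure:", is_paste_and_run_lure(SAMPLE_HTML))
```

Requiring both a clipboard write and a decodable command keeps ordinary “copy this snippet” buttons from firing the rule; a page that only contains the word PowerShell in its prose is not flagged, because PS_CMD needs command-line structure (an executable followed by a switch, an IEX call, and so on) rather than a bare keyword.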

There are important differences between executing the command through PowerShell and through the Windows Run dialog. Opening PowerShell takes more steps, but once it is open, a single right-click pastes the clipboard contents and runs them immediately, with no opportunity to review them first.

The Run dialog, by contrast, can be driven entirely from the keyboard: Win+R opens it, Ctrl+V pastes the command, and Enter runs it. However, this path shows the pasted command in the dialog, which could raise the victim’s suspicion and lead them to cancel the execution.

 