A technically complicated warning for Google Chrome users has just been issued, but thankfully it’s one with a stupidly simple instruction that you must follow to avoid being attacked.
The warning comes courtesy of Proofpoint, which has says it has “observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware.”
The research team suggests multiple treat actors have been using the technique, delivering various forms of malware in the process. It’s easy to spot, though, and so once aware users should find it very easy to prevent an infection. These are actually instructions you should be following anyway.
While using Chrome, a user will see a popup textbox “that suggests an error occurred when trying to open the document or webpage.” The popup provides instructions on copying and pasting text into either a PowerShell terminal or Windows Run dialog box.
On the surface, one might assume this would be easy to identify as unusual and to ignore. But Proofpoint warns that “although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk.”
The attack itself displays the usual defensive behaviors one would expect these days—it attempts to check if the device is a virtual or sandboxed environment before downloading and installing malware, making it less likely to be detected. If all is green-lit, it installs threats in the background.
Proofpoint attributes the attack to spam distributor TA571, which specialised in “high volume spam email campaigns to deliver and install a variety malware for their cybercriminal customers,” and ClearFake, which popped up last year as “a newcomer to the ‘fake updates’ threats landscape.”
The focus of much of the installed malware itself appears to be credential theft as well as triggering fraudulent crypto transactions, where a user has used the device to make their own crypto transfers.
The fake update attack conops is becoming more prevalent, and we have seen multiple instances of Google Chrome being the chosen front-end for this. With 3-billion-plus users across all platforms, this is no surprise. but it makes it doubly important that Chrome users are extra vigilant to updates and add-ons. Chrome provides clear instructions on manual and automated updates.
In general, the threat landscape has picked up in recent months and dangerous installs and add-ons from third-party sites, as well as malicious popups as seen here have become a nasty trend.
As Proofpoint warns, this latest attack “aligns with the overall trend Proofpoint has observed of cybercriminal threat actors adopting new, varied, and increasingly creative attack chains.”
Fortunately, such attacks should be straightforward to detect and avoid.
Here are three simple rules:
- Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load.
- Never ever click links in emails or messages that directly download apps or updates—always use app stores or apps themselves for installs and updates.
- Do not install apps, add-ons or updates that link to established apps like Chrome unless you know for an absolute fact they’re legitimate—check reviews and online write-ups.
