Hackers Leveraging New Social Engineering To Run PowerShell And Install Malware

Hackers use social engineering as it focuses on the psychological rather than technological aspects of security flaws, consequently easily tricking users into surrendering their username and password, or executing tasks that are malicious for an organization.

By using social engineering threat actors exploit the loopholes in security systems to deceive them through misleading information and impersonations such as phishing, pretexting, and baiting.

EHA

Cybersecurity researchers at Proofpoint recently discovered that hackers have been actively leveraging the new social engineering to run PowerShell and install malware.

New Social Engineering Technique

There has been an upsurge in social engineering by threat actors like the initial access broker TA571 and a fake update activity cluster who deceive users into copy-pasting dangerous PowerShell scripts to infect their systems.

Through malspam or browser injects, it pops up telling users that there are some errors that they need to correct. Ultimately these run the scripts that eventually bring out malware payloads such as DarkGate, Matanbuchus, NetSupport, and information stealers.

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

This technique has been used by TA571 since March 2024 and by the ClearFake cluster since early April of this year lasting up to June.

The ClearFake campaign that Proofpoint targeted adopted a strategy where users are deceived into pasting malicious PowerShell scripts from fake browser update popups on compromised websites.

These were scripts that utilized obfuscation, executed through multiple stages, and ultimately downloaded Lumma Stealer as well as others such as Amadey Loader, mining software for cryptocurrencies or clippers.

ClearFake attack chain (Source – Proofpoint)

By just running the pasted PowerShell script, this multi-stage infection chain could lead to the adoption of not less than five different families of malware.

To make it difficult to detect malware components, technologies like EtherHiding, ZIP executable bundling, and DOILoader were been misused during the operation.

Researchers nicknamed the browser update overlay as “ClickFix” which popped up on compromised websites during mid-April 2024.

It made victims consent to malicious PowerShell scripts that eventually distributed malware named Vidar Stealer. By the middle of May, this was replaced by a similar campaign known as ClearFake.

Since March, TA571 has been running multiple campaigns using HTML lures with fake error messages.

Fake error message (Source – Proofpoint)

These are copied malicious scripts into the clipboard and ask victims to paste and run them in order to get infected with things like Matanbuchus, DarkGate, or NetSupport RAT.

The creative attack chains bypass security controls through trusted applications and user interactions.

Organizations must improve user education so that they can recognize and report such kinds of social engineering attempts.

Free Webinar! 3 Security Trends to Maximize MSP Growth -> Register For Free

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.