London Mail

Urgent warning to Google Chrome users after cyberattack targets browser with fake error messages – here’s how to protect yourself

by London Mail
June 18, 2024
in Science

Security experts issued a warning to Google Chrome users after uncovering a cyberattack targeting the browser, as well as Microsoft’s Word and OneDrive apps.

The attack has used fake error messages to trick users into installing the malicious software themselves as a ‘fix.’ 

Hackers are sending notifications through email as well as website pop-ups, which claim the user has experienced a software malfunction and is in need of a quick update.

To spot a fake, experts have advised users to be wary of messages that claim a fix will require them to install a ‘root certificate’ by copying and pasting raw code.

While the cyberattack is capable of stealing all manner of private digital data, some of the new malware appears primed for stealing cryptocurrencies, like bitcoin.  

Hackers have a new tactic for sneaking malware onto your computer – fake updates to Google’s Chrome browser, as well as Microsoft’s Word and OneDrive products

The malicious new hacking tactic was uncovered by the prolific cybersecurity firm Proofpoint, founded in 2002 by a former chief technology officer for Netscape. 

The new style of ‘fake error messages,’ they warned, ‘is clever and purports to be an authoritative notification coming from the operating system.’ 

The scheme involves seemingly official prompts from these tech giants, Google and Microsoft, asking users to open what’s known as a ‘command-line shell,’ specifically Microsoft’s version of a command-line tool for Windows, PowerShell.

Command line tools, including Windows PowerShell, are programs designed for more experienced coders to program their own computer’s core code directly. 

The hackers’ fake error messages encourage unwitting users to copy and paste raw code and then install it as a ‘fix’ by running or ‘executing’ that code in PowerShell.

Cyber security experts have only seen these hackers deploy this specific ‘fake fix’ scheme via PowerShell, so Apple iOS users should be able to rest easy for now.

The scheme involves seemingly official prompts – like the one pictured above – asking users to open what’s known as a ‘command-line shell,’ a form of software that allows more experienced coders to program their computer more directly, and install a code ‘fix’

‘This attack chain requires significant user interaction to be successful,’ the company noted in their advisory posting on the PowerShell-based cyber threat.

‘It also provides both the problem and a solution,’ they noted, ‘so that a viewer may take prompt action without pausing to consider the risk.’

Any person or prompt telling you to execute raw code in a terminal or shell should be treated with caution and extreme skepticism, they said.

In all cases, these hackers have created their fake error messages via flaws or vulnerabilities inherent to using JavaScript in HTML email attachments or via wholly compromised websites online. 

While the overlaid fake Google Chrome, Microsoft Word, and OneDrive errors have been documented, Proofpoint investigators warned that this basic form of hack could pose as other trusted software update requests in the future.

In all cases, cybersecurity experts explained, the hackers created their fake error messages via flaws or vulnerabilities using JavaScript in HTML email attachments or via compromised websites. Above an example of the fake messages, disguised this time as an MS Word prompt

While the overlaid fake Google Chrome, Microsoft Word, and OneDrive errors (example pictured above) have been documented now, Proofpoint investigators warned that this basic form of hack could pose as other trusted software update requests in the future

Two interesting pieces of malicious software gave a clue as to the hackers’ intentions, according to Proofpoint.

One, called ‘ma.exe,’ downloaded and ran a crypto-currency mining program called XMRig with a specific configuration. The second, ‘cl.exe,’ was cleverly designed to replace cryptocurrency addresses in the user’s ‘cut and paste’ clipboard.

In essence, that second malware program was intended to cause unsuspecting victims to inadvertently ‘transfer cryptocurrency to a threat actor-controlled address instead of the intended address when doing transfers,’ Proofpoint’s team said.

If a user was copying and pasting a cryptocurrency wallet’s address for sending their digital money along, this malware would quietly swap that copied address for its own dummy wallet’s address. 

When the hack’s successful, the user fails to notice the switch and simply sends the cryptocurrency cash to the hacker’s anonymous dummy wallet.
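
A defender-side check for the address swap described above, as an added example that is not from the article or from Proofpoint: before a transfer is sent, compare the address the user copied with the one that arrived in the send form. The function names, the three address shapes and the sample values are assumptions made for the illustration.

```python
import re

# Assumed address shapes for the illustration. A clipper usually substitutes
# an address-shaped string so the pasted value still looks plausible.
ADDRESS_SHAPES = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_shape(text):
    """Return the name of the address shape `text` matches, or None."""
    candidate = text.strip()
    for name, pattern in ADDRESS_SHAPES.items():
        if pattern.match(candidate):
            return name
    return None


def check_paste(copied, pasted):
    """Compare what the user copied with what arrived in the send form.

    Returns "ok", "swapped" (an address was replaced by a different
    address, the clipper pattern) or "altered" (replaced by other text).
    """
    if address_shape(copied) is None:
        return "ok"  # not an address, nothing to protect
    if copied.strip() == pasted.strip():
        return "ok"
    return "swapped" if address_shape(pasted) else "altered"


def audit(transfers):
    """Return the (copied, pasted) pairs that must be blocked before sending."""
    return [pair for pair in transfers if check_paste(*pair) != "ok"]


# Constructed sample values: address-shaped strings, not real wallets.
SAMPLE = [
    ("0x" + "ab" * 20, "0x" + "ab" * 20),  # unchanged
    ("0x" + "ab" * 20, "0x" + "cd" * 20),  # same shape, different value
    ("bc1q" + "a" * 38, "1" + "B" * 30),   # different shape, still an address
    ("meeting notes", "something else"),   # not an address
]

if __name__ == "__main__":
    for copied, pasted in audit(SAMPLE):
        print(check_paste(copied, pasted), copied[:10], "->", pasted[:10])
```
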

In April, the security experts saw this new method in use alongside the ClearFake cluster of hacking tools, which targeted Apple users last November with what was described as a ‘one hit smash-and-grab’ virus. The new hacks appear to be primed to steal users’ cryptocurrencies 

In April, the security experts saw this new method in use alongside the ClearFake cluster of hacking tools, which targeted Apple users last November with what was described as a ‘one hit smash-and-grab’ virus.

The hacker’s malicious PowerShell script acts as a so-called Trojan that allows even more malicious code to be downloaded onto the victim’s system.

First it reportedly performs various diagnostics to confirm that the host device is a valid target. 

As a key test, one of the malicious PowerShell scripts would obtain system temperatures from the victim’s computer to detect if the malware was being run on a real computer, or a so-called ‘sandbox’ — a walled-off virtual PC used to handle and analyze potentially dangerous software.

If no temperature data was returned to the malware, that fact was interpreted as a tell revealing that the hacker’s code was actually being run inside a virtual environment or sandbox. 

The malware would then exit and abort its operation, protecting the hackers’ later and more detailed malicious code from being caught in the sandbox for study by experts.

Proofpoint’s team advised users to be cautious about copying and pasting code or other text from prompts either on websites or alerts alleging to come from trusted software applications.

‘Antivirus software and EDRs [Endpoint Detection and Response monitoring software],’ they said, ‘have issues inspecting clipboard content.’

The cybersecurity firm also called on businesses to conduct training on this issue and to focus on ‘detection and blocking’ that would prevent these and similar ‘fake fix’ prompts from appearing in the first place.
