That PowerShell 'fix' for your root cert 'problem' is a malware loader in disguise

Control-C, Control-V, Enter ... Hell

Crafty criminals are targeting thousands of orgs around the world in social-engineering attacks that use phony error messages to trick users into running malicious PowerShell scripts. 

This latest Windows malware distribution campaign uses fake Google Chrome, Microsoft Word, and OneDrive error messages that look kinda like real warnings. After visiting a legit but compromised website, victims see some kind of pop-up text box in their browser telling them something went wrong – it's an old but highly effective trick. One worth knowing, we reckon, so that you can help stop colleagues and others falling for it.

Marks are then instructed to click on a "fix" button, and then paste the displayed code into a PowerShell terminal or Windows Run dialog box. This allows PowerShell to run another remote script that downloads and runs the malware on the victim's PC.

Proofpoint malware hunters have spotted at least two criminal gangs using this technique to infect people's machines. At least one of the gangs is very likely using it to spread ransomware, we're told.

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," said Tommy Madjar, Dusty Miller, and Selena Larson in a report out this week.

Proofpoint says it spotted a crew dubbed TA571 using this particular PowerShell-powered technique as early as March 1, and the gang behind the ClearFake malware campaign using it since early April. Both were still active in early June, and a third campaign, dubbed ClearFix, has also been testing it out since at least May.

In these attacks, users visit a compromised website that loads a malicious script "hosted on the blockchain via Binance's Smart Chain contracts," the report states — this is apparently called EtherHiding — which then loads a fake warning box in the browser prompting the victim to install a "root certificate" to fix some fictitious problem.

The message includes instructions to copy a PowerShell script and then run it manually on the machine. This script flushes the DNS cache, removes the clipboard's contents, displays a decoy message to the user, and then downloads and runs a remote PowerShell script. 

This remote script performs a series of Windows Management Instrumentation checks and then drops in Lumma Stealer malware, which downloads three payloads:

am.exe – Amadey Loader

ma.exe – A downloader that downloaded and ran the XMRig cryptocurrency miner with a specific configuration

cl.exe – A clipboard hijacker designed to replace cryptocurrency addresses in the clipboard, constructed to cause the victim to transfer cryptocurrency to a threat actor-controlled address instead of the intended address when doing transfers

In some cases the Amadey malware downloads others, including a Go-based malware that the threat hunters say they believe to be the JaskaGo software nasty, which can be configured for both Windows and macOS machines.

"This means that in total, five distinct malware families could be executed just by running the one initial PowerShell script," they wrote.


The ClearFix campaign used a similar strategy. For this one, the attackers used a compromised website with an injection that leads to an iframe overlay. This one displays as a Google Chrome error message that also tells users to open "Windows PowerShell (Admin)" and then paste the sneaky code, eventually leading to the Vidar Stealer being downloaded and executed.

The third campaign, which Proofpoint attributed to TA571, a crew known for the mass spamming of its targets, sent out more than 100,000 phishing emails to thousands of organizations across the globe.

In this one, criminals send emails containing a malicious HTML attachment disguised as a Microsoft Word page. It also shows an error message cautioning that the "Word Online extension is not installed," and then gives them two options: "How to fix" and "Auto-fix."

Clicking "How to fix" copies a Base64-encoded PowerShell command to the computer's clipboard with a message instructing the user to open PowerShell and right-click the console. 

Meanwhile, the "Auto-fix button" uses the search-ms protocol to show a WebDAV-hosted "fix.msi" or "fix.vbs" file.

The MSI file, when executed, installs Matanbuchus, another malware loader, while the VBS file downloads and run the DarkGate attack code.

"Proofpoint assesses with high confidence that TA571 infections can lead to ransomware," the researchers said, noting that this crew is continually modifying its email lures and attack chains.

The security shop also includes examples of indicators of compromise, and advises organizations train employees to spot and report suspicious activity — especially for this type of social engineering attack. ®

More about


Send us news

Other stories you might like