Security experts have warned Google Chrome users after discovering a cyberattack targeting the browserlike Microsoft‘s Word and OneDrive apps.
The attack used fake error messages to trick users into installing the malicious software themselves as a ‘solution’.
Hackers send notifications via email and pop-ups on websites, claiming that the user has encountered a software glitch and needs a quick update.
To spot a fake, experts have advised users to be wary of messages claiming that a fix requires them to install a ‘root certificate’ by copying and pasting raw code.
While the cyberattack is capable of stealing all kinds of personal digital data, some of the new malware appears primed for stealing cryptocurrencies, such as bitcoin.
Hackers have a new tactic to sneak malware onto your computer: fake updates for Google’s Chrome browser, as well as Microsoft’s Word and OneDrive products
The malicious new hacking tactic was discovered by prolific cybersecurity company Proofpoint, founded in 2002 by a former Chief Technology Officer of Netscape.
The new style of “fake error messages,” they warned, “is clever and claims to be an authoritative message coming from the operating system.”
The plan includes apparently official directions from these tech giants, Google and Microsoft, asking users to open a so-called “command-line shell,” specifically Microsoft’s version of a command-line utility for Windows, PowerShell.
Command-line tools, including Windows PowerShell, are programs designed for more experienced programmers to directly program the core code of their own computer.
The hackers’ fake error messages encourage unwitting users to copy and paste raw code and then install it as a “fix” by running or “executing” that code in PowerShell.
Cybersecurity experts have only seen these hackers deploy this specific “fake fix” scheme via PowerShell, so Apple iOS users should rest easy for now.
The scheme involves apparently official prompts (as pictured above) asking users to open a so-called ‘command-line shell’, a form of software that allows more experienced programmers to program their computer more directly and install a code ‘fix’. ‘
“This attack chain requires significant user interaction to be successful,” the company noted their advisory post about the PowerShell-based cyber threat.
“It provides both the problem and the solution,” they noted, “so a viewer can quickly take action without thinking about the risk.”
Any person or prompt that tells you to run raw code in a terminal or shell should be treated with caution and extreme skepticism, they said.
In all cases, these hackers have created their fake error messages through flaws or vulnerabilities inherent in the use of JavaScript in HTML email attachments or through completely compromised websites online.
While the overlapping fake Google Chrome, Microsoft Word, and OneDrive flaws have been documented, Proofpoint researchers warned that this basic form of hack could masquerade as other trusted software update requests in the future.
In all cases, cybersecurity experts explained, the hackers created their fake error messages through flaws or vulnerabilities using JavaScript in HTML email attachments or via compromised websites. Above is an example of the fake messages, this time disguised as an MS Word prompt
Although the overlapping fake Google Chrome, Microsoft Word, and OneDrive errors (example pictured above) have now been documented, Proofpoint researchers warned that this basic form of hack could masquerade as other trusted software update requests in the future
According to Proofpoint, two interesting pieces of malicious software provided a clue as to the hackers’ intentions.
One called ‘ma.exe’ downloaded and ran a cryptocurrency mining program called XMRig with a specific configuration. The second, ‘cl.exe’, is cleverly designed to replace cryptocurrency addresses in the user’s ‘cut-and-paste’ clipboard.
Essentially, that second malware program was intended to accidentally cause unsuspecting victims to “transfer cryptocurrency to a threat actor-controlled address instead of the intended address when performing transfers,” according to the Proofpoint team.
If a user were to copy and paste the address of a cryptocurrency wallet to send their digital money, this malware would silently exchange that copied address for the address of its own dummy wallet.
When the hack is successful, the user does not notice the switch and simply sends the cryptocurrency funds to the hacker’s anonymous dummy wallet.
In April, security experts saw this new method in use alongside the ClearFake cluster of hacking tools, which attacked Apple users last November with what was described as a ‘one hit smash-and-grab’ virus. The new hacks appear aimed at stealing users’ cryptocurrencies
In April, security experts saw this new method in use alongside the ClearFake cluster of hacking tools, which attacked Apple users last November with what was described as a ‘one hit smash-and-grab’ virus.
The hacker’s malicious PowerShell script acts as a so-called Trojan that can download even more malicious code onto the victim’s system.
First, it reportedly runs various diagnostics to confirm that the host device is a valid target.
As a key test, one of the malicious PowerShell scripts would obtain the system temperatures of the victim’s computer to detect whether the malware was running on a real computer, or on a so-called ‘sandbox’ – a walled virtual PC used to and potentially analyze dangerous software.
If no temperature data was sent back to the malware, that fact was interpreted as a sign revealing that the hacker’s code was actually running in a virtual environment or sandbox.
The malware would then shut down and abort its operation, protecting the hackers’ later and more detailed malicious code from scrutiny by experts in the sandbox.
The Proofpoint team advised users to be cautious about copying and pasting code or other text from website prompts or from warnings purported to come from trusted software applications.
“Antivirus software and EDRs (Endpoint Detection and Response monitoring software),” they said, “have difficulty inspecting the contents of the clipboard.”
The cybersecurity firm also called on companies to provide training on the subject and focus on ‘detection and blocking’ to prevent these and similar ‘fake fix’ prompts from appearing in the first place.