Urgent warning for Google Chrome users after cyberattack targeting browser with fake error messages – here’s how to protect yourself

Security experts have issued a warning to Google Chrome users after uncovering a cyberattack targeting the browser, as well as Microsoft’s Word and OneDrive apps.

The attack used fake error messages to trick users into installing the malware themselves as a “fix”.

Hackers send email notifications as well as website pop-ups claiming that the user has experienced a software malfunction and needs a quick update.

To spot a fake, experts advised users to be wary of messages claiming a fix would require them to install a “master certificate” by copying and pasting raw code.

While the cyberattack is capable of stealing any kind of private digital data, some of the new malware appears to be poised to steal cryptocurrencies such as Bitcoin.

Hackers have a new tactic to get malware into your computer – fake updates to Google’s Chrome browser, as well as Microsoft’s Word and OneDrive products

The new malicious hacking tactic was uncovered by prolific cybersecurity firm Proofpoint, founded in 2002 by Netscape’s former CTO.

The new style of “fake error messages,” they warned, “is clever and pretends to be an authoritative notification coming from the operating system.”

The scheme involves seemingly official prompts from those tech giants, Google and Microsoft, prompting users to open what’s known as a “command-line shell,” specifically Microsoft’s version of a command-line tool for Windows, PowerShell.

Command-line tools, including Windows PowerShell, are programs intended for more experienced users, who type commands and run code directly on their own computer.

Hackers’ fake error messages encourage unwitting users to copy and paste raw code and then install it as a “fix” by running or “executing” that code in PowerShell.

Cybersecurity experts have only seen these hackers deploy this specific “fake patch” scheme via PowerShell, so Apple iOS users should be able to rest easy for now.

The scheme involves seemingly official prompts – like the one pictured above – that prompt users to open what’s known as a “command-line wrapper”, a form of software that allows more experienced programmers to program their computer more directly and install patch code.

“This attack chain requires significant user interaction to be successful,” the company notes in its PowerShell-based cyberthreat advisory.

“It also provides both the problem and the solution,” they noted, “so that the viewer can take immediate action without pausing to consider the risk.”

Any person or prompt that tells you to run raw code in a terminal or shell should be treated with caution and extreme skepticism, they said.

In all cases, these hackers created their fake error messages through flaws or vulnerabilities inherent in the use of JavaScript in HTML email attachments or through completely compromised websites online.

While the fake error overlays for Google Chrome, Microsoft Word and OneDrive have been documented, Proofpoint researchers warned that this basic form of hacking could impersonate other trusted software update requests in the future.

In all cases, cyber security experts explained, the hackers created their fake error messages through loopholes or vulnerabilities using JavaScript in HTML email attachments or through compromised websites. Above is an example of fake messages, this time disguised as an MS Word prompt.

Although the fake error overlays for Google Chrome, Microsoft Word and OneDrive (the example pictured above) have now been documented, Proofpoint researchers warned that this basic form of hacking could impersonate other trusted software update requests in the future.

Two interesting pieces of malware have provided insight into the hackers’ intentions, according to Proofpoint.

One called “ma.exe” downloaded and launched a cryptocurrency mining program called XMRig with a specific configuration. The second, “cl.exe”, was designed to replace cryptocurrency addresses held in the user’s clipboard, the buffer used for “cut and paste”.

Essentially, this second malware aimed to cause unsuspecting victims to inadvertently “transfer cryptocurrency to a threat-controlled address instead of the intended address when making transfers,” the Proofpoint team said.

If the user copies and pastes a cryptocurrency wallet address to send their digital money, this malware will silently replace that copied address with its own fake wallet address.

When the hack is successful, the user doesn’t notice the switch and simply sends the cryptocurrency to the hacker’s anonymous wallet.
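A defender can look for the swap itself. The sketch below is an added example, not code from the article or from Proofpoint: it scans a clipboard history for one wallet address being replaced by a different address of the same family faster than a person could copy twice. It goes beyond Bitcoin by also covering Ethereum-style addresses; the event format, the one-second threshold and all sample values are assumptions.

```python
import re

# Address shapes a clipboard hijacker must recognise to swap like for like.
ADDRESS_KINDS = {
    "btc-legacy": re.compile(r"[13][1-9A-HJ-NP-Za-km-z]{25,34}"),
    "btc-bech32": re.compile(r"bc1[02-9ac-hj-np-z]{11,71}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}


def address_kind(text):
    """Return the address family the clipboard text matches, or None."""
    for kind, pattern in ADDRESS_KINDS.items():
        if pattern.fullmatch(text.strip()):
            return kind
    return None


def find_swaps(events, max_gap=1.0):
    """events: (timestamp_seconds, clipboard_text) tuples, oldest first.

    Flags an address replaced by a different address of the same family
    within max_gap seconds, which is faster than a person copies twice.
    """
    alerts = []
    for (t0, before), (t1, after) in zip(events, events[1:]):
        kind = address_kind(before)
        same_family = kind is not None and kind == address_kind(after)
        if same_family and before.strip() != after.strip() and t1 - t0 <= max_gap:
            alerts.append({"time": t1, "kind": kind,
                           "copied": before.strip(), "now": after.strip()})
    return alerts


# Constructed sample data: filler strings of the right shape, not real wallets.
COPIED = "1" + "A" * 33
SWAPPED = "1" + "Z" * 33
SAMPLE_EVENTS = [
    (0.0, "invoice 4471"),
    (12.40, COPIED),               # user copies the payee address
    (12.45, SWAPPED),              # replaced 50 ms later: flagged
    (60.0, "bc1q" + "a" * 38),
    (95.0, "bc1q" + "c" * 38),     # 35 s later: an ordinary second copy
    (120.0, "0x" + "ab" * 20),
    (120.2, "0x" + "ab" * 20),     # same value re-copied: not a swap
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE_EVENTS):
        print(alert)
```

The same comparison works at payment time: if the address in the send form does not match the one the user copied from the invoice, stop before confirming.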

In April, security experts saw this new method being used alongside the ClearFake hacking tool cluster, which targeted Apple users last November with what was described as a “one-hit smash-and-grab” virus. The new hacks appear to be aimed at stealing users’ cryptocurrencies.

The hacker’s malicious PowerShell script acts as a so-called Trojan horse that allows even more malicious code to be downloaded onto the victim’s system.

It is reported to first perform various diagnostics to confirm that the host device is a valid target.

As a key test, one of the malicious PowerShell scripts will obtain system temperatures from the victim’s computer to detect whether the malware is running on a real computer or on a so-called “sandbox”—an enclosed virtual computer used to process and analyze potentially dangerous software.

If no temperature data was returned to the malware, this fact was interpreted as a signal revealing that the hacker’s code was actually running in a virtual or sandboxed environment.

The malware will then exit and terminate its operation, protecting the hackers’ later and more detailed malicious code from being caught in the sandbox for expert exploration.
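The temperature check leaves a trace defenders can search for in PowerShell script logging. The following is an added example, not code from the article or from Proofpoint: it groups logged script blocks by session and separates a temperature query followed by a fetch of more code from a query with nothing after it. The WMI class names, the record shape, the host names and the sample lines are assumptions, since the article does not say how the script reads temperatures.

```python
import re

# Assumed indicators: the page says the script reads system temperatures but
# does not name the query. These are the standard Windows WMI temperature classes.
TEMP_QUERY = re.compile(r"MSAcpi_ThermalZoneTemperature|Win32_TemperatureProbe", re.I)
# PowerShell cmdlets, aliases and .NET methods commonly used to fetch or run more code.
FETCH_OR_RUN = re.compile(
    r"\b(Invoke-WebRequest|Invoke-RestMethod|Invoke-Expression|iwr|irm|iex"
    r"|DownloadString|DownloadFile|Start-BitsTransfer)\b", re.I)


def triage(records):
    """records: dicts with host, pid, seq and text, one per logged script block.

    Returns {(host, pid): verdict} for every session that read temperatures.
    """
    sessions = {}
    for rec in sorted(records, key=lambda r: r["seq"]):
        sessions.setdefault((rec["host"], rec["pid"]), []).append(rec["text"])
    verdicts = {}
    for key, blocks in sessions.items():
        probe = next((i for i, b in enumerate(blocks) if TEMP_QUERY.search(b)), None)
        if probe is None:
            continue  # ordinary PowerShell use, including plain downloads
        # The check gates what follows, so only look at the probe block onward.
        fetched = any(FETCH_OR_RUN.search(b) for b in blocks[probe:])
        verdicts[key] = "probe-then-fetch" if fetched else "probe-only"
    return verdicts


# Constructed records in a simplified shape (not the Windows event schema).
PROBE = "$t = Get-CimInstance -Namespace root/wmi -ClassName MSAcpi_ThermalZoneTemperature"
SAMPLE_RECORDS = [
    {"host": "WS-014", "pid": 4312, "seq": 1, "text": PROBE},
    {"host": "WS-014", "pid": 4312, "seq": 2,
     "text": "Invoke-WebRequest -Uri https://example.invalid/next"},
    {"host": "VM-LAB", "pid": 880, "seq": 3, "text": PROBE},
    {"host": "WS-020", "pid": 77, "seq": 4,
     "text": "Invoke-WebRequest -Uri https://example.invalid/report.csv"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS))
```

A "probe-then-fetch" session on a user workstation is the one to investigate first. "probe-only" is what an analysis VM would log when the script exits, though hardware-monitoring tools can produce it too.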

The Proofpoint team advised users to exercise caution when copying and pasting code or other text from website prompts or alerts purporting to come from trusted software applications.

“Antivirus software and EDR [Endpoint Detection and Response monitoring software],” they said, “have trouble validating the contents of the clipboard.”

The cybersecurity firm also urged businesses to conduct training on the matter and focus on “detection and blocking” that would prevent these and similar “fake patch” prompts from appearing in the first place.
