Urgent warning for Google Chrome users after cyber attack targets browser with fake error messages – here’s how to protect yourself

Security experts have issued a warning to Google Chrome users after discovering a cyber attack targeting the browser, as well as Microsoft Word and OneDrive applications.

The attack used fake error messages to trick users into installing the malicious software themselves as a “fix”.

Hackers send alerts via email as well as website pop-ups claiming that the user has experienced a software malfunction and needs a quick update.

To spot a fake, experts advised users to beware of messages claiming that the fix will require installing a “root certificate” by copying and pasting the raw code.

While cyberattacks are capable of stealing all kinds of private digital data, some of the new malware appears to be geared toward stealing cryptocurrencies like Bitcoin.

Hackers have a new tactic to sneak malware onto your computer – fake updates to Google’s Chrome browser, as well as Microsoft Word and OneDrive.

The prolific cyber security firm Proofpoint, founded in 2002 by Netscape’s former chief technology officer, has revealed a new insidious hacking tactic.

The new style of “fake error messages,” they warned, “is clever and pretends to be an authoritative notification coming from the operating system.”

The scheme involves seemingly official prompts from these tech giants, Google and Microsoft, asking users to open what’s known as a “command prompt,” specifically PowerShell, Microsoft’s command-line tool for Windows.

Command-line tools, including Windows PowerShell, are programs designed to let more experienced coders control and program their own computer directly.

The hackers’ fake error messages encourage unwitting users to copy and paste raw code and then install it as a “fix” by running that code in PowerShell.

Cybersecurity experts have seen these hackers deploy this specific “fake patch” scheme via PowerShell, so Apple iOS users should rest easy for now.

The scheme involves seemingly official prompts — like the one pictured above — asking users to open what’s known as a “command prompt,” a form of software that allows more experienced coders to program their computer more directly and install a code patch.

“This attack chain requires significant user interaction to be successful,” the company noted in its PowerShell-based cyberthreat bulletin.

“It also provides both a problem and a solution,” they noted, “so the viewer can act quickly without dwelling on the risk.”

Any person or prompt that tells you to run raw code in a terminal or shell should be treated with caution and extreme skepticism, they said.

In all cases, these hackers created their fake error messages through flaws or vulnerabilities associated with the use of JavaScript in HTML email attachments or through completely compromised websites online.

While fake error messages imitating Google Chrome, Microsoft Word and OneDrive have been documented, Proofpoint investigators warned that this basic form of hack could produce more credible software update requests in the future.

According to Proofpoint, two interesting pieces of malware hinted at the hackers’ intentions.

One called ‘ma.exe’ downloaded and ran a cryptocurrency mining program called XMRig with a specific configuration. The second, ‘cl.exe’, was cleverly designed to ‘cut and paste’ cryptocurrency addresses into the user’s clipboard.

Essentially, this second malware program was intended to cause unsuspecting victims to accidentally “transfer cryptocurrency to an address controlled by the threat actor instead of the intended address” when making transfers, the Proofpoint team said.

If a user were to copy and paste the address of a cryptocurrency wallet to send their digital money to, this malware would silently replace the copied address with the hacker’s own wallet address.

When the hack is successful, the user does not notice the switch and simply sends the cryptocurrency to the hacker’s anonymous wallet.

In April, security experts saw this new method being used alongside the ClearFake hacking tool cluster that targeted Apple users last November with what was described as a “smash-and-grab” virus.

The hacker’s malicious PowerShell script acts as a so-called Trojan horse that allows even more malicious code to be downloaded onto the victim’s system.

First, it supposedly performs various diagnostics to confirm that the host device is a valid target.

As a key test, one of the malicious PowerShell scripts would obtain system temperatures from the victim’s computer to determine whether the malware is running on a real computer or in a so-called “sandbox” — a walled-off virtual machine used to process and analyze potentially dangerous software.

If no temperature data was returned to the malware, this was interpreted as a sign that the hacker’s code was actually running in a virtual environment or sandbox.

The malware would then exit and cease its activity, protecting the hackers’ later and more detailed malicious code from being caught in the sandbox for study by experts.

The Proofpoint team advised users to exercise caution when copying and pasting code or other text from website prompts or alerts purporting to come from trusted software applications.

“Antivirus software and EDR [Endpoint Detection and Response monitoring software],” they said, “are having trouble checking the contents of the mailbox.”

The cyber security firm also urged businesses to conduct training on the issue and focus on “detection and blocking” to prevent these and similar “fake patch” calls from appearing in the first place.
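
One way a mail or web gateway could act on the “detection and blocking” advice, shown as an added example that is not from Proofpoint or the original article: it separates script from visible text in an HTML document and looks for the lure traits described above. The patterns, function names and sample documents are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Traits named in the article: script-driven copy, "paste into PowerShell", "root certificate".
CLIPBOARD_WRITE = re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]", re.I)
SHELL_WORDS = re.compile(r"\bpowershell\b|\bcommand prompt\b|\bterminal\b", re.I)
PASTE_WORDS = re.compile(r"\bpaste\b", re.I)
ROOT_CERT = re.compile(r"\broot certificate\b", re.I)

class Splitter(HTMLParser):
    """Separate script (tags and inline on* handlers) from the text a reader sees."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts, self.visible = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
        self.scripts += [v for k, v in attrs if k.startswith("on") and v]
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.scripts if self.in_script else self.visible).append(data)

def lure_findings(html):
    """Return the lure traits found in one HTML document, in a fixed order."""
    parser = Splitter()
    parser.feed(html)
    script, text = " ".join(parser.scripts), " ".join(parser.visible)
    findings = []
    if CLIPBOARD_WRITE.search(script):
        findings.append("script writes to clipboard")
    if SHELL_WORDS.search(text) and PASTE_WORDS.search(text):
        findings.append("tells reader to paste into a shell")
    if ROOT_CERT.search(text):
        findings.append("root certificate pretext")
    return findings

def is_probable_lure(html):
    """Flag only when script fills the clipboard AND the text says to paste it into a shell."""
    found = lure_findings(html)
    return found[:2] == ["script writes to clipboard", "tells reader to paste into a shell"]

# Constructed samples, not taken from any real campaign; the copied string is a placeholder.
SAMPLE_LURE = """<h1>Something went wrong while displaying this page</h1>
<p>To fix it, install the root certificate: click Copy fix, open PowerShell and paste.</p>
<button onclick="navigator.clipboard.writeText('Write-Output placeholder')">Copy fix</button>"""
SAMPLE_BENIGN = """<p>Docs: open PowerShell and paste the command below.</p>
<pre>Get-Date</pre><script>console.log('page loaded')</script>"""
```

A legitimate documentation page with its own copy button would also match, so a hit is a reason to quarantine the message for review rather than proof of an attack.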
