Fake Chrome Error Tricks Users into Running Malicious Scripts

A new malware distribution campaign uses fake Chrome errors to trick users into running malicious PowerShell “fixes” that install malware.

Previously, ClearFake attacks used website overlays that prompt visitors to install a fake browser update that then installs malware. Threat actors have used JavaScript in HTML attachments and compromised websites in the new attacks, but now the overlays display fake Chrome errors.

These errors prompt the user to click a button to copy a PowerShell “Fix” into the clipboard and then paste and run it in a Run: dialog or PowerShell prompt.

Reports have stipulated that although the attack chain requires significant user interaction to be successful, the social engineering is smart enough to trick someone into thinking the are solving a legitimate issue without considering the risk.

The threat actors behind ClearFake need to use a compromised website that loads the malicious script hosted elsewhere. The script does some checks and then displays a fake Chrome warning stating there is a problem displaying the webpage. The dialog then prompts the user to install a “root certificate” (which is jargon to trick the user) by copying a PowerShell script into the clipboard and running it in a Windows PowerShell console.

Fake Google Chrome error.
Source: Proofpoint

After the PowerShell script is executed, it will perform steps to confirm the device is a valid target. Then, it will download additional malware payloads, outlined below.

  • Flushes the DNS cache.
  • Removes clipboard content.
  • Displays a decoy message.
  • Downloads another remote PowerShell script which checks if it is running on a virtual machine and if not, download information stealing malware.

In all cases, the threat actor take exploit their targets lack of awareness about the risks of executing PowerShell commands on their systems. Be wary of any new prompts and try to avoid sites you do not trust.

Never run any code or scripts unless you know exactly what you are doing and are sure it is from a trusted source.

Similar Posts