Social Engineering and PowerShell Combine in Convincing Phishing Campaigns

An ongoing campaign exploiting social engineering techniques to manipulate users into executing malicious PowerShell scripts has been reported by Proofpoint researchers. This campaign is attributed to the initial access broker TA571 and is also, associated with the ClearFake activity cluster focusing on the fictitious browser update scheme. The attacks, observed as early as March 1, 2024, involve spam emails that deceive users into thinking there is a legitimate issue that requires downloading and running a solution, cleverly presented as a benign intervention. Proofpoint emphasizes the effective lure of these social engineering tactics, noting, "Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk." This method has proven effective over several months with variations to the campaign in April, May, and June, indicating a persistent and adaptive approach by the attackers.

Various implementations of these techniques have been reported, with documents and webpages prompting user interaction. This initial interaction leads to the execution of PowerShell commands. Users are often instructed to enter these commands manually into the Run dialogue box or directly into their PowerShell interface. Proofpoint researchers note the defensive challenges with this technique as "the fact that the victim manually runs the malicious code without any direct association with a file, makes detection for these types of threats difficult." Additional evasion attempts include the use of padding in files to yield different file hashes and to avoid virtual hosts/sandboxes, a PowerShell command using WMI, queried the system temperature to distinguish the host. The PowerShell commands executed initiate a series of malicious activities, including downloading and executing various payloads such as short 1-2 character named executables, the 'DllUnregisterServer' function for DLLs, VBS, MSI, HTA, or zip files. These files set up for the installation and execution of malware like Amadey, DarkGate, NetSupport RAT, clipboard hijackers, XMRig, and Vidar Stealer.

The malware variants dropped by these PowerShell scripts underline the versatility and danger posed by these attacks. The diversity of malware types, ranging from information stealers to cryptocurrency miners, indicates a broad set of objectives that can impact a large pool of individuals and organizations. In an effort to fuel the gathering of desired data and compromised credentials serving as initial access brokers, TA571 has been active since March 2024, casting a wide net with their campaign as many as 100,000 spam messages were observed by Proofpoint to have been distributed to "thousands of organizations globally." While this social engineering campaign has been utilized and iterated by TA571 and the ClearFake activity cluster, which is not attributed to a threat actor, Proofpoint clarifies for attribution the two are "not associated with each other in any other way," only leveraging the same attack technique.