Criminals are targeting thousands of organizations worldwide with social engineering attacks that use fake error messages to trick users into running malicious PowerShell scripts.

This new Windows malware campaign uses bogus error messages from Google Chrome, Microsoft Word, and OneDrive that appear legitimate. When victims visit a compromised website, they encounter a pop-up error message in their browser. This tactic, although old, remains highly effective. It's crucial to be aware of this trick to prevent others from falling for it.

Victims are instructed to click a "fix" button and paste the displayed code into a PowerShell terminal or Windows Run dialog box. This action allows PowerShell to execute another remote script that downloads and installs malware on the victim's computer.

Proofpoint malware researchers have identified at least two criminal groups using this method. One of these groups is likely using it to spread ransomware.

"Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk," stated Tommy Madjar, Dusty Miller, and Selena Larson in a recent report.

Proofpoint discovered a group named TA571 employing this PowerShell technique as early as March 1, and another gang behind the ClearFake malware campaign has been using it since early April. Both groups were still active in early June, and a third campaign, dubbed ClearFix, has been testing it out since at least May.

In these attacks, users visit a compromised website that loads a malicious script hosted on the blockchain via Binance's Smart Chain contracts, known as EtherHiding. This script then triggers a fake warning box in the browser, prompting the victim to install a "root certificate" to fix a fictitious problem.

The warning message includes instructions to copy a PowerShell script and run it manually. This script flushes the DNS cache, clears the clipboard, displays a decoy message, and then downloads and executes a remote PowerShell script.

The remote script conducts Windows Management Instrumentation checks and then deploys Lumma Stealer malware, which downloads three payloads:

am.exe – Amadey Loader

ma.exe – A downloader that installs the XMRig cryptocurrency miner with a specific configuration

cl.exe – A clipboard hijacker that replaces cryptocurrency addresses in the clipboard to redirect funds to the threat actor's address during transactions

In some cases, the Amadey malware also downloads additional malware, including a Go-based threat believed to be JaskaGo, which can target both Windows and macOS systems.

"This means that in total, five distinct malware families could be executed just by running the one initial PowerShell script," the researchers noted.

The ClearFix campaign used a similar tactic. Attackers employed a compromised website with an iframe overlay, displaying a Google Chrome error message instructing users to open "Windows PowerShell (Admin)" and paste malicious code, ultimately leading to the Vidar Stealer being downloaded and executed.

In another campaign attributed to TA571, the group sent out over 100,000 phishing emails to thousands of organizations globally. These emails contained a malicious HTML attachment disguised as a Microsoft Word page, displaying an error message about the "Word Online extension not being installed," and offering two options: "How to fix" and "Auto-fix."

Clicking "How to fix" copies a Base64-encoded PowerShell command to the clipboard, instructing the user to open PowerShell and paste the command. The "Auto-fix" button uses the search-ms protocol to display a WebDAV-hosted "fix.msi" or "fix.vbs" file.

Executing the MSI file installs Matanbuchus, another malware loader, while the VBS file downloads and runs the DarkGate attack code.

"Proofpoint assesses with high confidence that TA571 infections can lead to ransomware," the researchers said, noting that this group continually modifies its email lures and attack chains.

The security firm also provided examples of indicators of compromise and advised organizations to train employees to recognize and report suspicious activity, particularly social engineering attacks of this nature.