Proofpoint has observed an increase in a technique leveraging unique social engineering that directs users to copy and paste malicious PowerShell scripts to infect their computers with malware.
Threat actors including initial access broker TA571 and at least one fake update activity set are using this method to deliver malware including DarkGate, Matanbuchus, NetSupport, and various information stealers. Whether the initial campaign begins via malspam or delivered via web browser injects, the technique is similar. Users are shown a popup textbox that suggests an error occurred when trying to open the document or webpage, and instructions are provided to copy and paste a malicious script into the PowerShell terminal, or the Windows Run dialog box to eventually run the script via PowerShell.
Read more…
Source: Proofpoint
Related:
- Financial malware more than twice as prevalent as ransomware
June 1, 2017
Three Trojans dominated the financial threat landscape in 2016 and attackers increased their focus on corporate finance departments With all the attention ransomware is getting lately it’s easy to overlook other threats, such as those that target the financial sector and its customers. However, these types of threats are a serious and costly problem for both ...
- Group Behind NSA Dump That Led to WannaCry Opens 0-Day Exploit Subscription
May 30, 2017
Infamous hacking group Shadow Brokers has promised to release more zero-day exploits, such as the one that has made life a misery for some 300,000 people across the world via WannaCry. Now, the group isn’t just after wreaking havoc, but also after making some money, since the releases will be made for a special club ...
- Naked photos and personal info from thousands of plastic surgery patients including dozens of celebrities and 1,500 Britons are published on the dark web
May 30, 2017
Hackers have published naked photos of thousands of plastic surgery patients who had work done at a Lithuanian clinic, it has been reported. Local authorities said more than 25,000 private photos and pieces of personal information from the Kaunas-based Grozio Chirurgija clinics were published on the internet. The leak includes intimate photos and data of more than ...
- Linguistic Analysis Suggests WannaCry Hackers Could be From Southern China
May 29, 2017
It’s been almost four weeks since the outcry of WannaCry ransomware, but the hackers behind the self-spread ransomware threat have not been identified yet. However, two weeks ago researchers at Google, Kaspersky Lab, Intezer and Symantec linked WannaCry to ‘Lazarus Group,’ a state-sponsored hacking group believed to work for the North Korean government. Now, new research from ...
- Fancy Bear Hackers Tainted Dumped Emails with False Data
May 27, 2017
Hackers from Fancy Bear, the espionage hacker group with Russian ties, reportedly snuck false information in the data trove they leaked from the Democratic National Committee during the American elections. According to a report from Citizen Lab, an organization with ties to the University of Toronto, the hackers planted information inside emails belonging to a journalist ...
- EternalRocks spreads seven Windows SMB exploits
May 23, 2017
Someone has stitched together seven of the Windows SMB exploits leaked by the ShadowBrokers, creating a worm that has been spreading through networks since at least the first week of May. Researcher Miroslav Stampar, a member of the Croatian government’s CERT, captured a sample of the worm last Wednesday in a Windows 7 honeypot he runs, ...