Malware peddlers love this one social engineering trick!

Attackers are increasingly using a clever social engineering technique to get users to install malware, Proofpoint researchers are warning.

social engineering installing malware

The message warns of a problem but also offers a way to fix it (Source: Proofpoint)

Social engineering users to install malware

Getting users to install malware on their computers was always a matter of finding the right lure and bypassing security protections. As the latter get better (and broader) and users’ awareness of attackers’ usual tricks increases, threat actors must adapt their tactics.

One method that is getting increasingly popular is the fake error message, whether displayed by a website or when opening an HTML document delivered as an email attachment.

If the desire or need to see the webpage/document is great, many users will go through the outlined steps to “install the root certificate”, “resolve the issue”, “install the extension”, or “update the DNS cache manually”.

“Although the attack chain requires significant user interaction to be successful, the social engineering is clever enough to present someone with what looks like a real problem and solution simultaneously, which may prompt a user to take action without considering the risk,” the researchers noted.


A typical attack chain (Source: Proofpoint)

Detection is difficult

Various attackers – including an initial access broker and at least one actor using leveraging fake updates – have been using this particular trick since March 2024.

The visual lures and instructions change, but the goal is the same: get the user to run PowerShell and install malware (DarkGate, NetSupport, various information stealers).

“In all cases, both via the fake updates or the HTML attachments, the malicious PowerShell/CMD script is copied to the clipboard via browser-side JavaScript, commonly used on legitimate sites, too,” the researchers explained.

“The legitimate use, and the many ways to store the malicious code, and the fact that the victim manually runs the malicious code without any direct association with a file, makes detection for these types of threats difficult.”

If browsing protections and email filters fail to block these sites and emails, users are the last line of defense. “Organizations should train users to identify the activity and report suspicious activity to their security teams,” Proofpoint advises.

Don't miss