Hackers are giving the old “phishing with errors” scam a modern twist in a bid to trick victims into downloading dangerous malware onto their PCs.
Cybersecurity researchers from the Trellix Advanced Research Center have revealed how they recently observed a new campaign that targets Microsoft OneDrive users.
In the campaign, the victims get an email address with a .HTML file attached, typically named “Reports.pdf”, in an attempt to trick the victim into thinking it’s an important, work-related document. When the victims open it, they get a window that resembles Microsoft OneDrive, with an error message stating that the device could not connect, and that the error needs to be addressed manually.
Social engineering tactics
“Failed to connect to the ‘OneDrive’ cloud service. To fix the error, you need to update the DNS cache manually.” The message reads. The window also features two buttons: “Details”, and “How to fix.” Clicking the “Details” button redirects the victims to a legitimate page on Microsoft Learn that discusses troubleshooting DNS problems.
The “how to fix” button, though, triggers a function call GD, with a .js script embedded in the .HTML file. It also loads secondary instructions that the victims must follow.
“This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems,” the researchers explain. “This combination of technical jargon and urgent error messages is a classic social engineering tactic, designed to manipulate the user’s emotions and prompt hasty action without careful consideration.”
This “hasty action” includes bringing up the Windows PowerShell terminal and then pasting and executing a malicious command. The majority of the victims seem to be located in the US, South Korea, Germany, India, Ireland, Italy, Norway, and the UK.
Ever since the death of the macro, cybercriminals have been looking for working alternatives to sharing malware via email.
