Beware: Hackers Are Hiding Malware Within Software Fixes

Tyler Cross
Tyler Cross Senior Writer
Tyler Cross Tyler Cross Senior Writer

If you see an error message while using Google that’s asking you to “install root certificate,” avoid clicking on the pop-up.

Hackers invented a new type of social engineering scheme that sees them deploy a fake error message onto Chrome pages to trick people into sabotaging their own system. They tell you that there’s a problem, and then instruct you to perform a certain fix while providing the download button, all under the guise of an official Google error message.

The trickiest part of this scam is that they closely mirror Google’s design. Any casual user might see the error message and think their Chrome browser is out of date.

If you click the message, these criminals can inject your device with malware, including infostealers, ransomware, cryptojackers, and spyware.

“Users are shown a popup textbox that suggests an error occurred when trying to open a document or webpage, and instructions are provided to copy and paste a malicious script into the PowerShell terminal or the Windows Run dialog box to eventually run the script via PowerShell,” said the Proofpoint researchers.

They also use a tool called Lumma to target crypto wallets and steal general information. After the malware installation, Lumma allows them to steal your session tokens and drain funds from your wallet.

Researchers with Proofpoint first learned about these attacks by studying a threat actor marked TA571. After discovering the threat, they quickly found multiple criminals employing similar methods.

“TA571 continues to modify and update its lures and attack chains while using the PowerShell clipboard technique,” the report said.

“On 28 May 2024, Proofpoint identified a TA571 campaign using HTML attachments that used a different error message. Notably, this campaign included instructions for the victim to click the “Fix” button to “install the root certificate”, which is language that (previous) error messages used.”

Be wary of any error messages that appear while you’re online, even if they look official.

About the Author
Tyler Cross
Tyler Cross
Senior Writer

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.

Leave a Comment