Hackers are putting a modern twist on the old phishing scam, using a fake error message to trick victims into running a malicious command that compromises their own computers.
Cybersecurity researchers at Trellix Advanced Research Center have revealed how they recently observed a new campaign targeting Microsoft OneDrive users.
In the campaign, victims receive an email with an HTML attachment, usually named "Reports.pdf" so that it passes for an important work-related document. When the victim opens it, the browser displays a page styled to look like Microsoft OneDrive, with an error message saying the device could not connect and that the error must be fixed manually.
Social engineering tactics
The message reads: “Could not connect to the cloud service ‘OneDrive’. To fix the error, you must refresh the DNS cache manually.” Below it are two buttons, “Details” and “How to fix the problem.” The “Details” button opens a legitimate Microsoft Learn page on troubleshooting DNS issues, which lends the lure credibility.
The “How to fix the problem” button, however, calls a JavaScript function named GD that is embedded in the HTML file’s script. Instead of fixing anything, it replaces the error with a second set of step-by-step instructions for the victim to follow.
“This campaign relies heavily on social engineering tactics to trick users into running a PowerShell script, thereby compromising their systems,” the researchers explain. “This combination of technical jargon and urgent error messages is a classic social engineering tactic, designed to manipulate user emotions and cause hasty action without careful thought.”
This “hasty action” is opening a Windows PowerShell terminal, pasting in the command the lure has prepared, and running it. Most victims observed so far are located in the United States, South Korea, Germany, India, Ireland, Italy, Norway and the United Kingdom.
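An attachment like the one described above can be triaged automatically at the mail gateway or by an analyst. The following Python script is an added example, not code from the article or from Trellix: it parses an HTML attachment, collects inline scripts and on-click handlers, decodes any base64 string literals found in them, and flags the combination of a clipboard write, a shell command and “open a terminal and paste” instructions. The sample lure and the benign file are constructed for this example; only the function name GD comes from the article, and the embedded command is a harmless placeholder, since the article does not print the real one.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed sample lure. It imitates the structure the article describes
# (fake OneDrive error, two buttons, a JavaScript function named GD that the
# "fix" button calls) but is NOT the real file from the Trellix report. The
# embedded command is a harmless placeholder.
_PLACEHOLDER_CMD = "powershell -w hidden -c ipconfig /flushdns"
SAMPLE_HTML = """<html><body>
<h2>Could not connect to the cloud service 'OneDrive'.</h2>
<p>To fix the error, you must refresh the DNS cache manually.</p>
<button onclick="window.open('https://learn.microsoft.com/')">Details</button>
<button onclick="GD()">How to fix the problem</button>
<script>
function GD() {
  var c = atob("__B64__");
  navigator.clipboard.writeText(c);
  document.body.innerText = "1. Press Win+X and choose Terminal. 2. Press Ctrl+V. 3. Press Enter.";
}
</script></body></html>""".replace("__B64__", base64.b64encode(_PLACEHOLDER_CMD.encode()).decode())

# Constructed benign attachment for comparison.
BENIGN_HTML = """<html><body><p>Quarterly report attached.</p>
<script>document.title = "Report";</script></body></html>"""

# Indicators. The clipboard APIs are the ones a browser page can use to
# pre-load a command for the victim to paste; the shell names and the
# "Win+X / Ctrl+V / Enter" phrasing cover the instructions that follow.
B64_LITERAL_RE = re.compile(r'["\']([A-Za-z0-9+/]{16,}={0,2})["\']')
CLIPBOARD_RE = re.compile(
    r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)|clipboardData\.setData",
    re.I)
SHELL_RE = re.compile(r"powershell|pwsh|cmd\.exe|mshta|wscript", re.I)
RUN_INSTR_RE = re.compile(
    r"win\s*\+\s*[xr]|ctrl\s*\+\s*v|press\s+enter|run\s+as\s+administrator", re.I)


class _Collector(HTMLParser):
    """Collects inline <script> bodies, on* event handlers and visible text."""

    def __init__(self):
        super().__init__()
        self.scripts, self.handlers, self.text = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        for name, value in attrs:
            if name.startswith("on") and value:
                self.handlers.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.scripts if self._in_script else self.text).append(data)


def decode_b64_literals(js):
    """Return the UTF-8 text of every quoted string literal that is valid base64."""
    decoded = []
    for m in B64_LITERAL_RE.finditer(js):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
    return decoded


def triage_html_attachment(html):
    """Score an HTML attachment for the paste-into-PowerShell lure pattern."""
    p = _Collector()
    p.feed(html)
    js = "\n".join(p.scripts + p.handlers)
    visible = " ".join(p.text)
    decoded = decode_b64_literals(js)
    findings = []
    if CLIPBOARD_RE.search(js):
        findings.append("script writes to the clipboard")
    if SHELL_RE.search(js):
        findings.append("script references a shell interpreter in clear text")
    for d in decoded:
        if SHELL_RE.search(d):
            findings.append("base64 literal decodes to a shell command: " + d[:80])
    if RUN_INSTR_RE.search(js + " " + visible):
        findings.append("text instructs the user to open a terminal and paste")
    verdict = "clean" if not findings else ("review" if len(findings) == 1 else "suspicious")
    return {"verdict": verdict, "findings": findings, "decoded": decoded}


if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        print(label, triage_html_attachment(doc))
```

A single indicator (for example a clipboard write on a legitimate “copy link” page) only earns a “review” verdict; it is the combination of clipboard write, a hidden shell command and paste instructions that marks the attachment as suspicious. Base64 decoding matters because the visible script in this kind of lure often contains no recognisable command at all.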
Since Microsoft began blocking Office macros from the internet by default, effectively killing the macro as a delivery vehicle, cybercriminals have been looking for other ways to deliver malware by email, and lures that talk the victim into running the payload themselves are one of the answers.