Fraudulent Windows Prompt Targets Domain Credentials

Threat actors are using a PowerShell script recently posted on GitHub to generate fake Windows credential prompts that attempt to steal domain credentials. If a user enters credentials, the script attempts to validate them against the victim's domain and, if they are valid, transmits the username and password to a remote server. If the credentials fail validation, the script re-displays the prompt indefinitely until the process is manually terminated; users can close it by opening Task Manager and ending the "Windows PowerShell" process. Researchers warn that the script can be altered to display more convincing titles; however, the prompt will still display the blue ribbon and the image of a set of keys. The NJCCIC strongly recommends educating end users about this and similar threats and reminding them to be wary of unexpected prompts requesting account credentials.
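The following PowerShell is an added example, not code from the advisory or from the GitHub script it describes. It shows two defensive checks a practitioner would want: ending the looping prompt from a second PowerShell window instead of Task Manager, and hunting script block logs (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, which requires script block logging to be enabled by policy) for the combination of a credential prompt, a domain check and an outbound web call. The indicator strings are assumptions about what such a script would plausibly contain, not patterns taken from the actual script.

```powershell
# Added example (not from the original advisory or the GitHub script).
# Part 1: end the looping prompt. The dialog belongs to a Windows PowerShell
# (powershell.exe) process; from a second PowerShell window, stop every
# powershell.exe process other than the one you are typing in.
Get-Process -Name powershell -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne $PID } |
    Stop-Process -Force

# Part 2: hunt script block logs for the prompt-validate-exfiltrate pattern.
# Requires script block logging (Event ID 4104) and an elevated session.
# Indicator strings are assumptions about a likely implementation:
#   Get-Credential        -> produces the Windows credential dialog
#   ValidateCredentials   -> System.DirectoryServices.AccountManagement domain check
#   web client cmdlets    -> sending the captured credentials to a remote server
$indicators = @(
    'Get-Credential',
    'ValidateCredentials',
    'Invoke-WebRequest',
    'Invoke-RestMethod',
    'Net.WebClient'
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # For a 4104 event, Properties[2] holds the logged script block text.
    $block = [string]$e.Properties[2].Value
    $hits  = @($indicators | Where-Object { $block -match [regex]::Escape($_) })

    # A credential prompt on its own is normal administrative activity; a prompt
    # together with a domain validation call or a web call is what to triage.
    if ($hits -contains 'Get-Credential' -and $hits.Count -ge 2) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            ProcessId  = $e.ProcessId
            Indicators = ($hits -join ', ')
            Snippet    = $block.Substring(0, [Math]::Min(200, $block.Length))
        }
    }
}
```

Part 1 is deliberately blunt: it kills every other Windows PowerShell process on the host, which is acceptable on an end-user workstation but should be narrowed by process ID on a server. Part 2 reports one row per suspicious script block; a legitimate administrator prompting for credentials and then calling a REST API will also match, so treat the output as a triage list rather than a verdict.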