In recent times, it’s been observed that fake malware-loaded browser updates are gaining rapid growth in the threat landscape.
Rapid7 researchers recently identified a Fake Browser Update lure that tricks users into running malicious binaries, using a new loader to deploy the following info stealers on compromised systems:-
- StealC
- Lumma
- Amadey
Rapid7 discovered the IDAT loader in July 2023, initially disguised as a 7-zip installer for SecTop RAT. It’s now distributing the above-mentioned info stealers using the following evasion methods:-
- Process Doppelganging
- DLL Search Order Hijacking
- Heaven’s Gate
However, besides this, the name of the IDAT loader comes from reserving the payload in the IDAT piece of PNG files. Before this technique, threat actors used malicious JavaScript files to connect to C2 servers or deploy the Net Support RAT.
Attack Flow
Threat actors strive to evade detection and prevent security research in their attack strategies. To do so, they always stage their in different stages or segments to make it more complex.
Attack Stages
Here below, we have mentioned all the attack stages:-
Stage 1 – ClearFake: ClearFake is a recently discovered malware linked to an IDAT loader distribution starting on July 19, 2023. It’s less sophisticated than SocGolish, using base64 for obfuscation.
Notably, it doesn’t track visits by IP or cookies, allowing repeated access from the same IP without clearing the cache.
The prompt masquerades as a genuine browser update and redirects the user to download a binary named ChromeSetup.exe, previously used in SocGholish attacks and now by Clearfake.
Stage 2 – MSI Downloader: ChromeSetup.exe downloads an MSI package that writes legitimate files, a malicious DLL, and an encrypted log file decrypted by the malicious DLL. Another attack version drops legitimate files and uses a different encrypted log file.
Stage 3 – Decryptor: The legitimate VMWareHostOpen.exe employs DLL Search Order Hijacking to load the malicious vmtools.dll from the same directory. This DLL uses XOR encryption, extracts data from vmo.log, and decompresses it using LZNT1. It then loads mshtml.dll and executes the decompressed code.
Stage 4 – IDAT Injector: IDAT loader uses dynamic imports and expands environment variables to create folders for copied files. It employs the Heaven’s Gate evasion technique, allowing a 32-bit process to run in a 64-bit process. It also sets environment variables and injects code into cmd.exe using NtCreateSection + NtMapViewOfSection Code Injection.
Stage 5 – IDAT Loader: The injected loader code uses Heaven’s Gate evasion, decrypts configuration data, deletes vmtools.dll, and injects the infostealer using Process Doppelganging. The payload injected is identified as Lumma Stealer, and the malware delays execution with NtDelayExecution.
The IDAT Loader is one of the latest and most sophisticated loaders actively used by threat actors to execute InfoStealers and RATs.
It’s packaged into DLLs loaded by legitimate programs like VMWarehost, Python, and Windows Defender in the Fake Update campaign.
IOCs
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.