Tuesday, November 12, 2024
HomeCyber Security NewsBeware of Fake Browser Updates that Install Malware on Systems

Beware of Fake Browser Updates that Install Malware on Systems

Published on

Malware protection

In recent times, it’s been observed that fake malware-loaded browser updates are gaining rapid growth in the threat landscape.

Rapid7 researchers recently identified a Fake Browser Update lure that tricks users into running malicious binaries, using a new loader to deploy the following info stealers on compromised systems:-

  • StealC
  • Lumma 
  • Amadey

Rapid7 discovered the IDAT loader in July 2023, initially disguised as a 7-zip installer for SecTop RAT. It’s now distributing the above-mentioned info stealers using the following evasion methods:-

- Advertisement - SIEM as a Service
  • Process Doppelganging
  • DLL Search Order Hijacking
  • Heaven’s Gate

However, besides this, the name of the IDAT loader comes from reserving the payload in the IDAT piece of PNG files. Before this technique, threat actors used malicious JavaScript files to connect to C2 servers or deploy the Net Support RAT.

Attack Flow

Threat actors strive to evade detection and prevent security research in their attack strategies. To do so, they always stage their in different stages or segments to make it more complex.

Fake Browser Updates
Attack flow (Source – Rapid7)

Attack Stages

Here below, we have mentioned all the attack stages:-

Stage 1 – ClearFake: ClearFake is a recently discovered malware linked to an IDAT loader distribution starting on July 19, 2023. It’s less sophisticated than SocGolish, using base64 for obfuscation. 

Notably, it doesn’t track visits by IP or cookies, allowing repeated access from the same IP without clearing the cache.

The prompt masquerades as a genuine browser update and redirects the user to download a binary named ChromeSetup.exe, previously used in SocGholish attacks and now by Clearfake.

Fake Browser Updates
Prompting the User to Update their Browser (Source – Rapid7)

Stage 2 – MSI Downloader: ChromeSetup.exe downloads an MSI package that writes legitimate files, a malicious DLL, and an encrypted log file decrypted by the malicious DLL. Another attack version drops legitimate files and uses a different encrypted log file.

Fake Browser Updates
vmo.log content (Source – Rapid7)

Stage 3 – Decryptor: The legitimate VMWareHostOpen.exe employs DLL Search Order Hijacking to load the malicious vmtools.dll from the same directory. This DLL uses XOR encryption, extracts data from vmo.log, and decompresses it using LZNT1. It then loads mshtml.dll and executes the decompressed code.

Stage 4 – IDAT Injector: IDAT loader uses dynamic imports and expands environment variables to create folders for copied files. It employs the Heaven’s Gate evasion technique, allowing a 32-bit process to run in a 64-bit process. It also sets environment variables and injects code into cmd.exe using NtCreateSection + NtMapViewOfSection Code Injection.

Stage 5 – IDAT Loader: The injected loader code uses Heaven’s Gate evasion, decrypts configuration data, deletes vmtools.dll, and injects the infostealer using Process Doppelganging. The payload injected is identified as Lumma Stealer, and the malware delays execution with NtDelayExecution.

The IDAT Loader is one of the latest and most sophisticated loaders actively used by threat actors to execute InfoStealers and RATs. 

It’s packaged into DLLs loaded by legitimate programs like VMWarehost, Python, and Windows Defender in the Fake Update campaign.

IOCs

Fake Browser Updates
IOCs (Source – Rapid7)

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

VMware Workstation & Fusion Now Available for Free to All Users

VMware has announced that its popular desktop hypervisor products, VMware Workstation and VMware Fusion,...

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...

10 Best DNS Management Tools – 2025

Best DNS Management Tools play a crucial role in efficiently managing domain names and...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

VMware Workstation & Fusion Now Available for Free to All Users

VMware has announced that its popular desktop hypervisor products, VMware Workstation and VMware Fusion,...

Dell Enterprise SONiC Flaw Let Attackers Hijack the System

Dell Technologies has disclosed multiple critical security vulnerabilities in its Enterprise SONiC OS, which...

Amazon Confirms Employee Data Breach Via Third-party Vendor

Amazon has confirmed that sensitive employee data was exposed due to a breach at...