eSentire’s Threat Response Unit (TRU) uncovered a sophisticated malware campaign involving fake browser updates.
This campaign has been responsible for delivering two dangerous malware variants:BitRAT and Lumma Stealer.
The attackers use fake update mechanisms to trick users into downloading malicious files, leading to severe security breaches.
eSentire’s TRU detected an instance of fake updates delivering BitRAT and Lumma Stealer. This method of attack has been increasingly common, with fake browser updates being a popular lure among cybercriminals.
Infection Chain
The infection chain begins when a user visits an infected webpage containing injected malicious JavaScript code.
This code redirects the user to a phony update page.
All-in-One Cybersecurity Platform for MSPs to provide full breach protection with a single tool, Watch a Full Demo
The malicious JavaScript code is hidden within the webpage and only activates if the HTTP referrer matches the original malicious web page.
The fake update page, hosted on the chatgpt-app[.]cloud site, contains a download link to a ZIP archive called ‘Update.zip’.
This archive is automatically downloaded onto the victim’s device and is hosted on Discord’s Content Distribution Network (CDN).
The Payload Delivery
The ZIP archive contains a JavaScript file (Update.js) that acts as an initial downloader to retrieve the payloads once executed by the victim.
Several PowerShell scripts within the archive are responsible for downloading and executing the next stage loader and payloads from a known BitRAT Command-and-Control (C2) address.
The attack involves multiple files, each serving different purposes:
- s.png – Loader + Lumma Stealer payload
- z.png – PowerShell script that creates runkey for persistence + downloads Loader + BitRAT payload
- a.png – Loader + BitRAT payload
- 0x.png – BitRAT persistence file that redownloads a.png and executes it
The PowerShell script bypasses AMSI, renames the payload 0x.png to 0x.log, hides it in the C:\Users\Public directory, and sets it to run at startup by modifying the Registry Run Key.
The 0x.log (0x.png) payload contains an additional PowerShell script which acts as a persistence mechanism for the BitRAT payload file, a.png.
The 0x.log file downloads a.png and executes it.
The Loader
The loader mechanism in the payload files a.png and s.png is almost identical, with the only difference being the hash itself.
The loader is a .NET portable executable (PE) file, obfuscated using Crypto Obfuscator (5.x).
It loads the decrypted payload binary from the files PowerShell script and injects it into RegSvcs.exe.
BitRAT Capabilities
BitRAT is a feature-rich remote access tool with capabilities such as:
- Two modes of connections (direct reverse connection and Tor connection)
- UAC exploit for elevated privileges
- Process protection
- Ability to manage over 10,000 clients efficiently
- Remote browser feature supporting Chrome
- Password recovery for various applications
- XMR miner for cryptocurrency mining
- Reverse proxy using SOCKS4 mode
- Remote desktop access
- Webcam live feed
- File manager with zip compression
- Keylogger functions
- Audio live feed
- SOCKS5 proxy support
The BitRAT sample analyzed was UPX-packed and contained an encrypted configuration.
The decryption routine involves several steps, ultimately using the first 16 characters from an MD5 hash as the key for the Camellia decryption routine.
Lumma Stealer
Lumma Stealer, also known as LummaC2 Stealer, is an information-stealing malware developed in C language.
It targets cryptocurrency wallets, 2FA browser extensions, and other sensitive data on victims’ machines.
The stolen data is sent to a C2 server via HTTP POST requests with the user agent beginning with “Mozilla/5.0”.
The use of fake updates to deliver a variety of malware displays the operator’s ability to leverage trusted names to maximize reach and impact.
The .NET loader being the same in both payload files shows the likelihood of the fake update loader being a malware delivery service.
The malware payload is likely interchangeable, and various types will be loaded in similar incidents in the future.
Get special offers from ANY.RUN Sandbox. Until May 31, get 6 months of free service or extra licenses. Sign up for free.