Tuesday, June 25, 2024

Beware of Fake Browser Updates That Deliver Bitrat & Lumma Stealer

eSentire’s Threat Response Unit (TRU) uncovered a sophisticated malware campaign involving fake browser updates.

This campaign has been responsible for delivering two dangerous malware variants: BitRAT and Lumma Stealer.

The attackers use fake update mechanisms to trick users into downloading malicious files, leading to severe security breaches.

eSentire’s TRU detected an instance of fake updates delivering BitRAT and Lumma Stealer. This method of attack has become increasingly common, with fake browser updates being a popular lure among cybercriminals.

Infection Chain

The infection chain begins when a user visits an infected webpage containing injected malicious JavaScript code.

This code redirects the user to a phony update page.

Injected malicious JavaScript code

The malicious JavaScript code is hidden within the webpage and only activates if the HTTP referrer matches the original malicious web page.

Redirect the site hidden within the JavaScript

The fake update page, hosted on the chatgpt-app[.]cloud site, contains a download link to a ZIP archive called ‘Update.zip’.

This archive is automatically downloaded onto the victim’s device and is hosted on Discord’s Content Distribution Network (CDN).

Download of Update.zip from Discord’s CDN

The Payload Delivery

The ZIP archive contains a JavaScript file (Update.js) that acts as an initial downloader to retrieve the payloads once executed by the victim.

Several PowerShell scripts within the archive are responsible for downloading and executing the next stage loader and payloads from a known BitRAT Command-and-Control (C2) address.

PowerShell script retrieving payload file

The attack involves multiple files, each serving different purposes:

  • s.png – Loader + Lumma Stealer payload
  • z.png – PowerShell script that creates a Run key for persistence + downloads Loader + BitRAT payload
  • a.png – Loader + BitRAT payload
  • 0x.png – BitRAT persistence file that redownloads a.png and executes it

The PowerShell script bypasses AMSI, renames the payload 0x.png to 0x.log, hides it in the C:\Users\Public directory, and sets it to run at startup by modifying the Registry Run Key.

z.png retrieving 0x.png and a.png

The 0x.log (0x.png) payload contains an additional PowerShell script which acts as a persistence mechanism for the BitRAT payload file, a.png.

The 0x.log file downloads a.png and executes it.
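The persistence pattern described above (a PowerShell script renamed to a .log file, hidden under C:\Users\Public and launched from a Run key) can be hunted for on an endpoint. The following script is an added example written for this article, not code from eSentire’s report or from the campaign; the registry paths and the string markers it searches for are assumptions chosen to fit the behaviour described, and every hit should be reviewed by hand.

```powershell
# Added hunting example (not from the report). Run in an elevated PowerShell
# session so the HKLM hives are readable.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties PowerShell attaches to every registry object; they are not values.
$metaProps = 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider'

function Test-SuspiciousRunCommand {
    param([string]$Command)
    # Either trait alone deserves a look; both together match this campaign:
    # content staged in the world-writable Public folder, or a .log file
    # being handed to powershell.exe as if it were a script.
    $stagedInPublic = $Command -match '(?i)\\Users\\Public\\'
    $logFedToPwsh   = $Command -match '(?i)powershell[^\r\n]*\.log\b'
    return ($stagedInPublic -or $logFedToPwsh)
}

# 1. Run-key values that launch content from C:\Users\Public or feed a .log
#    file to PowerShell (the 0x.log persistence entry described above).
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key
    foreach ($prop in $entry.PSObject.Properties) {
        if ($metaProps -contains $prop.Name) { continue }
        $cmd = [string]$prop.Value
        if (Test-SuspiciousRunCommand $cmd) {
            [pscustomobject]@{ Source = $key; Name = $prop.Name; Value = $cmd }
        }
    }
}

# 2. .log files under C:\Users\Public (hidden ones included, hence -Force)
#    whose contents look like PowerShell rather than log text. The marker
#    list is an assumed set of strings common to downloader/AMSI-bypass scripts.
$scriptMarkers = 'Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|FromBase64String|AmsiUtils'
Get-ChildItem -Path 'C:\Users\Public' -Filter '*.log' -File -Force -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hit = Select-String -Path $_.FullName -Pattern $scriptMarkers -List -ErrorAction SilentlyContinue
        if ($hit) {
            [pscustomobject]@{ Source = 'File'; Name = $_.FullName; Value = $hit.Line.Trim() }
        }
    }
```

Hits are emitted as objects, so the output can be piped to Export-Csv or compared across a fleet; a legitimate Run entry pointing into C:\Users\Public is rare enough that each one is worth explaining.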

The Loader

The loader mechanism in the payload files a.png and s.png is almost identical, with the only difference being the hash itself.

The loader is a .NET portable executable (PE) file, obfuscated using Crypto Obfuscator (5.x).

It loads the decrypted payload binary from the file’s PowerShell script and injects it into RegSvcs.exe.

Simplified version of a.png showing the AMSI bypass and loading

BitRAT Capabilities

BitRAT is a feature-rich remote access tool with capabilities such as:

  • Two modes of connections (direct reverse connection and Tor connection)
  • UAC exploit for elevated privileges
  • Process protection
  • Ability to manage over 10,000 clients efficiently
  • Remote browser feature supporting Chrome
  • Password recovery for various applications
  • XMR miner for cryptocurrency mining
  • Reverse proxy using SOCKS4 mode
  • Remote desktop access
  • Webcam live feed
  • File manager with zip compression
  • Keylogger functions
  • Audio live feed
  • SOCKS5 proxy support

The BitRAT sample analyzed was UPX-packed and contained an encrypted configuration.

The decryption routine involves several steps, ultimately using the first 16 characters from an MD5 hash as the key for the Camellia decryption routine.

Lumma Stealer

Lumma Stealer, also known as LummaC2 Stealer, is an information-stealing malware written in C.

It targets cryptocurrency wallets, 2FA browser extensions, and other sensitive data on victims’ machines.

The stolen data is sent to a C2 server via HTTP POST requests with the user agent beginning with “Mozilla/5.0”.

Notable strings in Lumma Stealer Payload

The use of fake updates to deliver a variety of malware demonstrates the operator’s ability to leverage trusted names to maximize reach and impact.

The .NET loader being the same in both payload files shows the likelihood of the fake update loader being a malware delivery service.

The malware payload is likely interchangeable, and various types will be loaded in similar incidents in the future.

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.