Saturday, November 23, 2024
HomeCyber AttackBeware of Fake Chrome Browser Updates that Install Malware

Beware of Fake Chrome Browser Updates that Install Malware

Published on

Reports indicate that there seems to be an ongoing campaign that lures victims into installing a Remote Administration Tool called NetSupport Manager with fake Chrome browser updates. 

Threat actors use this remote administration software as an info stealer and to take control of the victim’s computers. Investigations point this to a suspected SocGholish campaign which was previously conducted by a Russian threat actor but still remains inconclusive.

Fake Chromium updates campaign (Source: Trellix)

However, the SVP of Trellix Advanced Research Center stated that “Chromium with 63.55% of market share is now the de facto most targeted browser for NetSupport RAT attacks, due to the global usage. Organizations need holistic global threat intelligence and innovative security solutions to get the governance and tools needed to reduce the cyber risk.”

- Advertisement - SIEM as a Service

Fake Chrome Browser Update

These fake chromium updates are spread through compromised websites which are injected with a simple HTML script tag that loads malicious JavaScript content from the C2 servers of threat actors. However, this process seems to be automated and follows a directory structure.

Further analysis showed many compromised websites with traffic from the Federal Government, Financial institutions, and consulting services. These compromised websites can be detected by checking the “/cdn-js/wds.min.php”.

Previously, threat actors used PowerShell with WMI functionality for downloading and installing the RAT. However, the current campaign uses batch files (.bat), VBscripts, and curl tools instead of PowerShell scripts for the RAT download.

When a user clicks on the fake browser update link, it downloads a ZIP archive, “UpdateInstall.zip” which consists of a malicious JS file named “Browser_portable.js” that acts as a next-stage malware downloader.

The second stage JS file is named “Chrome_update.js” which is retrieved from the C2 server of the threat actors and executed. This downloads a batch file “1.bat” in the local “C://ProgramData” folder and runs it.

In addition to this, the 1.bat drops VBScript and batch files, which are investigated to be a dummy one as they were not executed. Further components and the final batch script 2.bat is downloaded using curl commands. 

These components consist of the 7-zip archive file, which is the NetSupport Manager RAT software package and is executed by the 2.bat file.

A complete report has been published by Trellix, which provides detailed information on this campaign and the malware source code.

Indicators of Compromise

hxxps://altiordp[.]com/cdn/www.php
hxxps://cheetahsnv[.]com/cdn-js/wds.min.php
hxxps://ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/1.bat?964084
hxxps://ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/tempy.7z
hxxps://ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/7zz.exe
hxxps://ponraj[.]com/05e2f56dd5d8c33a6c402a19629be61c__9336ebf25087d91c818ee6e9ec29f8c1/2.bat

Files

e67f8b91555993e6315ffa9b146c759b9eeac5208116667fa4b31c717ebe5398 *1.bat 675ede331d690fff93579f9767aa7f80cfbc9d4b99afe298ba3b456ee292ac71 *2.bat c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf *7zz.exe 00cf43f66d27692f25da1771dca7bf8c3c0e5aa78b35090013b013c17ceb0fff *Chrome_update.js b9711d8d6d1fd59ea9276a70e0b37c28ae26a105c325448e5d62f7858d61b8c2 *UpdateInstaller.zip 7f976e221ece8acac5f6ea32d2ad427a9bcb237e6a6f754043265073cc004ce1 *Browser_portable.js 42679bd369a3b772c43b9ba20bf8a31a2593a360cfa2de77aa6d2023f9a0c109 *tempy.7z
Client32 config
[HTTP]
CMPI=60
GatewayAddress=5.252.178.48:443
GSK=GA;L@KDPHB Port=443
SecondaryGateway=
SecondaryPort=

Keep informed about the latest Cyber Security News by following us on GoogleNews, Linkedin, Twitter, and Facebook.

Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...