Thursday, July 25, 2024

Beware of Fake Chrome Browser Updates that Install Malware

Reports indicate an ongoing campaign that lures victims into installing a remote administration tool, NetSupport Manager, through fake Chrome browser updates.

Threat actors use this remote administration software as an information stealer and to take control of victims' computers. Investigators suspect a SocGholish campaign, which was previously conducted by a Russian threat actor, but attribution remains inconclusive.

Fake Chromium updates campaign (Source: Trellix)

The SVP of the Trellix Advanced Research Center stated that “Chromium with 63.55% of market share is now the de facto most targeted browser for NetSupport RAT attacks, due to the global usage. Organizations need holistic global threat intelligence and innovative security solutions to get the governance and tools needed to reduce the cyber risk.”

Fake Chrome Browser Update

These fake Chromium updates are spread through compromised websites that have been injected with a simple HTML script tag, which loads malicious JavaScript from the threat actors' C2 servers. The injection process appears to be automated and follows a consistent directory structure on the attacker-controlled hosts.

Further analysis showed many compromised websites receiving traffic from the Federal Government, financial institutions, and consulting services. Compromised websites can be identified by checking for a script reference to the “/cdn-js/wds.min.php” path.
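As an added defensive example (not code from the article or from Trellix's report), the following scanner parses a page's HTML for script tags whose URL path ends in the loader path named above; the sample HTML and the hostnames in it are constructed, and the page_host parameter is a hypothetical helper for noting whether the loader is served from a third-party host.

```python
# Added example: find injected <script> tags that load "/cdn-js/wds.min.php".
# Sample HTML and hostnames are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Loader path the article says identifies compromised sites.
LOADER_PATHS = ("/cdn-js/wds.min.php",)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def find_injected_loaders(html, page_host=None):
    """Return (src, host) pairs for script tags whose URL path matches a known loader path.

    page_host (hypothetical) is the host the HTML was fetched from; a relative
    src resolves to it, while an absolute src pointing elsewhere is the
    third-party injection the article describes.
    """
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.sources:
        # Protocol-relative "//host/path" needs a scheme before urlparse sees a host.
        url = urlparse("https:" + src if src.startswith("//") else src)
        if url.path.lower().endswith(LOADER_PATHS):
            host = url.netloc.lower() or (page_host or "").lower()
            hits.append((src, host))
    return hits


# Constructed sample: one benign script and one injected loader tag.
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://loader-c2.example/cdn-js/wds.min.php?v=1"></script>
</head><body>welcome</body></html>"""

if __name__ == "__main__":
    for src, host in find_injected_loaders(SAMPLE_HTML, page_host="compromised-site.example"):
        print(f"suspicious loader: {src} (served from {host})")
```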

Previously, the threat actors used PowerShell with WMI functionality to download and install the RAT. The current campaign instead uses batch files (.bat), VBScripts, and the curl tool for the RAT download.

When a user clicks on the fake browser update link, it downloads a ZIP archive, “UpdateInstall.zip” which consists of a malicious JS file named “Browser_portable.js” that acts as a next-stage malware downloader.

The second-stage JS file, “Chrome_update.js”, is retrieved from the threat actors' C2 server and executed. It downloads a batch file, “1.bat”, into the local “C:\ProgramData” folder and runs it.

In addition, 1.bat drops further VBScript and batch files, which investigators consider dummies because they are never executed. The remaining components and the final batch script, 2.bat, are downloaded using curl commands.

These components include a 7-Zip archive containing the NetSupport Manager RAT software package, which is executed by the 2.bat file.

A complete report has been published by Trellix, which provides detailed information on this campaign and the malware source code.

Indicators of Compromise

Client32 config
[HTTP]
CMPI=60
GatewayAddress=5.252.178.48:443
GSK=GA;L@KDPHB
Port=443
SecondaryGateway=
SecondaryPort=


Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.
