Fake Chrome Update Delivers DriverEasy Malware by Abusing Dropbox

A recent investigation has uncovered a malicious application, DriverEasy, masquerading as a legitimate Google Chrome update to steal user credentials.

The malware leverages Dropbox’s API to exfiltrate sensitive information, including passwords, and is linked to North Korea’s cyber-espionage campaign known as “Contagious Interview.”

Password Theft via Fake Prompts

DriverEasy, written in Swift and Objective-C, deploys deceptive tactics to trick users into revealing their credentials.

Upon execution, the malware displays a fake error prompt followed by an authentication request, imitating a legitimate Google Chrome alert.

Users are prompted to enter their system password into a secure text field. The entered credentials are then captured and processed internally.

The stolen password is transmitted to Dropbox using its API.

The malware initializes communication with Dropbox by utilizing pre-configured OAuth 2.0 credentials, including a refresh token, client ID, and client secret.

These parameters enable the malware to authenticate with Dropbox and upload the stolen data as a file named “password.txt.”

The malware’s workflow begins with querying the victim’s public IP address using the https://api.ipify.org service.

This step is likely used for tracking or profiling purposes. Once the password is captured, it is integrated into an array alongside other predefined strings.

These values are prepared for transmission to Dropbox through an HTTP request.

The Dropbox API interaction involves creating a URL request for file uploads.

The stolen password is included in the request body, while the OAuth token ensures successful authentication.

After uploading the data, the malware verifies the operation by checking HTTP status codes.

Links to Other Malicious Applications

DriverEasy shares significant similarities with two other malware variants attributed to North Korea: ChromeUpdate and CameraAccess.

All three applications use identical Dropbox API credentials for exfiltration, indicating a common origin or shared development resources.

These applications employ similar techniques to deceive users and steal sensitive information under the guise of legitimate software.

The discovery of DriverEasy highlights the increasing sophistication of cyber threats leveraging trusted platforms like Dropbox for malicious purposes.

Users are advised to exercise caution when prompted for credentials by unexpected applications or updates.

Organizations should implement robust endpoint detection mechanisms and monitor for unauthorized API usage.

This incident underscores the importance of understanding how attackers exploit legitimate tools for malicious activities.

By analyzing such threats in detail, security researchers can better equip defenders to detect and mitigate similar attacks in the future.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here