Thursday, May 8, 2025
HomeChromeHackers Using Fake Google Chrome Error Screens To Inject Malware

Hackers Using Fake Google Chrome Error Screens To Inject Malware

Published on

SIEM as a Service

Follow Us on Google News

Researchers detect a new malware campaign that uses a web page with fake Google Chrome error screens, and the campaign actively distributing malware since Feb 2023.

With the help of social engineering techniques, threat actors trick victims into executing the malware on the system. In this case, several Japanese websites are compromised to distribute the malware.

The Malware eventually drops a Monero miner with the function of the following:

- Advertisement - Google News
  • Copy itself to C:\Program Files\Google\Chrome under the name updater.exe
  • Launch legitimate conhost.exe and process injection
  • Persisted using task scheduler and registry
  • Windows Defender exclusion settings
  • Stop services related to Windows Update
  • Interfering with communication of security products by rewriting the Hosts file.

Malware Infection Process:

Attackers compromised and defaced several legitimate websites, and the malicious code was injected with the help of the following parameters.

The link has a mtizndu2 parameter and is supposed to be a lowercase MTIzNDU2 base 64 encoded version of 123456.

In this case, Script tags load and execute JavaScript code of the following and the attackers use some obstruction technique to analyze the code.

The following code has using for this attack:

According to the NTT Data report, “In addition to access control using cookies, the loaded JavaScript code contains a function to narrow down the target and a process to redirect to a URL that displays a fake error screen.”

Attackers also used a Cookie key (c122eba0264bfd7e383f015cecf59fbd) for access control, and the MD5 value is “yagamilight” for the same.

In the Results, victims will see a fake Error screen of the following; JavaScript code downloads a ZIP file.

The Zip file is named as ” chromium-patch-nightly” and pretends to be a patch update for Chrome.

The language of the fake error screen displayed varies depending on the website to be defaced. In addition to Japanese, SOC has confirmed Spanish and Korean and supports multiple languages. Researchers said.

Researchers believe that some of the websites that have been defaced include Japanese websites, and the impact is widespread and serious. It may continue in the future, so be careful.

IoCs

  • 38[.]147.165.60
  • 103[.]150.180.49
  • 156[.]251.189.56
  • 38[.]147.165.50
  • 162[.]19.139.184
  • yhdmb[.]xyz
  • fastjscdn[.]org
  • chromelistcdn[.]cloud
  • chrome-error[.]co
  • xmr.2miners[.]com

Building Your Malware Defense Strategy – Download Free E-Book

Also Read:

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical Vulnerability in Ubiquiti UniFi Protect Camera Allows Remote Code Execution by Attackers

Critical security vulnerabilities in Ubiquiti’s UniFi Protect surveillance ecosystem-one rated the maximum severity score...

IXON VPN Client Vulnerability Allows Privilege Escalation for Attackers

A critical security vulnerability in IXON’s widely used VPN client has exposed Windows, Linux,...

Cisco IOS Software SISF Vulnerability Could Enable Attackers to Launch DoS Attacks

Cisco has released security updates addressing a critical vulnerability in the Switch Integrated Security...

Seamless AI Communication: Microsoft Azure Adopts Google’s A2A Protocol

Microsoft has announced its support for the Agent2Agent (A2A) protocol, an open standard developed...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Critical Vulnerability in Ubiquiti UniFi Protect Camera Allows Remote Code Execution by Attackers

Critical security vulnerabilities in Ubiquiti’s UniFi Protect surveillance ecosystem-one rated the maximum severity score...

IXON VPN Client Vulnerability Allows Privilege Escalation for Attackers

A critical security vulnerability in IXON’s widely used VPN client has exposed Windows, Linux,...

Cisco IOS Software SISF Vulnerability Could Enable Attackers to Launch DoS Attacks

Cisco has released security updates addressing a critical vulnerability in the Switch Integrated Security...