Threat actors have adopted a new attack strategy that uses fake Chrome updates to spread malware. The hackers inject scripts that display fake Google Chrome automatic-update errors, which deliver malware to unsuspecting users.
Researchers discovered numerous hacked websites in this malware distribution operation, including explicit websites, news sites, online stores, and blogs.
The fake Chrome updates campaign is initiated by infecting websites with malicious code.
According to investigations, the hackers behind the fake Chrome updates compromise websites and attach malicious JavaScript code that runs as soon as a user visits them.
The scripts download additional prompts only if the visitor belongs to the campaign's targeted audience.
The operation delivers these malicious scripts through the Pinata IPFS service, which hides the origin server hosting the file. As a result, the technique can defeat blocklisting and resist takedowns.
If a targeted visitor browses the website, the script then displays a fake Google Chrome error screen. The screen claims that an automatic update failed to install and that the user must install it to continue browsing the site.
The script then downloads a ZIP archive disguised as the Chrome update the user is told to install. In reality, the archive contains a Monero miner that uses the victim's CPU resources to mine cryptocurrency.
The malware copies itself to "C:\Program Files\Google\Chrome" as updater[.]exe and launches a legitimate executable to perform process injection and run from memory.
A separate researcher explained that the malware uses the BYOVD (bring your own vulnerable driver) technique, abusing a flaw in the legitimate WinRing0x64[.]sys driver to gain elevated privileges on the infected device. The miner then persists by adding scheduled tasks and making Registry modifications, and it adds itself to the Windows Defender exclusions.
Furthermore, the campaign blocks Windows Update and prevents security products from contacting their servers by modifying the IP address mappings in the HOSTS file. This also stops updates and threat definitions from arriving and may even disable anti-virus detection on the infected computer.
Finally, the miner connects to xmr[.]2miners[.]com and starts mining Monero.
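As an added example (not code from the article or the researchers it cites), the following Python check parses HOSTS file content and reports entries that sinkhole Windows Update or Defender definition domains, which is the tampering described above. The sample HOSTS text and the protected-domain list are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample HOSTS content (not from the article) showing the kind of
# tampering described above: update and signature domains pinned to loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
192.168.1.10    printer.corp.example
0.0.0.0         windowsupdate.microsoft.com
0.0.0.0         update.microsoft.com   # added by attacker
127.0.0.1       go.microsoft.com
0.0.0.0         definitionupdates.microsoft.com
"""

# Assumption: domains the host must reach for Windows Update and Defender
# definitions; an analyst extends this with their own AV vendor's domains.
PROTECTED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Addresses that silently black-hole a name when placed in HOSTS.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS content, skipping comments and junk."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not a valid address; ignore malformed line
        for name in fields[1:]:
            yield ip, name.lower()


def is_protected(name):
    """True if name equals, or is a subdomain of, one of the protected suffixes."""
    return any(name == s or name.endswith("." + s) for s in PROTECTED_SUFFIXES)


def find_sinkholed(text):
    """Return (ip, hostname) entries that redirect a protected domain to a sinkhole."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if ip in SINKHOLE_IPS and name != "localhost" and is_protected(name)]


if __name__ == "__main__":
    for ip, name in find_sinkholed(SAMPLE_HOSTS):
        print(f"sinkholed: {name} -> {ip}")
```

On a live Windows host, pass the contents of C:\Windows\System32\drivers\etc\hosts to find_sinkholed; any hit on an update or signature domain warrants further triage of the machine.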