A recent investigation by eSentire’s Threat Response Unit (TRU) has revealed a sophisticated malware campaign employing fake browser updates to distribute dangerous malware variants, namely BitRAT and Lumma Stealer. This campaign capitalizes on users’ trust in software updates to deceive them into downloading malicious files, resulting in severe security breaches. The TRU identified instances of fake updates delivering these malware payloads, indicating an escalating trend in cybercriminal tactics.
The infection chain begins when a user visits a compromised webpage that carries malicious JavaScript and is redirected to a fake browser update page. That page links to a ZIP archive such as ‘Update.zip,’ which is downloaded onto the victim’s device from a hosting platform like Discord’s Content Distribution Network (CDN). Once the archive’s contents are run, they download and execute JavaScript files responsible for fetching the subsequent payloads.
These payloads, embedded within the ZIP archives, include PowerShell scripts that download and execute the next-stage loaders and malware payloads from known BitRAT Command-and-Control (C2) servers. The attack involves multiple files, each with a distinct role, such as establishing persistence, retrieving payloads, and executing malicious code. Notably, the payloads use advanced obfuscation to evade detection, including PowerShell routines that bypass AMSI and hide files in system directories.
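The chain summarized above (archive fetched from a Discord CDN URL, a Windows script host running a .js file from the user profile, then a PowerShell child with hidden-window or encoded-command arguments) lends itself to stage-based correlation on the defender's side. The following is an added example, not code from eSentire or from the report; the proxy and process-creation events, host names, paths and timestamps are all constructed, and the regular expressions and ten-minute window are assumptions chosen for illustration rather than indicators taken from the campaign.

```python
"""Correlate proxy and process-creation events that resemble the fake-update
chain: Discord CDN archive -> script host running a .js from a user directory
-> PowerShell follow-on. Constructed example; sample data is not real telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, event type, details)
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:05", "WS-042", "proxy",
     {"url": "https://cdn.discordapp.com/attachments/1234/5678/Update.zip", "status": 200}),
    ("2024-05-01T10:00:41", "WS-042", "process",
     {"image": r"C:\Windows\System32\wscript.exe",
      "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Update\Update.js"',
      "parent": r"C:\Windows\explorer.exe"}),
    ("2024-05-01T10:00:43", "WS-042", "process",
     {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
      "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA",
      "parent": r"C:\Windows\System32\wscript.exe"}),
    # Benign host: a PDF from the same CDN and an interactive PowerShell session.
    ("2024-05-01T11:15:00", "WS-017", "proxy",
     {"url": "https://cdn.discordapp.com/attachments/99/100/meeting-notes.pdf", "status": 200}),
    ("2024-05-01T11:20:00", "WS-017", "process",
     {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
      "cmdline": "powershell.exe Get-ChildItem",
      "parent": r"C:\Windows\explorer.exe"}),
]

# Assumed patterns for each stage; tune to your environment's logging format.
DISCORD_ARCHIVE = re.compile(r"https?://cdn\.discordapp\.com/.*\.(zip|rar|7z)(\?|$)", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
USER_SCRIPT = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\.*\.(js|jse|vbs|wsf)\b", re.I)
POWERSHELL = re.compile(r"\\powershell\.exe$", re.I)
SUSPICIOUS_PS_ARGS = re.compile(
    r"(-enc\w*|-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass)", re.I)


def classify(event_type, details):
    """Return the chain stage a single event matches, or None if it matches nothing."""
    if event_type == "proxy" and DISCORD_ARCHIVE.search(details["url"]):
        return "archive_download"
    if event_type == "process":
        image, cmd, parent = details["image"], details["cmdline"], details["parent"]
        if SCRIPT_HOST.search(image) and USER_SCRIPT.search(cmd):
            return "script_host_user_dir"
        if POWERSHELL.search(image) and (SCRIPT_HOST.search(parent)
                                         or SUSPICIOUS_PS_ARGS.search(cmd)):
            return "powershell_followon"
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Flag hosts where at least two distinct stages occur within `window` of each other.

    Returns {host: sorted list of stage names}. A single stage alone (for example one
    archive download) is not alerted on, which keeps benign CDN traffic quiet.
    """
    hits = defaultdict(list)
    for ts, host, etype, details in events:
        stage = classify(etype, details)
        if stage:
            hits[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, stage_hits in hits.items():
        stage_hits.sort()
        # Slide an anchor over the hits so the window is not tied to the very first event.
        for i, (t0, _) in enumerate(stage_hits):
            stages = {s for t, s in stage_hits[i:] if t - t0 <= window}
            if len(stages) >= 2:
                alerts[host] = sorted(stages)
                break
    return alerts


if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: fake-update chain suspected, stages seen: {', '.join(stages)}")
```

Requiring two stages rather than one is the design choice worth keeping: a Discord CDN download or a PowerShell launch alone is common in many environments, while a script host reading a .js from Downloads followed within minutes by a hidden PowerShell child is rare enough to page on.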
The primary malware components, BitRAT and Lumma Stealer, offer a wide range of capabilities, including remote access, password recovery, cryptocurrency mining, and data exfiltration. Both are delivered through the same fake update mechanism, demonstrating the threat actor’s adeptness at exploiting trusted software channels for malicious purposes. The interchangeable nature of the payloads suggests a scalable and adaptable strategy that is likely to persist in future cyberattacks.