| Fake Chrome Update | |
|---|---|
| Type of Threat | Exploit |
| Type of Malware | Trojan |
| Targeted Countries | Global |
| Date of Initial Activity | 2024 |
| Motivation | Financial Gain |
| Attack Vectors | Phishing |
| Targeted Systems | Windows |
| Type of Information Stolen | Browser Data |
Overview
A recent wave of attacks distributes malware disguised as a Google Chrome update. The campaign compromises legitimate websites and injects code that shows visitors a pop-up prompting them to “update” their browser; the download behind the button is not Chrome but a malicious installer that has delivered remote access trojans and infostealers.
The chain starts with the compromise of a website. Visitors to the infected site see a pop-up, often written in broken English, claiming that their browser is out of date, with a prominent “Update” button designed to look urgent. Clicking it starts the download of the payload. Nothing about the prompt is a real browser update: Chrome updates itself in the background and never asks the visitor of a third-party website to download an installer, so any “update” offered by a web page should be treated as a lure.
The payloads are served from attacker-controlled domains under file names that mimic legitimate software, and the injected prompt has been found on hundreds of websites, which shows the campaign’s reach. Because the lure is delivered by otherwise trustworthy sites, user vigilance alone is not enough; the download source and the installer’s signer need to be checked as well.
Targets
Individuals
Information
How they operate
Infection and Delivery
The initial phase begins with the injection of malicious code into vulnerable websites. Attackers exploit security weaknesses to insert code that triggers a fake browser update pop-up for every visitor. The pop-up, typically poorly written and styled as an urgent notification, carries a message such as “Warning Exploit Chrome Detect. Update Chrome Browser” together with a prominent “Update” button. It is shown even to visitors who are not using Google Chrome, a simple giveaway that the prompt is not generated by the browser: the injected code makes no attempt to tailor the lure to the visitor’s actual browser.
Clicking the button sends the visitor to a download URL. The file is named to resemble a Chrome installer, for example GoogleChrome-x86.msix, and is hosted on domains that are newly registered and short-lived, which makes reactive blocking difficult; photoshop-adobe.shop and brow-ser-update.top are two domains that have served these files. Two checks a defender can apply: genuine Chrome installers are distributed only from Google-owned hosts such as dl.google.com, and Windows refuses to install an MSIX package whose signature does not chain to a certificate the host trusts, so the publisher shown in the installation dialog, not the file name, identifies who built the package.
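The two checks above can be run over web proxy logs. The following is an added example, not code from the original page or from any vendor report: it parses a constructed proxy log format, flags downloads of Chrome-looking installers from hosts outside a small allowlist of Google download hosts (the allowlist and the log format are assumptions for illustration), and then pivots on the Referer header to recover the compromised website that served the pop-up, which is the site that needs to be blocked and notified. The two malicious domains and the file name are the ones named in the text; every other value in the sample log is made up.

```python
import re
from urllib.parse import urlsplit

# Hosts that legitimately serve Chrome installers. Assumption for illustration:
# extend this allowlist with any internal software mirror you operate.
LEGIT_CHROME_HOSTS = {"dl.google.com", "www.google.com"}

# File names in the campaign look like installers (e.g. GoogleChrome-x86.msix).
CHROME_INSTALLER_RE = re.compile(r"(?i)(google)?chrome[\w.-]*\.(msix|msixbundle|exe|msi)$")


def parse_proxy_line(line):
    """Parse one constructed proxy log line of the form
    '<timestamp> <client_ip> <method> <url> <status> <referer>' ('-' if none)."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, referer = parts
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "host": urlsplit(url).hostname or "",
        "status": status,
        "referer": None if referer == "-" else referer,
    }


def is_fake_chrome_download(url):
    """True when the URL fetches a Chrome-looking installer from a host that is
    not one of Google's download hosts. The file name is the lure; the host is
    the tell."""
    u = urlsplit(url)
    filename = u.path.rsplit("/", 1)[-1]
    if not CHROME_INSTALLER_RE.search(filename):
        return False
    return (u.hostname or "") not in LEGIT_CHROME_HOSTS


def find_fake_update_downloads(lines):
    """Return the parsed records for every suspicious installer download."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if rec and is_fake_chrome_download(rec["url"]):
            hits.append(rec)
    return hits


def lure_sites(hits):
    """Pivot on the Referer: the page the victim was on when the download
    started is the compromised site serving the pop-up."""
    return {urlsplit(h["referer"]).hostname for h in hits if h["referer"]}


# Constructed sample log (not real traffic). Only the two malicious domains and
# the installer file name come from the campaign description.
SAMPLE_LOG = [
    "2024-05-14T10:02:11Z 10.0.0.25 GET https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise64.msi 200 -",
    "2024-05-14T10:05:43Z 10.0.0.31 GET https://brow-ser-update.top/GoogleChrome-x86.msix 200 https://blog.example-victim.test/news/",
    "2024-05-14T10:05:50Z 10.0.0.31 GET https://photoshop-adobe.shop/GoogleChrome-x86.msix 200 https://blog.example-victim.test/news/",
    "2024-05-14T10:06:01Z 10.0.0.40 GET https://www.example.test/index.html 200 -",
]

if __name__ == "__main__":
    hits = find_fake_update_downloads(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], "->", h["url"], "(referer:", h["referer"], ")")
    print("compromised sites serving the lure:", lure_sites(hits))
```

The legitimate enterprise MSI from dl.google.com is not flagged even though its name matches the installer pattern; only the host decides. In a real deployment the allowlist should be maintained from your software distribution policy rather than hard-coded, and the Referer pivot is only as good as the proxy's logging of that header.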
Malware Execution and Persistence
Once the downloaded file is executed, it installs the actual payload, which in observed cases has included remote access trojans (RATs) and infostealers. These give the attacker remote access to the system, exfiltrate sensitive data, or stage further activity, and they try to blend in with legitimate processes so that neither the user nor security software notices them.
Persistence is maintained in two places. On the host, the malware registers itself to run at system startup or hooks into legitimate applications and processes to avoid detection. On the web side, the injected code keeps serving the lure to every new visitor until the compromised site is cleaned or patched, so a single unnoticed site compromise can feed infections for weeks.
Technical Details and Countermeasures
A key component of the delivery method is the abuse of a legitimate WordPress plugin, Hustle, which is built to display pop-ups and opt-in forms. Attackers who have gained access to a site use it to create and display the fake update pop-up instead of dropping their own JavaScript; this is abuse of the plugin’s intended feature, not a vulnerability in the plugin itself. The injected content is stored either in JSON files under the wp-content/uploads directory or in the WordPress database, so a clean-up has to cover both locations. Re-using widely deployed, trusted software in this way is a broader trend: it lets the injection pass scanners that only look for unfamiliar code.
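A site owner cleaning up after this campaign needs to find the injected pop-up definitions in both storage locations. The scanner below is an added example, not code from the original page, from Sucuri, or from the Hustle plugin: it walks an uploads tree, decodes every JSON file, and looks at every nested string for the lure wording quoted above, for installer-style download URLs, and for the two domains named in the text. The same `scan_json_blob` function can be run over values exported from wp_options or wp_posts, since those are JSON text too. The `hustle` subfolder, the file names and the exact JSON layout are assumptions made to build a self-contained sample; the plugin’s real storage format may differ, which is why the scanner inspects every string rather than a fixed key.

```python
import json
import os
import re
import tempfile
from urllib.parse import urlsplit

# Indicators taken from the campaign description: the pop-up wording and the
# installer-style download URL. The domain list holds the two domains named
# in the text; extend it from your own threat intelligence.
LURE_TEXT_RE = re.compile(
    r"(?i)(exploit chrome detect|update chrome browser|chrome .*(out of date|needs? (an )?update))"
)
INSTALLER_URL_RE = re.compile(r"(?i)https?://[^\s\"'<>]+\.(msix|msixbundle|exe|msi)\b")
KNOWN_BAD_DOMAINS = {"photoshop-adobe.shop", "brow-ser-update.top"}


def iter_strings(obj):
    """Yield every string inside a decoded JSON document, at any nesting depth,
    so indicators buried inside a pop-up definition are still seen."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for value in obj.values():
            yield from iter_strings(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from iter_strings(value)


def scan_json_blob(text):
    """Return the set of indicator labels found in one JSON blob. Works on a
    file body or on a value pulled from wp_options/wp_posts."""
    found = set()
    try:
        doc = json.loads(text)
    except ValueError:
        return found  # not JSON: grep such files separately
    for s in iter_strings(doc):
        if LURE_TEXT_RE.search(s):
            found.add("lure_text")
        for m in INSTALLER_URL_RE.finditer(s):
            found.add("installer_url")
            host = urlsplit(m.group(0)).hostname or ""
            if host in KNOWN_BAD_DOMAINS:
                found.add("known_domain:" + host)
    return found


def scan_uploads(root):
    """Walk an uploads tree and report every .json file carrying indicators,
    keyed by path relative to root (forward slashes, for portability)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".json"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_json_blob(fh.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = sorted(hits)
    return findings


def build_sample_uploads():
    """Create a constructed wp-content/uploads tree in a temp dir: one benign
    pop-up and one carrying the fake-update lure. The 'hustle' folder, file
    names and JSON layout are assumptions for the example, not the plugin's
    real storage format."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    os.makedirs(os.path.join(root, "hustle"))
    benign = {"type": "popup", "settings": {"content": "<p>Subscribe to our newsletter</p>"}}
    injected = {
        "type": "popup",
        "settings": {
            "content": "<h2>Warning Exploit Chrome Detect. Update Chrome Browser</h2>"
                       "<a href=\"https://brow-ser-update.top/GoogleChrome-x86.msix\">Update</a>"
        },
    }
    with open(os.path.join(root, "hustle", "popup-1.json"), "w", encoding="utf-8") as fh:
        json.dump(benign, fh)
    with open(os.path.join(root, "hustle", "popup-2.json"), "w", encoding="utf-8") as fh:
        json.dump(injected, fh)
    return root


if __name__ == "__main__":
    for path, hits in scan_uploads(build_sample_uploads()).items():
        print(path, "->", ", ".join(hits))
```

Point `scan_uploads` at a real wp-content/uploads directory to use it; a hit on `installer_url` alone deserves a manual look even when the domain is not on the list, because the campaign rotates domains faster than any blocklist is updated.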
MITRE Tactics and Techniques
Initial Access (T1189 – Drive-by Compromise)
Compromised websites: The fake update prompt is served by legitimate websites that the victim visits in the normal course of browsing. No message is sent to the victim, so in ATT&CK terms this is drive-by compromise rather than phishing (T1566), even though the lure relies on the same kind of deception.
Execution (T1204.002 – User Execution: Malicious File)
Malicious File Execution: The victim downloads and runs the file disguised as a browser update themselves; no browser vulnerability is exploited, which is why the technique is user execution rather than exploitation for client execution. The file then installs the malware that compromises the system.
Persistence (T1547 – Boot or Logon Autostart Execution)
Host persistence: The installed malware registers itself to run at system startup or logon. Separately, the code injected into the website remains active, and keeps serving the lure to new visitors, until the compromised site is cleaned; that is persistence on the web server rather than on the victim host.
Command and Control (T1071.001 – Application Layer Protocol: Web Protocols)
C2 Communication: The malware establishes communication with command and control servers over HTTP or HTTPS to receive instructions or send data, so that its traffic blends in with normal web browsing.
Exfiltration (T1041 – Exfiltration Over C2 Channel)
Data Collection and Exfiltration: Where the payload includes data theft or keylogging capabilities, it collects sensitive information such as browser data from the infected system and sends it to the attacker’s server over the same C2 channel.