A new malware distribution campaign that involves compromising websites and displaying fake Google Chrome automatic update errors has been discovered by NTT’s security analyst Rintaro Koike.
According to Koike, the campaign began in November 2022 but only expanded its targeting scope to include Japanese, Korean, and Spanish-speaking users after February 2023. Websites hacked in the campaign include online stores, adult sites, news sites, and blogs.
The malware campaign targets users by compromising websites to inject malicious JavaScript code that executes scripts when a user visits them. These scripts will download additional scripts based on whether the visitor is the targeted audience. The scripts will display a fake Google Chrome error screen to users stating that an automatic update is required to continue browsing the site. The scripts will then automatically download a ZIP file called ‘release.zip’ that is disguised as a Chrome update the user should install.
However, the ZIP file contains a Monero miner that utilizes the device’s CPU resources to mine cryptocurrency for the threat actors.
Upon launch, the malware copies itself to C:\Program Files\Google\Chrome as “updater.exe” and then launches a legitimate executable to perform process injection and run straight from memory.
The malware uses the “BYOVD” (bring your own vulnerable driver) technique to exploit a vulnerability in the legitimate WinRing0x64.sys to gain SYSTEM privileges on the device. The miner persists by adding scheduled tasks and performing Registry modifications while excluding itself from Windows Defender.
It stops Windows Update and disrupts the communication of security products with their servers by modifying the IP addresses of the latter in the HOSTS file, which hinders updates and threat detection and may even disable an AV altogether.
The malware campaign is a warning to users not to install security updates from third-party sites and only install them from the software’s developers or via automatic updates built into the program.
While some of the websites that have been defaced are Japanese, NTT warns that the recent inclusion of additional languages may indicate that the threat actors plan to expand their targeting scope, so the campaign’s impact may become greater soon. As always, users should remain cautious and ensure that they have adequate security software installed on their devices.
