Fraud Management & Cybercrime , Social Engineering
Fake Browser Updates Used to Deploy Malware
Notifications on Compromised Websites Impersonate Chrome, Firefox and Edge BrowsersCybercriminals are disguising malware as phony browser updates on compromised websites. Fraudulent updates for Chrome, Firefox and Edge browsers are luring unsuspecting users into downloading malware that can steal data, take over devices or deploy ransomware.
See Also: 5 Real-Life Examples of Cyberattacks and How to Stop Them
Proofpoint researchers observed four different threat clusters - including SocGholish, RogueRaticate, SmartApeSG and ClearFake - using separate campaigns with similar characteristics to deliver fake browser update lures.
"The use of fake browser updates is an interesting threat that pairs unique technical capabilities with social engineering to convince people their browser is out of date," the researchers said. "The fake browser update lure has been seen leading to a variety of malware that can steal data, remotely control a computer, or even lead to ransomware."
Researchers found three distinct stages of malware deployment:
- Stage 1: Malicious injection on a legitimate, but compromised, website;
- Stage 2: Hosting of the lure and malicious payload;
- Stage 3: The execution of the payload on a host after download.
The fake browser updates are controlled by threat actors who use JavaScript or HTML-injected code that directs traffic to a malicious domain, which can overwrite the webpage with a browser update lure specific to the victim's web browser.
Users are then prompted to download a "browser update" that delivers the final payload.
Researchers found that threat actor TA569, who is also the distributor, used fake browser updates for over five years to deliver SocGholish malware.
Attackers previously used SocGholish to target dozens of newspaper websites operated by a U.S. media company (see: WastedLocker Ransomware Targets US Newspaper Company).
Latest Campaigns
The latest campaign demonstrates that other threat actors have adopted this method, using their own approaches to deliver the lure and payload and taking advantage of the same social engineering tactics.
Attackers used an injection that uses the Keitaro traffic distribution system via a variety of actor-controlled domains that filter requests out before routing to the Stage 2 domains.
In the second method, TA569 uses Parrot TDS to obfuscate its injected code and apply similar filtering before routing requests to the Stage 2 domains. The compromised websites have around 10 malicious JavaScript files that contain Parrot TDS injections leading to the deployment of the SocGholish payloads.
The third and final method used by TA569 is a simple JavaScript asynchronous script request in the compromised website HTML that reaches out to a Stage 2 domain.
"The variety of injections makes it difficult for defenders to both identify the location of the malicious injection and reproduce the traffic, due to the various stages of filtering," the researchers said.
Proofpoint researchers said that SocGholish infections also deploy AsyncRAT and NetSupport RAT as remote access Trojan payloads.