Threat Actors Exploit Chrome to Deliver Malware as Windows 10 App

Rapid7 researchers discovered the campaign and warn that its goal is to steal personal data.

A recently discovered malware campaign targets Windows 10 with malware that installs itself through a process that evades the Windows security control known as User Account Control (UAC). "Researchers couldn’t retrieve the payload files from the sample that they analyzed because they were no longer present when they investigated. However, they used samples from VirusTotal to peer under the hood," reports ThreatPost. Rapid7 researchers discovered the campaign and warn that its goal is to steal personal data and cryptocurrency from infected PCs.

According to the researchers, the malware is highly persistent, abusing a Windows environment variable and a local scheduled task to ensure that it keeps executing with elevated privileges. The attack chain begins when a Chrome user opens a malicious site, which then opens a "browser ad service" that asks the user to take some action. However, it is not clear what the researchers mean by 'browser ad service.' The end goal is to steal data with info-stealer malware; the stolen data includes browser credentials and cryptocurrency.

Other suspicious activity includes blocking browser updates and setting the system up for arbitrary command execution. The attackers use a compromised site built specifically to abuse the Chrome browser on Windows 10 to deliver malicious payloads. Investigation of the user's Chrome browser also showed redirects to various malicious domains and other suspicious redirect chains prior to the first-stage infection.
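The persistence mechanism described above, an elevated scheduled task whose executable path is resolved through an environment variable, is something a defender can hunt for in exported Task Scheduler definitions. The following Python script is an added example, not code from the article or from Rapid7: the task XML it audits is constructed for illustration, and the task names, paths, variable groupings and severity rules are assumptions rather than details of the campaign. The XML namespace is the one Windows uses for task exports (`schtasks /query /xml`).

```python
"""Hunt for the persistence pattern the article describes: a scheduled task
that runs elevated while its command path is resolved at run time through
an environment variable, so whoever controls the variable controls what runs.

Sample task definitions below are constructed for this example; they are
not artifacts from the campaign. The variable groupings and severity rules
are assumptions for illustration.
"""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports (schtasks /query /xml).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Variables the OS sets and that point into protected directories.
SYSTEM_VARS = {"systemroot", "windir", "programfiles", "programfiles(x86)",
               "programdata", "commonprogramfiles"}
# Variables that resolve to locations the interactive user can write to.
USER_WRITABLE_VARS = {"appdata", "localappdata", "temp", "tmp", "userprofile"}

ENV_REF = re.compile(r"%([^%]+)%")


def _text(node, path):
    found = node.find(path, TASK_NS)
    return (found.text or "").strip() if found is not None else ""


def audit_task_xml(xml_text):
    """Audit one exported task. Returns a dict with uri, run_level,
    severity ('none', 'low' or 'high') and a list of findings."""
    root = ET.fromstring(xml_text)
    uri = _text(root, "t:RegistrationInfo/t:URI")
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    findings = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        command = _text(exec_node, "t:Command")
        for var in ENV_REF.findall(command):
            name = var.lower()
            if name in SYSTEM_VARS:
                continue  # %SystemRoot% and friends are the normal case
            kind = "user-writable" if name in USER_WRITABLE_VARS else "non-standard"
            findings.append(f"command {command!r} expands {kind} variable %{var}%")
    if not findings:
        severity = "none"
    elif run_level == "HighestAvailable":
        # Elevated execution is what turns an indirect path into a UAC problem.
        severity = "high"
    else:
        severity = "low"
    return {"uri": uri, "run_level": run_level, "severity": severity,
            "findings": findings}


def audit_tasks(xml_documents):
    """Audit many exported tasks; returns one result per document."""
    return [audit_task_xml(doc) for doc in xml_documents]


def _task(uri, run_level, command):
    # Builds a minimal constructed task export for the samples below.
    return f"""<Task xmlns="{TASK_NS['t']}">
  <RegistrationInfo><URI>{uri}</URI></RegistrationInfo>
  <Principals><Principal><RunLevel>{run_level}</RunLevel></Principal></Principals>
  <Actions><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""


# Constructed samples (assumed names and paths, not campaign indicators).
SAMPLE_TASKS = [
    _task(r"\Example\Reminder", "LeastPrivilege", r"%SystemRoot%\System32\notepad.exe"),
    _task(r"\Example\VendorUpdate", "HighestAvailable", r"C:\Program Files\Vendor\updater.exe"),
    _task(r"\Example\SvcUpdate", "HighestAvailable", r"%AppData%\svc\update.exe"),
    _task(r"\Example\Host", "HighestAvailable", r"%UPDHOST%\run.exe"),
    _task(r"\Example\Cleanup", "LeastPrivilege", r"%TEMP%\cleanup.exe"),
]

if __name__ == "__main__":
    for result in audit_tasks(SAMPLE_TASKS):
        print(result["severity"].upper(), result["uri"], result["run_level"])
        for finding in result["findings"]:
            print("   -", finding)
```

Only the two elevated tasks that go through a user-writable or unrecognised variable come out as high severity; the same indirection in a least-privilege task is reported at low severity, and tasks that use OS-owned variables such as `%SystemRoot%` are left alone. On a real host the same functions can be fed the output of `schtasks /query /xml` for each task.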

"Upon further analysis, researchers found that birchlerarroyo[.]com presented a browser notification requesting permission to show notifications to the user. This as well as a reference to a suspicious JavaScript file in its source code led the Rapid7 team to suspect that it had been compromised, Iwamaye said. It’s unclear from the research, why or how a user would be coaxed into permitting the site to send notification requests via the Chrome browser. However, once notifications were permitted the browser user was alerted that their Chrome web browser needed to be updated," reports ThreatPost.