Fake web browser updates are being used to spread remote access trojans (RATs) and information stealer malware like BitRAT and Lumma Stealer (aka LummaC2).
"Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware,"cybersecurity company eSentire stated in a recent research. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms.”
The attack chain begins when potential targets visit a fake website with JavaScript code that redirects them to a fraudulent browser update page ("chatgpt-app[.]cloud"). The redirected web page includes a download link to a ZIP archive file ("Update.zip") located on Discord that is automatically downloaded to the victim's device.
It's worth noting that threat actors frequently use Discord as an attack vector, with Bitdefender's recent study revealing more than 50,000 unsecured connections propagating malware, phishing campaigns, and spam during the past six months.
Another JavaScript file ("Update.js") is included in the ZIP archive file, and it executes PowerShell scripts responsible for downloading further payloads, such as BitRAT and Lumma Stealer, from a remote server in the form of PNG image files.
This method also retrieves PowerShell scripts for persistence and a.NET-based loader, which is generally used to start the final-stage malware. According to eSentire, the loader is most likely represented as a "malware delivery service" because it is used to spread both BitRAT and Lumma Stealer.
BitRAT is a feature-rich RAT that enables attackers to collect data, mine cryptocurrency, download additional malware, and remotely control infected systems. Lumma Stealer, a commodity stealer malware offered for $250 to $1,000 per month since August 2022, can take data from online browsers, cryptocurrency wallets, and other sensitive information.
"The fake browser update lure has become common amongst attackers as a means of entry to a device or network," the company noted, adding it "displays the operator's ability to leverage trusted names to maximize reach and impact.”
While such attacks typically employ drive-by downloads and malvertising techniques, ReliaQuest reported last week that it identified a new variant of the ClearFake campaign that tricked consumers into copying, pasting, and manually executing malicious PowerShell code under the guise of a browser update.
Specifically, the malicious website claims that "something went wrong while displaying this webpage" and instructs the site visitor to install a root certificate to resolve the issue by following a series of steps that include copying and pasting obfuscated PowerShell code into a PowerShell terminal.
"Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing 'LummaC2' malware," the company added.