Compromised Sites Use Fake Chrome Update Warnings to Spread Malware (bleepingcomputer.com)
Bleeping Computer warned this week about compromised web sites "that display fake Google Chrome automatic update errors that distribute malware to unaware visitors."
The campaign has been underway since November 2022, and according to NTT's security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish. BleepingComputer has found numerous sites hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores...
If a targeted visitor browses the site, the scripts will display a fake Google Chrome error screen stating that an automatic update that is required to continue browsing the site failed to install. "An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update," reads the fake Chrome error message. The scripts will then automatically download a ZIP file called 'release.zip' that is disguised as a Chrome update the user should install.
However, this ZIP file contains a Monero miner that will utilize the device's CPU resources to mine cryptocurrency for the threat actors. Upon launch, the malware copies itself to C:\Program Files\Google\Chrome as "updater.exe" and then launches a legitimate executable to perform process injection and run straight from memory. According to VirusTotal, the malware uses the "BYOVD" (bring your own vulnerable driver) technique to exploit a vulnerability in the legitimate WinRing0x64.sys to gain SYSTEM privileges on the device.
The miner persists by adding scheduled tasks and performing Registry modifications while excluding itself from Windows Defender. Additionally, it stops Windows Update and disrupts the communication of security products with their servers by modifying the IP addresses of the latter in the HOSTS file. This hinders updates and threat detection and may even disable an AV altogether.
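Two of the behaviours the summary names, HOSTS-file entries that redirect security products' servers and the dropped `updater.exe` path, are easy to check for on a fleet. The following is an added detection example written for this post, not code from BleepingComputer or NTT; the watchlist domains, the sample HOSTS content and the process list are constructed placeholders, and the only page-derived value is the drop path `C:\Program Files\Google\Chrome\updater.exe`.

```python
"""Flag HOSTS-file hijacks and the dropped updater.exe path from the article."""
import re
from typing import List, Tuple

# Constructed placeholder watchlist (not from the article): replace with the
# update/telemetry hostnames of the security products and Windows Update
# endpoints your own fleet actually relies on.
WATCHED_DOMAINS = {
    "update.example-av.test",
    "telemetry.example-edr.test",
    "windowsupdate.example.test",
}

# Drop location named in the article; the miner copies itself here.
DROP_PATH = r"c:\program files\google\chrome\updater.exe"

# Constructed sample HOSTS file (not a real capture).
SAMPLE_HOSTS = """# constructed sample
127.0.0.1   localhost
::1         localhost
0.0.0.0     update.example-av.test   # added by miner
127.0.0.1   telemetry.example-edr.test
10.0.0.5    intranet.example.test
"""

# Constructed sample of running-process image paths.
SAMPLE_PROCESSES = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\Program Files\Google\Chrome\updater.exe",
    r"C:\Program Files\Google\Chrome\Application\chrome.exe",
]


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring blank lines and '#' comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def find_hijacked(text: str) -> List[Tuple[str, str]]:
    """Any HOSTS entry for a watched domain is suspicious, whatever the IP."""
    return [(ip, name) for ip, name in parse_hosts(text) if name in WATCHED_DOMAINS]


def suspicious_image_paths(paths: List[str]) -> List[str]:
    """Processes running from the exact drop path named in the article."""
    return [p for p in paths if p.lower().replace("/", "\\") == DROP_PATH]
```

Run `find_hijacked` against `C:\Windows\System32\drivers\etc\hosts` and `suspicious_image_paths` against process image paths from your EDR or `Get-Process`; a hit on either is worth an incident ticket, not an automatic cleanup.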
Know how to update the real Chrome. (Score:2)
Re: Know how to update the real Chrome. (Score:2)
Re: (Score:2)
Re: (Score:2, Informative)
Is this an update to the story below? (Score:3, Funny)
Has /. been "compromised"?
Compromising Positions (Score:3)
Has /. been "compromised"?
"This comment isn't the worst thing you've caught me doing....."
Re: (Score:1)
I would mod this up, but I have to add that this is rather fucking damning and a good reinforcing lesson for why I have run nothing but Firefox for the last 20 years.
Re: (Score:2)
The only time you ever see legit messages about a Firefox update is when you launch Firefox.
Pretty sure it's the same with Chrome. These kinds of social engineering vulnerabilities prey on a user's ignorance.
What I don't get is how Chrome can be configured to automatically download and run an EXE. Seriously? The user doesn't have to initiate that? I have a hard time believing there's a default setting that would allow download-and-run, even with user account privileges.
It doesn't "automatically download and run an EXE"
1. It's a .zip
2. it only downloads the file, it doesn't automatically execute it.
What took so long? (Score:2)
Should have been released before the Chrome story was picked up in the mainstream press.
At least it should be easy to tell (Score:1)
If this crypto miner thing starts using your CPU to mine crypto, you'll definitely notice. That CPU fan is going to be revving non-stop. That's pretty likely to get the attention of even people who are relatively inept with technology, and they'll know to ask for help.
Another reason I don't use Chrome (Score:2)