Fake Browser Updates Used to Deploy Malware
Notifications on Compromised Websites Impersonate Chrome, Firefox and Edge Browsers
Cybercriminals are disguising malware as phony browser updates on compromised websites. Fraudulent updates for Chrome, Firefox and Edge browsers are luring unsuspecting users into downloading malware that can steal data, take over devices or deploy ransomware.
Proofpoint researchers observed four different threat clusters - including SocGholish, RogueRaticate, SmartApeSG and ClearFake - using separate campaigns with similar characteristics to deliver fake browser update lures.
"The use of fake browser updates is an interesting threat that pairs unique technical capabilities with social engineering to convince people their browser is out of date," the researchers said. "The fake browser update lure has been seen leading to a variety of malware that can steal data, remotely control a computer, or even lead to ransomware."
Researchers found three distinct stages of malware deployment:
- Stage 1: Malicious injection on a legitimate, but compromised, website;
- Stage 2: Hosting of the lure and malicious payload;
- Stage 3: The execution of the payload on a host after download.
Users are then prompted to download a "browser update" that delivers the final payload.
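The Stage 1 injection described above lands on a legitimate site the owner still controls, so the owner can detect it by comparing the scripts a page actually loads against a known-good copy. The following Python script is an added example, not code from the article or from Proofpoint's research: it parses a page's HTML with the standard library, flags external script sources whose host is not on a site-specific allowlist, and flags inline script bodies that did not appear in the clean baseline. The sample pages, the allowlist and the injected hostname are constructed for this example.

```python
"""Baseline check for unexpected <script> tags on a site's own pages.

Added example (not from the article or the Proofpoint research). The HTML,
allowlist and injected hostname below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # src values of <script src=...>
        self.inline = []        # bodies of <script> ... </script> without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # html.parser delivers <script> contents as data, not as tags.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf).strip())


def collect_scripts(html):
    """Return (external_srcs, inline_bodies) found in the HTML."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.external, p.inline


def find_injected_scripts(html, allowed_hosts, baseline_inline):
    """Report scripts not explained by the allowlist or the clean baseline.

    allowed_hosts:   hostnames the site legitimately loads scripts from.
    baseline_inline: inline script bodies taken from a known-good copy.
    """
    external, inline = collect_scripts(html)
    findings = []
    for src in external:
        host = urlparse(src).hostname
        # A relative src has no host and is served by the site itself;
        # protocol-relative "//host/x.js" still yields a hostname.
        if host is not None and host.lower() not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in inline:
        if body not in baseline_inline:
            findings.append(("unexpected-inline-script", body[:60]))
    return findings


# Constructed known-good page: first-party script, one approved CDN, one
# inline config snippet.
CLEAN_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script>window.siteConfig = {lang: "en"};</script>
</head><body><p>Hello</p></body></html>"""

# Constructed compromised copy: the same page with a third-party loader and a
# second inline snippet appended, mimicking a Stage 1 injection.
COMPROMISED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="//static.injected.invalid/loader.js"></script>'
    '<script>fetch("//static.injected.invalid/c");</script></body>',
)

ALLOWED_HOSTS = {"cdn.example.com"}
BASELINE_INLINE = set(collect_scripts(CLEAN_PAGE)[1])


def demo():
    """Run the check over the constructed compromised page."""
    return find_injected_scripts(COMPROMISED_PAGE, ALLOWED_HOSTS, BASELINE_INLINE)


if __name__ == "__main__":
    for kind, detail in demo():
        print(f"{kind}: {detail}")
```

In practice the baseline would be captured from a clean deployment artifact rather than from the live site, and the check run on a schedule against the served HTML, since the injection lives in the served page rather than in the site owner's source.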
Researchers found that threat actor TA569, the distributor of SocGholish, has used fake browser updates for over five years to deliver that malware.
Attackers previously used SocGholish to target dozens of newspaper websites operated by a U.S. media company (see: WastedLocker Ransomware Targets US Newspaper Company).
The latest campaign demonstrates that other threat actors have adopted this method, using their own approaches to deliver the lure and payload and taking advantage of the same social engineering tactics.
One injection observed by the researchers routes victims through the Keitaro traffic distribution system, using a variety of actor-controlled domains that filter out requests before passing the remainder on to the Stage 2 domains.
"The variety of injections makes it difficult for defenders to both identify the location of the malicious injection and reproduce the traffic, due to the various stages of filtering," the researchers said.
Proofpoint researchers said that SocGholish infections also deploy AsyncRAT and NetSupport RAT as remote access Trojan payloads.