Fake Chrome & Firefox browser update lead users to malware infection

Another day, another malware scam – This one uses Chrome and Firefox browsers as bait to infect Windows users. 

The IT security researchers at Malwarebytes have discovered a malware campaign that aims at infecting devices by tricking users into downloading malicious files disguised as Chrome and Firefox browser updates.

Malware campaign targets sites on popular CMS

The malware campaign originally began targeting users in December 2017, by compromising websites using Squarespace, Joomla, and WordPress content management system (CMS) and injecting them with malicious redirection code.

Until now, researchers have identified thousands of compromised websites hosting the “FakeUpdates campaign.” Simply put, cybercriminals are compromising websites and displaying notifications to visitors that they are using an outdated version of Chrome or Firefox browser.

Fake Chrome & Firefox browser update lead users to malware infection
Credit: Malwarebytes

It is worth noting that the update notification is displayed to one user per IP address and redirects them to download site based on their browser. For instance, Chrome users are redirected to fake Chrome browser update page while Firefox users are redirected to a site that shows Firefox browser update notification.

Malwarebytes researchers noted that the infection begins with the fake update disguising as a JavaScript file hidden in the Dropbox file hosting service. The Dropbox URL is regularly changed and updated to avoid detection.

“This JavaScript is heavily obfuscated to make static analysis very difficult and also to hide some crucial fingerprinting that is designed to evade virtual machines and sandboxes,” wrote Malwarebytes analyst Jérôme Segura.

End target: ZeusVM’s variant Chtonic banking malware

The end result of this malware campaign is infecting Windows devices with Chtonic banking malware, a variant of infamous ZeusVM (Zeus family of malware) which means that cybercriminals are aiming at the victims’ banking and payment card credentials.

Fake Chrome & Firefox browser update lead users to malware infection
Credit: Malwarebytes

“This campaign relies on a delivery mechanism that leverages social engineering and abuses a legitimate file hosting service. The ‘bait’ file consists of a script rather than a malicious executable, giving the attackers the flexibility to develop interesting obfuscation and fingerprinting techniques,” Segura added.

According to Kaspersky Labs, Chtonic was behind targeting 20 payment systems in 15 countries, banks in Italy, Japan, Spain, Russia, the UK and the US. Initially, the prime source of targeting users was phishing emails with Microsoft documents however now the cybercriminals have changed their tactics and targeting Chrome and Firefox users which are in million worldwide.

Nevertheless, hackers are becoming sophisticated and persistent in their attacks. In November 2017, Zeus Panda banking trojan was found exploiting Google’s search engine result. In their campaign, a set of hacked websites were used to target various keyword groups; the majority of them were linked to financial or banking related information.

Fake Chrome and Firefox malware scam number 2

This is not the first time when hackers have used Chrome and Firefox browsers as bait to target unsuspecting users. Previously, fake Chrome and Firefox font update were used to drop a malware leading to Locky ransomware infection.

Based on the increasing sophistication in malware attacks, users are advised to be vigilant and do not fall for such scam. If a third-party website asks you to update your browser and any other utility consider ignoring it and check for the latest version on vendors official website.

Moreover, keep your system updated and use an anti-virus or anti-malware software. You can also check this list of 10 powerful but not yet promoted antivirus for PC, Mac, Android, and iPhone. Stay safe online.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.