Fake Browser Updates delivering BitRAT and Lumma Stealer

Summary:
Researchers at eSentire have observed a trend of fake web browser updates being used to infect end users with various malware strains, including SocGholish and FakeBat. In May 2024, eSentire’s Threat Response Unit started seeing actors use this tactic to deliver BitRAT, a remote access trojan, and Lumma Stealer, a notorious info-stealer that has gained popularity within the cybercriminal community. The attack chains observed recently begin when an end user visits a compromised webpage injected with malicious JavaScript code. Loading the page triggers the JavaScript, which redirects the user to a fake browser update page (chatgpt-app[.]cloud) for Google Chrome. This page contains a download link to a ZIP archive called ‘Update.zip’, which is hosted on Discord and automatically downloaded onto the victim’s device. Inside the ZIP archive is another JavaScript file (‘update.js’) designed to launch PowerShell scripts that retrieve additional payloads, including BitRAT and Lumma Stealer delivered as PNG files.
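The chain above, stage by stage, as an added detection example (written for this page, not eSentire’s code): a small correlator that maps constructed, Sysmon-style endpoint events to the stages described (lure domain lookup, Update.zip written to disk, a script host running a .js file, PowerShell spawned by that script host, PowerShell fetching a .png) and flags a host once several stages line up. The event schema, stage names, host names and sample values are assumptions made for this example.

```python
"""Stage correlator for the fake-browser-update chain (constructed example)."""
from collections import defaultdict

# Indicators taken from the write-up above; everything else is constructed.
LURE_DOMAIN = "chatgpt-app.cloud"
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def classify(ev):
    """Map one event to a chain stage, or None if it is unrelated."""
    img = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if ev["type"] == "dns" and ev["query"].lower() == LURE_DOMAIN:
        return "lure_page"
    if ev["type"] == "filecreate" and ev["target"].lower().endswith("update.zip"):
        return "zip_download"
    if ev["type"] == "process" and img in SCRIPT_HOSTS and ".js" in ev["cmd"].lower():
        return "js_launch"
    if ev["type"] == "process" and img == "powershell.exe" and parent in SCRIPT_HOSTS:
        return "ps_from_script"
    if ev["type"] == "network" and img == "powershell.exe" and ev["url"].lower().endswith(".png"):
        return "png_payload_fetch"
    return None


def correlate(events, min_stages=3):
    """Return {host: sorted stage list} for hosts showing at least min_stages
    distinct stages, one of which must be a script host spawning PowerShell."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in seen.items()
            if len(s) >= min_stages and "ps_from_script" in s}


# Constructed sample telemetry: WS01 walks the whole chain, WS02 is benign admin use.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "dns", "Image": "chrome.exe", "query": "chatgpt-app.cloud"},
    {"host": "WS01", "type": "filecreate", "Image": "chrome.exe", "target": r"C:\Users\a\Downloads\Update.zip"},
    {"host": "WS01", "type": "process", "Image": "wscript.exe", "ParentImage": "explorer.exe",
     "cmd": r'wscript.exe "C:\Users\a\Downloads\Update\update.js"'},
    {"host": "WS01", "type": "process", "Image": "powershell.exe", "ParentImage": "wscript.exe",
     "cmd": "powershell.exe <constructed arguments omitted>"},
    {"host": "WS01", "type": "network", "Image": "powershell.exe", "url": "http://203.0.113.5/images/pic.png"},
    {"host": "WS02", "type": "process", "Image": "powershell.exe", "ParentImage": "explorer.exe",
     "cmd": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only WS01 is reported
```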

Security Officer Comments:
While the use of fake browser updates is not novel, the combination with other tactics, including the use of legitimate services like Discord and the embedding of malware in PNG files, makes it challenging for defenders and endpoint solutions to detect infections. The latest delivery of malware including BitRAT and Lumma Stealer highlights the operational objectives of the actors behind these campaigns. BitRAT comes with capabilities to exploit User Account Control (UAC) to elevate privileges and take control over victim environments. Lumma Stealer, on the other hand, allows actors to target cryptocurrency wallets, browser extensions, and other sensitive data. The malware also comes with a non-resident loader designed to deploy other malicious payloads, which actors can use to conduct further operations on targeted environments.

Suggested Corrections:
Users should avoid downloading software from third-party sites and should refer exclusively to the official vendor’s website to ensure authenticity. Updates for browsers like Chrome can be applied directly from within the browser (Chrome typically shows an “Update” button in the top right corner whenever a new version is available). As such, a site promoting browser updates should be seen as a red flag and avoided at all costs.

IOCs:
https://github.com/esThreatIntellig...keBrowserUpdates_BitRat_LummaC2-5-20-2024.txt

Link(s):
https://www.esentire.com/blog/fake-browser-updates-delivering-bitrat-and-lumma-stealer