Unsuspecting visitors are being exposed to malware after hackers compromised websites and injected scripts that display fake Google Chrome automatic update errors.
The campaign has been running since November 2022, but according to the NTT researchers who tracked it, it picked up speed after February 2023 and began targeting Japanese, Korean, and Spanish speakers.
Numerous websites, including blogs, news sites, and online stores, have been hacked as part of this malware distribution campaign.
Errors with fake Chrome updates
The attack starts by compromising vulnerable websites and injecting malicious JavaScript that runs whenever a visitor loads a page. The injected code then decides, based on whether the visitor matches the intended target audience, whether to fetch additional scripts. Those second-stage files are hosted through the Pinata IPFS (InterPlanetary File System) service, which conceals the origin server and leaves the content reachable through any IPFS gateway, so blocklisting a single host is ineffective and takedown attempts are resisted.
Whenever a targeted visitor opens the site, the scripts display a fake Google Chrome error dialog claiming that an automatic update required to continue browsing the site failed to install.
The fake message reads: “The automated update for Chrome encountered a problem.” It offers the user two options: wait for the next automatic update, or install the update manually.
The scripts then automatically download a ZIP file named “release.zip”, presented as the Chrome update the user supposedly needs to install by hand.
In reality the ZIP contains a Monero miner, which uses the device’s CPU to mine cryptocurrency for the attackers.
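A site owner who suspects this kind of injection can check their own pages for script tags that load from an IPFS gateway. The following scanner is an added example, not code from NTT's report or from the campaign itself; the gateway hostnames it watches (Pinata's public gateway and two generic ones) are assumptions, the `/ipfs/<cid>` path check is a heuristic that can also flag legitimate IPFS use, and the sample HTML (with a placeholder CID) is constructed for the demonstration:

```python
"""Scan HTML for <script src> values that resolve through an IPFS gateway.

Added example for illustration; hostnames and sample page are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed list of public IPFS gateway hosts. Extend for your environment.
IPFS_GATEWAY_HOSTS = {"gateway.pinata.cloud", "ipfs.io", "dweb.link"}

# Path-style gateways serve content as /ipfs/<cid> or /ipns/<name>.
IPFS_PATH_RE = re.compile(r"^/ip[fn]s/[A-Za-z0-9]+")


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":  # HTMLParser already lowercases tag names
            return
        for name, value in attrs:
            if name == "src" and value:
                self.script_srcs.append(value)


def is_ipfs_reference(src):
    """True if a script URL is served through an IPFS gateway (heuristic)."""
    # Default scheme lets protocol-relative "//host/path" URLs parse a hostname.
    url = urlparse(src.strip(), scheme="https")
    host = (url.hostname or "").lower()
    if not host:
        return False  # site-relative path such as /assets/app.js
    if host in IPFS_GATEWAY_HOSTS:
        return True
    # Subdomain-style gateways look like <cid>.ipfs.<gateway>.
    if ".ipfs." in host or ".ipns." in host:
        return True
    # Path-style gateway on some other host; may be a false positive.
    return bool(IPFS_PATH_RE.match(url.path))


def find_ipfs_scripts(html):
    """Return the script src values in `html` that point at IPFS."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [s for s in parser.script_srcs if is_ipfs_reference(s)]


# Constructed sample page: two normal scripts plus one injected loader that
# pulls its second stage from an IPFS gateway (the CID is a placeholder).
SAMPLE_HTML = """<html><head>
<script src="/assets/app.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="https://gateway.pinata.cloud/ipfs/QmPlaceholderCid/loader.js"></script>
</head><body>...</body></html>"""

if __name__ == "__main__":
    for hit in find_ipfs_scripts(SAMPLE_HTML):
        print("suspicious script:", hit)
```

Run it over the HTML files in a site's document root (or over the HTML your CDN actually serves, since the injection may live in a template or database rather than on disk). Because the loader only fetches the second stage for visitors it wants to target, the IPFS reference may be absent in a crawl from an untargeted locale; inspect the injected first-stage script directly when you find any unexplained inline JavaScript.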
Virus Launched
The malware launches by copying itself as “updater.exe” to C:\Program Files\Google\Chrome, then starts a legitimate executable and injects into it so that the miner runs directly from memory.
According to VirusTotal, it exploits a flaw in WinRing0x64.sys, a legitimately signed hardware-access driver, to gain SYSTEM privileges on the device.
The miner disables Windows Defender, creates new scheduled tasks and modifies the Registry so that it keeps running across reboots. It also disables Windows Update and alters the HOSTS file to point security vendors’ and update servers’ hostnames at bogus IP addresses, so security software can no longer reach those servers. The result is degraded threat detection and blocked signature updates, and in some cases an AV product that is disabled entirely.
After all of this is in place, the miner connects to xmr.2miners[.]com and begins mining Monero (XMR), a cryptocurrency chosen because it is hard to trace.
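The HOSTS-file tampering described above is easy to check for. The script below is an added example, not tooling from NTT or from the malware analysis; the list of watched domains (Windows Update endpoints and a handful of antivirus vendors) is an assumption to be adapted to the products actually deployed, and the sample HOSTS content is constructed (the 198.51.100.7 address is from a documentation range):

```python
"""Flag HOSTS-file entries that sinkhole or redirect update/security domains.

Added example for illustration; watched domains and sample file are assumptions.
"""
import ipaddress
from pathlib import Path

# Assumed list of domains that should never appear in HOSTS on a managed
# Windows host: Windows Update endpoints plus a few security vendors.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "kaspersky.com",
    "symantec.com",
    "eset.com",
    "bitdefender.com",
    "avast.com",
    "sophos.com",
    "mcafee.com",
)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, hosts = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first token is not an address; not a valid entry
        for h in hosts:
            yield ip, h.lower().rstrip(".")


def matches_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacked_entries(text):
    """Return (ip, hostname, verdict) for every entry that touches a watched domain.

    verdict is "sinkholed" for 127.0.0.1 / 0.0.0.0 / ::1 style entries (the
    connection simply fails) and "redirected" when the domain is pointed at
    some other server, which could also be used to serve tampered updates.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if not matches_watched(host):
            continue
        addr = ipaddress.ip_address(ip)
        verdict = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        findings.append((ip, host, verdict))
    return findings


# Constructed sample: default Microsoft comment header, one harmless local
# override, and four entries of the kind the miner adds.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1 intranet.example.local  # legitimate local override
0.0.0.0 download.windowsupdate.com
0.0.0.0 update.microsoft.com
127.0.0.1 www.kaspersky.com
198.51.100.7 liveupdate.symantec.com
"""

if __name__ == "__main__":
    hosts_path = Path(r"C:\Windows\System32\drivers\etc\hosts")
    text = hosts_path.read_text(errors="replace") if hosts_path.exists() else SAMPLE_HOSTS
    for ip, host, verdict in find_hijacked_entries(text):
        print(f"{verdict:10s} {host} -> {ip}")
```

Any hit is worth treating as a tampering indicator, since a clean Windows HOSTS file contains only comments. Pair this with a review of the other persistence and defense-evasion changes the page lists: `Get-ScheduledTask` for unexpected tasks and `Get-MpPreference` for Defender settings that have been switched off.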
NTT notes that some of the compromised websites are Japanese, but the recent addition of other languages suggests the threat actors intend to broaden their target audience, in which case the campaign’s impact could escalate quickly.
Never install browser or security updates offered by a third-party website. Chrome updates itself through Google’s own update mechanism, so any site that tells you to download and run a Chrome update manually should be treated as malicious; take updates only from the product’s vendor.