top of page

Cyber Bites

Compromised websites pushing fake Chrome update

Numerous compromised websites are trying to trick users into installing malware by impersonating an update for Google’s Chrome browser. After displaying the message below, a file named “release.zip” is downloaded. This zip file is NOT a Chrome update but Monero miner malware.



If you are tricked into running the zip file, you get the following:

  • The malware copies itself to C:\Program Files\Google\Chrome as "updater.exe" and then launches a legitimate executable to perform a process injection attack which is run straight from memory.

  • Uses a BYOVD attack to exploit WinRing0x64.sys to gain SYSTEM privileges on the device.

  • Establishes persistence by adding scheduled tasks and makes Registry modifications.

  • Excludes itself from Windows Defender

  • Disables Windows Update

  • Disrupts the communication of security products with their servers by modifying the IP addresses in the HOSTS file. This hinders updates and threat detection and may even disable an AV altogether.

Takeaway:

Only update Chrome from within the browser itself. Now would be a good time to check as Google released a new update yesterday, taking the version to 112.0.5615.86 or 87.

To check for real updates:

  1. On your computer, open Chrome.

  2. At the top right, click More .

  3. Click Help. About Google Chrome.

Definitions

Process injection - technique used by malware to inject code into a running process on a computer. This allows the malware to execute its code in a process already running in computer memory. This helps it evade detection and bypass security measures.

BYOVD (bring your own vulnerable driver) – An attack that involves deliberately installing a vulnerable device driver and then using its vulnerability to exploit the device.

Source: Bleepingcomputer


Would you like a free, no-obligation Cybersecurity Benchmarking of your organization showing where you stand vs. industry-accepted practices? Click here to schedule a time with one of our associates.

Comentarios


bottom of page