Google Chrome fans are being warned about a malware campaign that spreads malicious files through fake updates for the internet browser.

The malware first started being distributed in December 2017, and leverages hacked websites to redirect users to pages promoting fake software updates.

It was discovered by researchers at security firm Malwarebytes, who dubbed the campaign ‘FakeUpdates’.

It has been spreading bogus patches for software such as Google Chrome, Mozilla Firefox, Internet Explorer and Adobe Flash Player.

Malwarebytes researcher Jerome Segura explained in a blog post how the content management systems (CMS) of legitimate websites had been hacked to spread the malicious files.

He explained the CMS hack affected thousands of sites that used the WordPress, Squarespace and Joomla platforms.

Segura said visitors to affected sites were redirected to a fake update page for whichever browser they were using.

So Chrome users were presented with a bogus Google update page and Firefox fans saw a fake Mozilla download site.

The victims were told their software was out of date and that they needed to update to the latest version.

Clicking on the update button prompts users to download a JavaScript file hosted on Dropbox, which then infects a victim’s computer with malware.

The URL to the offending file is changed regularly to avoid detection.

Segura said: “This JavaScript is heavily obfuscated to make static analysis very difficult and also to hide some crucial fingerprinting that is designed to evade virtual machines and sandboxes.”

The end-game for cybercriminals is to trick users into downloading the Chthonic banking malware.

This malicious software affects Windows devices and is a variant of the infamous ZeusVM trojan.

It enables cybercriminals to steal banking and credit card details from their victims.

Segura said: “This campaign relies on a delivery mechanism that leverages social engineering and abuses a legitimate file hosting service.

“The ‘bait’ file consists of a script rather than a malicious executable, giving the attackers the flexibility to develop interesting obfuscation and fingerprinting techniques.

“Compromised websites were abused to not only redirect users but also to host the fake updates scheme, making their owners unwitting participants in a malware campaign.

“This is why it is so important to keep Content Management Systems up to date, as well as use good security hygiene when it comes to authentication.”

The news comes after Chrome users were warned last month about a security risk which could let hackers take control of their computers.

Cyber security firm Check Point uncovered the issue with the Chrome Remote Desktop extension, which can be found on the Chrome Web Store.

One of their analysts noticed “unexpected behaviour” when the Google Chrome Remote Desktop Application was running on macOS.

Check Point explained how the bug could let a user log in as a guest but still gain administrator privileges.

They said: “One of our security analysts recently noticed an unexpected behaviour in Google Chrome Remote Desktop Application on macOS.

“The strange behaviour allows, in some cases, a ‘Guest user’ to log in as Guest and yet receive an active session of another user (such as administrator) without entering a password.

“Check Point Research reported this bug to Google on 15th February 2018. Google responded that from a CRD (Chrome Remote Desktop) perspective, the login screen is not a security boundary.

“As we see it this is a security issue and believe users should be alert to the risk of letting a guest remotely access their machine.”

The ‘guest user’ feature is not enabled by default on macOS, so the Chrome exploit will not affect Mac users who are yet to set this feature live.
