Malware distributed via fake Chrome updates
Apr 13, 2023
Google Chrome is the most used browser in the world, which also makes it one of the software products most favoured by cybercriminals. For several weeks a campaign has been underway that uses fake Chrome updates to distribute malware. This happens when the user visits certain sites. The ultimate goal is to install a cryptominer on the victim's computer.
Beware of fake Chrome updates
The chain of infection first involves injecting scripts into websites. These scripts are executed when the unsuspecting victim accesses the site. Additional scripts, which trigger an error message about Google's browser, are then downloaded via the Pinata InterPlanetary File System (IPFS) service, which hides the origin of the files.
The user is tricked by the message, which invites them to download and install the new version of Chrome contained in a ZIP archive. Inside there is a miner for the Monero cryptocurrency. The malware, copied to the directory C:\Program Files\Google\Chrome as updater.exe, uses the BYOVD (Bring Your Own Vulnerable Driver) technique to exploit a vulnerability in the legitimate WinRing0x64.sys driver and gain SYSTEM privileges.
The miner is then loaded into memory, while persistence is ensured by a scheduled task. The malware adds itself to the Microsoft Defender exclusion list (by changing a key in the registry), stops Windows Update and changes the IP addresses of the servers from which the antivirus downloads updates.
At the end of these operations, coin generation starts, consuming the computer's hardware resources. The malware initially targeted Japanese-language sites, but the targets have broadened with the latest attacks. The advice is to use only the update feature built into Chrome.
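For defenders, the traces described above (the dropped updater.exe in the Chrome directory, the WinRing0x64.sys driver, a self-added Defender exclusion, a scheduled task and a stopped Windows Update) can be audited on a host. The script below is an added example, not code from the article or its source; the indicator names come from the article, while the cmdlets used and the `wuauserv` service name are this example's assumptions about how to check each point.

```powershell
# Added example: audit a Windows host for the traces described in the article.
# Indicator names (updater.exe, WinRing0x64.sys, Chrome directory) are from the
# article; the checks themselves are hypothetical and must be adapted locally.

$chromeDir = 'C:\Program Files\Google\Chrome'
$findings  = @()

# 1. A dropped "updater.exe" sitting directly in the Chrome install directory.
$updater = Join-Path $chromeDir 'updater.exe'
if (Test-Path $updater) {
    $sig = Get-AuthenticodeSignature $updater
    $findings += "Unexpected file $updater (signature: $($sig.Status))"
}

# 2. The vulnerable WinRing0x64.sys driver registered or loaded as a system driver.
Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -match 'WinRing0x64\.sys' } |
    ForEach-Object { $findings += "Driver $($_.Name) -> $($_.PathName) [$($_.State)]" }

# 3. Defender exclusions covering the Chrome directory (the miner excludes itself).
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath) + @($pref.ExclusionProcess)) {
    if ($p -and $p -like "*$chromeDir*") { $findings += "Defender exclusion: $p" }
}

# 4. Scheduled tasks whose action runs something from the Chrome directory.
Get-ScheduledTask | ForEach-Object {
    foreach ($a in $_.Actions) {
        if ($a.Execute -like "*$chromeDir*") {
            $findings += "Scheduled task '$($_.TaskName)' runs $($a.Execute)"
        }
    }
}

# 5. Windows Update service stopped or disabled (assumed service name: wuauserv).
$wu = Get-Service wuauserv
if ($wu.Status -ne 'Running' -or $wu.StartType -eq 'Disabled') {
    $findings += "wuauserv is $($wu.Status) (start type $($wu.StartType))"
}

if ($findings.Count -eq 0) { 'No indicators from this campaign found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell session, since Get-MpPreference and Get-ScheduledTask need administrative rights to see every exclusion and task.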
Source: Bleeping Computer