October 2, 2024 at 02:28PM
A new ‘FakeUpdate’ campaign by the ‘SocGolish’ group in France uses compromised websites to display fake browser and app updates, spreading the WarmCookie backdoor. When users click the fake updates, malicious payloads like info-stealers and ransomware are downloaded. Gen Threat Labs observed the backdoor being distributed as fake Google Chrome and Java updates. The malware detects analysts’ environments and sends system fingerprints to a command and control server. It’s crucial to be cautious of fake update prompts, as legitimate browsers are automatically updated without users needing to manually download and execute update packages.
Key takeaways from the meeting notes:
– A new ‘FakeUpdate’ campaign is targeting users in France and is operated by a threat group called “SocGolish.”
– The campaign uses compromised websites to display fake browser and application update prompts, which deliver the WarmCookie backdoor when clicked.
– WarmCookie is a Windows backdoor capable of data and file theft, device profiling, arbitrary command execution, and the introduction of additional payloads on infected systems.
– The latest campaign observed by researchers at Gen Threat Labs distributed the WarmCookie backdoor as fake updates for Google Chrome, Mozilla Firefox, Microsoft Edge, and Java, with new features that include running DLLs from the temp folder and the transfer and execution of EXE and PowerShell files.
– Upon execution, the malware performs anti-VM checks and sends the infected system’s fingerprint to a command and control (C2) server for further instructions.
– Compromised websites are used in the campaign, and the domains used for fake update themes (e.g., “edgeupdate[.]com” and “mozilaupgrade[.]com”) are specifically selected to match the ‘FakeUpdate’ theme.
– It’s important to note that legitimate browsers are automatically updated, and manually downloading and executing updater packages should be considered a sign of danger.
– FakeUpdates often compromise legitimate and trustworthy websites, so users should treat update prompts with caution, even on familiar platforms.
Related Articles:
– Arc browser launches bug bounty program after fixing RCE bug
– New RomCom malware variant ‘SnipBot’ spotted in data theft attacks
– Infostealer malware bypasses Chrome’s new cookie-theft defenses
– Hackers deploy AI-written malware in targeted attacks
– New Octo Android malware version impersonates NordVPN, Google Chrome