Security firm Proofpoint has warned that it is seeing an increase in malicious campaigns that use forged browser updates to deliver a wide variety of malware. Security researchers have identified a new variant, named ‘FakeUpdateRU’ by Jerome Segura of Malwarebytes, which is distinct from the older SocGholish malware. Most of the sites distributing the malware were swiftly taken down by Google. Infected websites host one such attack, called ClearFake.
A popup appears as soon as a user tries to view content on the site, asking them to upgrade the browser to a newer version in order to view it. Clicking the bogus update button triggers an automatic installation of a malicious program designed to steal personal information.
According to Proofpoint, the ClearFake attack page has been translated into a variety of languages so that it can match the user’s browser settings.
The counterfeit Chrome update page looks very similar to the real one. The malware belongs to the Zgrat and RedLine Stealer families, which are known for ransomware attacks, and is a remote access trojan (RAT). In particular, the malware files contain HTML code clearly derived from the English version of Google’s UK website, which shows that the attackers used a Chrome (Chromium-based) browser to build the pages. Even for users who don’t use Chrome, the files contain a number of Russian words.
Newer versions of the malware have removed most of the Russian words from the fake update pages, which indicates that the attackers are changing their tactics. This code obtains the final download URL, typically from another compromised website, using a Chrome-themed domain. To trick users into thinking their browser needs updating, the attackers changed some wording on the fake update page, for example ‘Download’ became ‘Update’. To find out how many websites are infected, search for a special Google Tag Manager script.
Sucuri’s researchers say this malware affects both WordPress and other CMS sites:
1. The malware overwrites a key index.php file to replace the website’s contents with the malicious overlay.
2. In some cases the malware has been injected into index.html files under the wp-content directory.
3. Attackers used Telegram to manage notifications of when users downloaded the payloads.
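A defender-side check for the file-system indicators Sucuri describes, written here as an added example (not Sucuri’s or Proofpoint’s code). It assumes a standard WordPress layout and runs against a constructed sample install; the injected-markup patterns are an assumed heuristic, not the campaign’s actual signature, and it simply lists every Google Tag Manager loader reference so each one can be verified by the site owner.

```python
import os
import re
import tempfile

# A stock WordPress root index.php does nothing but load wp-blog-header.php.
STOCK_LOADER_RE = re.compile(r"wp-blog-header\.php")
# Markup that has no business in that loader file (assumption: a heuristic, tune it per site).
INJECT_RE = re.compile(r"<script|<iframe|eval\s*\(|base64_decode", re.I)
# Any Google Tag Manager loader reference is listed so the admin can confirm each one is legitimate.
GTM_RE = re.compile(r"googletagmanager\.com/gtm\.js", re.I)

def scan_wordpress(root):
    """Return the three file-system indicators from the article found under a WordPress root."""
    findings = {"index_php_modified": False, "wp_content_index_html": [], "gtm_references": []}
    index_php = os.path.join(root, "index.php")
    if os.path.isfile(index_php):
        with open(index_php, encoding="utf-8", errors="replace") as f:
            body = f.read()
        # Either the stock loader line is gone or foreign markup has been appended to it.
        if not STOCK_LOADER_RE.search(body) or INJECT_RE.search(body):
            findings["index_php_modified"] = True
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() == "index.html" and rel.startswith("wp-content/"):
                findings["wp_content_index_html"].append(rel)
            if name.lower().endswith((".php", ".html", ".js")):
                with open(path, encoding="utf-8", errors="replace") as f:
                    if GTM_RE.search(f.read()):
                        findings["gtm_references"].append(rel)
    return {k: (sorted(v) if isinstance(v, list) else v) for k, v in findings.items()}

def build_sample_site(compromised=True):
    """Constructed sample install (not real campaign files); compromised=True plants all three indicators."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"))
    loader = "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
    if compromised:
        # Overlay loader appended after the stock require; GTM-EXAMPLE is a placeholder container id.
        loader += '?>\n<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>\n'
        with open(os.path.join(root, "wp-content", "index.html"), "w") as f:
            f.write('<html><body><div id="overlay">Update your browser to continue</div></body></html>\n')
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write(loader)
    return root
```

Point `scan_wordpress` at a real document root to get the same report; a hit on the first two keys warrants restoring the files from a known-good copy and looking for the persistence that rewrote them.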
Further, to make sure you are running the latest version of Google Chrome on Windows:
1. Click the Settings icon (three vertical dots) in the top-right corner of the Chrome browser window.
2. Select Settings from the menu near the bottom.
3. Click About Chrome in the left-hand menu that appears. This checks whether Chrome is up to date, and if a new browser version is available you will be offered the chance to download and install it there.