Hacked sites caught spreading malware via fake Chrome updates

Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors, which deliver malware to unsuspecting visitors.

The campaign has been underway since November 2022. Numerous sites were found hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores.

Fake Chrome update errors

The attack starts by compromising websites and injecting malicious JavaScript that runs whenever a user visits them. This code fetches additional scripts only if the visitor matches the targeted audience.

These malicious scripts are delivered through the Pinata IPFS (InterPlanetary File System) service, which obfuscates the origin server hosting the files, making blocklisting ineffective and resisting takedowns.

If a targeted visitor browses the site, the scripts will display a fake Google Chrome error screen stating that an automatic update required to continue browsing the site failed to install.

“An error occurred in Chrome’s automatic update. Please install the update package manually later, or wait for the next automatic update,” reads the fake Chrome error message.

Fake error served to visitors (NTT)

The scripts will then automatically download a ZIP file called ‘release.zip’ disguised as a Chrome update the user should install.

JavaScript that activates the ZIP drop (NTT)

However, this ZIP file contains a Monero miner that will utilize the device’s CPU resources to mine cryptocurrency for the threat actors.

Upon launch, the malware copies itself to C:\Program Files\Google\Chrome as “updater.exe” and then launches a legitimate executable to perform process injection and run straight from memory.

According to VirusTotal, the malware uses the “BYOVD” (bring your own vulnerable driver) technique, exploiting a vulnerability in the legitimate WinRing0x64.sys driver to gain SYSTEM privileges on the device.

The miner persists by adding scheduled tasks and performing Registry modifications while excluding itself from Windows Defender.

Additionally, it stops Windows Update and breaks the communication between security products and their vendors’ servers by rewriting those servers’ addresses in the HOSTS file. This hinders updates and threat detection and may even disable an AV altogether.

After all these steps, the miner connects to xmr.2miners[.]com and starts mining the hard-to-trace cryptocurrency Monero (XMR).
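As an added example that is not part of the article or NTT’s report, the following read-only PowerShell triage script checks a Windows host for the indicators described above. The Chrome folder path, the pool domain and the driver name are taken from the article; the cmdlets are standard Windows ones, and the script only reports findings for an analyst, it changes nothing.

```powershell
# Added triage script (not from the article or NTT): looks for the indicators the
# article describes on a Windows host. Run in an elevated PowerShell session.
$findings = @()

# 1. The miner copies itself to the Chrome folder as "updater.exe".
$dropPath = Join-Path $env:ProgramFiles 'Google\Chrome\updater.exe'
if (Test-Path $dropPath) { $findings += "Unexpected file present: $dropPath" }

# 2. Defender exclusions that cover that folder or binary.
$prefs = Get-MpPreference
foreach ($item in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
    if ($item -and $item -match 'Google\\Chrome|updater\.exe') {
        $findings += "Defender exclusion references Chrome path: $item"
    }
}

# 3. Scheduled tasks whose action launches the dropped binary. The article gives
#    no task names, so match on the action rather than the name.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if ("$($action.Execute) $($action.Arguments)" -match 'Google\\Chrome\\updater\.exe') {
            $findings += "Task '$($task.TaskPath)$($task.TaskName)' runs $($action.Execute)"
        }
    }
}

# 4. Windows Update service stopped or disabled.
$wu = Get-Service -Name wuauserv
if ($wu.Status -ne 'Running' -or $wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service is $($wu.Status) (start type $($wu.StartType))"
}

# 5. HOSTS overrides: the miner rewrites vendor addresses here, so every active
#    entry other than localhost is reported for review.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsFile | Where-Object { $_ -notmatch '^\s*(#|$)' -and $_ -notmatch '\blocalhost\b' } |
    ForEach-Object { $findings += "HOSTS override: $($_.Trim())" }

# 6. Resolver cache hit for the mining pool named in the article.
$pool = Get-DnsClientCache -ErrorAction SilentlyContinue | Where-Object Entry -like '*2miners.com*'
if ($pool) { $findings += "DNS cache contains $($pool.Entry -join ', ')" }

# 7. WinRing0 driver loaded. Hardware-monitoring tools ship it legitimately, so this
#    is a lead to correlate with the other findings, not a verdict on its own.
$drv = Get-CimInstance -ClassName Win32_SystemDriver | Where-Object PathName -match 'WinRing0'
if ($drv) { $findings += "WinRing0 driver present: $($drv.PathName -join ', ')" }

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from the article found on this host.' }
```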

While some of the websites defaced are Japanese, NTT warns that the recent inclusion of additional languages may indicate that the threat actors plan to expand their targeting scope, so the campaign’s impact may become greater soon.

As always, never install security updates for installed software from third-party sites; obtain them only from the software’s developers or via the automatic update mechanism built into the program.

Source: BleepingComputer