The main target of this malware campaign is unsuspecting Windows 10 users.
Rapid7’s detection and managed response team shared details of their newly identified malware campaign, urging unsuspecting Windows users to be cautious. This campaign is designed to steal sensitive data and cryptocurrencies from infected PCs.
In the latest campaign, the payload is delivered to the device through a compromised website via the Google Chrome ad service, installed as a Windows application, and then bypasses UAC (User Account Control), a built-in security feature of the Windows operating system.
It should be noted that Windows 10 is the primary target for malware operators.
“Attackers are using a compromised website specially crafted to exploit a version of the Chrome browser (running on Windows 10) to deliver the malicious payload,” the researchers found. “Investigations into the Chrome browser history file of infected users showed redirects to several suspicious domains and other unusual redirect strings prior to the initial infection,” the Rapid7 blog post read.
The first domain examined in the investigation was birchlerarroyo[.]com.
The attack chain is triggered when a Chrome browser user visits a compromised website. An ad served through the Chrome ad service immediately prompts them to take action and update the browser. This “update” is a malicious Windows application package in MSIX format (oelgfertgokejrgre.msix).
The file is hosted on the domain chromesupdate[.]com. The researchers confirmed that it is a Windows application package.
“Its delivery mechanism through an ad-as-a-Windows application (which doesn’t leave web-based download forensic artifacts behind), the Windows application installation path, and the UAC workaround technique by manipulating an environment variable and native scheduled task may go undetected by various security solutions or even by a seasoned SOC analyst,” wrote Andrew Iwamaye, Research Analyst at Rapid7.
The malicious application package installed by the MSIX file is not hosted on the official Microsoft Store. Installation relies on a prompt that lets the user allow sideloading of apps from sources other than the Microsoft Store.
What happens after the malware is installed?
Once the malware is installed on a targeted device, it begins to exfiltrate sensitive user data, including credentials stored in the browser and cryptocurrency, prevents browser updates, and gives the attacker execution control over the affected machine. It can also remain persistent on the device even if the malware files are removed.
Iwamaye explained that to maintain persistence on the device, the infostealer abuses a “Windows environment variable and a native scheduled task to ensure that it runs persistently with elevated privileges.”
Further investigation revealed that the malware was downloaded to the PC due to a flaw in Chrome, which allowed it to bypass UAC.
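As an added example (not Rapid7’s code or anything from the blog post), here is a defender-side PowerShell audit for the two conditions the article describes: whether sideloading of non-Store app packages is enabled on the host, and which scheduled tasks run with highest privileges from a command line that resolves an environment variable. The registry values checked and the `%VAR%` pattern match are assumptions about how to spot this pattern on Windows 10, not details taken from the page.

```powershell
# Added defender-side audit (assumed approach, not Rapid7's code).
# Assumption: the persistence pattern is an elevated scheduled task whose
# command line resolves an environment variable, and the MSIX could only be
# installed because sideloading of non-Store packages was permitted.
# Run in an elevated PowerShell session on Windows 10.

# 1. Is sideloading of non-Store app packages enabled?
$appModel = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
$side = Get-ItemProperty -Path $appModel -ErrorAction SilentlyContinue
if ($side.AllowAllTrustedApps -eq 1 -or $side.AllowDevelopmentWithoutDevLicense -eq 1) {
    Write-Warning "Sideloading of non-Store app packages is enabled ($appModel)"
}

# 2. Which tasks run with highest privileges and reference a %VAR% in their action?
$findings = foreach ($task in Get-ScheduledTask) {
    if ($task.Principal.RunLevel -ne 'Highest') { continue }
    foreach ($action in $task.Actions) {
        # Non-exec actions (COM handlers) have no Execute; the string is then empty.
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match '%[A-Za-z_][A-Za-z0-9_]*%') {
            [pscustomobject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                Command  = $cmd
            }
        }
    }
}
$findings | Format-Table -AutoSize

# 3. List packages not signed by the Store as candidates for a sideloaded MSIX.
Get-AppxPackage -AllUsers |
    Where-Object { $_.SignatureKind -ne 'Store' -and -not $_.IsFramework } |
    Select-Object Name, Publisher, SignatureKind, InstallLocation |
    Format-Table -AutoSize
```

Expect legitimate Microsoft tasks (using %windir% or %SystemRoot%) and system packages in the output; the value is in reviewing the Author, Command and Publisher columns for entries that do not belong.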