
Hacked sites are spreading malware using fake Chrome updates


Photo by Hadrian / Shutterstock.com

In a campaign active since at least November 2022, hackers are compromising websites to make them display fake Chrome update notifications, eventually leading unaware visitors to download malware onto their machines, including a Monero crypto miner. The campaign has picked up pace since February 2023 and has expanded its scope to target Japanese, Korean and Spanish users, in addition to the already affected sites, which include online stores, blogs and news sites.

According to NTT security analyst Rintaro Koike, the attack starts with the threat actor compromising websites to inject JavaScript that runs when a visitor loads the page and shows a screen stating that the visitor needs to update their Chrome browser.

The fake update error shown on compromised websites. | Source: NTT

The scripts themselves are delivered through Pinata IPFS (InterPlanetary File System), which helps hide the origin server hosting the malicious scripts and makes blacklisting ineffective. These scripts may also download additional scripts depending on whether or not the visitor is among the campaign's target audience.

After presenting the user with the fake update message, the script automatically downloads a ZIP file disguised as the Chrome update the user supposedly needs to install. This ZIP file actually contains a Monero miner. Once launched, it copies itself to the Chrome root directory as updater.exe. It then launches a legitimate executable called conhost.exe to carry out a process injection attack and runs straight from system memory.

The malware also takes several cleanup and anti-detection steps. For instance, it automatically adds scheduled tasks, changes the Windows Registry and excludes itself from Windows Defender. It also stops Windows Update and modifies IP addresses in the Windows hosts file, disrupting the server communications of any antivirus programs running on the infected computer. Once this entire process is complete, the miner connects to the Monero network and starts mining.
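One of the anti-detection steps described above, tampering with the Windows hosts file, leaves a durable artifact that a defender can audit. The script below is an added example, not code from NTT's analysis or from this article: it parses a hosts file, strips comments, and flags two patterns, a non-localhost hostname sinkholed to a loopback or unspecified address, and a hostname matching a watch list of update/security-related keywords pinned to a fixed IP. The sample hosts content, the `.test` / `.example` domains and the keyword list are all constructed for illustration; a real deployment would substitute the vendor domains it actually relies on.

```python
import ipaddress
import sys
from dataclasses import dataclass

# Constructed sample of a Windows hosts file: two legitimate loopback entries, one
# intranet pin, and two injected lines of the kind the article describes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-antivirus.test      # constructed: injected sinkhole
127.0.0.1       definitions.example-security.test  # constructed: injected sinkhole
192.0.2.10      intranet.corp.example              # constructed: benign pin
"""

# Names that are legitimately mapped to loopback and should never be flagged.
LOOPBACK_OK = {"localhost", "localhost.localdomain", "broadcasthost"}

# Illustrative keyword list (assumption): substrings that mark an update or
# security-vendor domain whose resolution an attacker would want to hijack.
WATCH_KEYWORDS = ("update", "antivirus", "security", "defender", "definitions")

DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


@dataclass
class Finding:
    line_no: int
    ip: str
    hostname: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every mapping line, ignoring comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; not a mapping
        yield line_no, parts[0], parts[1:]


def is_sinkhole(ip):
    """True for 127.0.0.0/8, ::1 and 0.0.0.0 (the classic 'block this host' targets)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def audit_hosts(text):
    """Return a list of Finding objects for suspicious mappings in a hosts file."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname in LOOPBACK_OK:
                continue
            if is_sinkhole(ip):
                findings.append(Finding(line_no, ip, name,
                                        "non-localhost name mapped to loopback/unspecified address"))
            elif any(k in lname for k in WATCH_KEYWORDS):
                findings.append(Finding(line_no, ip, name,
                                        "watched update/security domain pinned to a fixed address"))
    return findings


if __name__ == "__main__":
    # With a path argument, audit a real hosts file; otherwise run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    for f in audit_hosts(content):
        print(f"line {f.line_no}: {f.ip} -> {f.hostname}: {f.reason}")
```

Run it with no arguments to see the two constructed findings, or pass the path to a real hosts file (the default Windows location is kept in `DEFAULT_HOSTS_PATH` for reference). The sinkhole check is the higher-confidence signal: outside of `localhost`-style names, there is rarely a legitimate reason for a hosts file to map a vendor domain to `0.0.0.0` or `127.0.0.1`.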


Yadullah Abidi


Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
