In a campaign active since at least November 2022, hackers have been compromising websites to make them display fake Chrome update notifications that eventually lead unwary visitors to download malware, including a Monero cryptominer, onto their machines. The campaign has picked up pace since February 2023 and has expanded its scope to target Japanese, Korean and Spanish users, in addition to the already affected sites, which include online stores, blogs and news sites.
According to NTT security analyst Rintaro Koike, the attack starts with the threat actor compromising websites to inject a JavaScript script that runs when a visitor arrives and displays a message stating that the visitor needs to update their Chrome browser.
The scripts themselves are delivered through Pinata IPFS (InterPlanetary File System), which hides the origin server hosting the malicious scripts and makes blacklisting ineffective. These scripts may also download additional scripts depending on whether or not the visitor is among the campaign's target audience.
After presenting the user with the fake update message, the script automatically downloads a ZIP file disguised as the Chrome update the user supposedly needs to install. This ZIP file actually contains a Monero miner. Once launched, it copies itself to the Chrome root directory as updater.exe, then starts the legitimate Windows executable conhost.exe and injects into it, so the miner runs straight from system memory.
The malware also takes several cleanup and anti-detection steps. For instance, it automatically adds scheduled tasks, changes the Windows Registry and excludes itself from Windows Defender. It also stops Windows Update and modifies IP addresses in the Windows Hosts file, disrupting communication between any antivirus programs running on the infected computer and their servers. Once this entire process is complete, the miner connects to the Monero network and starts mining.
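The Hosts-file tampering described above is one of the behaviours a defender can check for on an endpoint. The following Python is an added example, not code from the article or from NTT: it parses Hosts-file text and flags every entry that maps a non-loopback hostname, distinguishing null-routed (sinkholed) names from names redirected to another address, using a constructed sample file and an assumed keyword watchlist.

```python
"""Flag Hosts-file entries that could be blocking or hijacking security or update traffic."""
import ipaddress

# Addresses commonly used to null-route a hostname.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# Names that legitimately map to loopback and are not worth flagging.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters", "ip6-allhosts"}
# Assumed watchlist: substrings a defender expects in AV / OS-update hostnames.
WATCH_KEYWORDS = ("update", "defender", "antivirus", "security")

# Constructed sample Hosts file; the AV/update domains are placeholders, not real IoCs.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 update.example-av.test        # constructed: AV update server null-routed
0.0.0.0 windowsupdate.example.test    # constructed: OS update host null-routed
198.51.100.7 downloads.example-av.test   # constructed: redirected to another host
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping; comments and blanks are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; a production tool would report it as well
        for name in parts[1:]:
            yield parts[0], name.lower(), line_no


def find_suspicious(text, watch_keywords=WATCH_KEYWORDS):
    """Return every non-local mapping, tagged as 'sinkholed' or 'redirected'."""
    findings = []
    for ip, name, line_no in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        kind = "sinkholed" if ip in SINKHOLE_ADDRS else "redirected"
        on_watchlist = any(k in name for k in watch_keywords)
        findings.append({"line": line_no, "ip": ip, "host": name,
                         "kind": kind, "watchlist": on_watchlist})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_HOSTS):
        print(f)
```

On a real Windows host the text would be read from %SystemRoot%\System32\drivers\etc\hosts; any hit on a production endpoint is worth correlating with new scheduled tasks and Defender exclusions, the other artefacts the article lists.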