Researchers at Proofpoint have identified two previously untracked cybercriminal groups, TA2726 and TA2727, behind a series of fake browser update campaigns that infect visitors of compromised websites with malware. The campaigns rely on web injects placed on legitimate sites to push malicious downloads, including a newly discovered macOS information stealer that Proofpoint calls FrigidStealer.
The scam relies on web injects: attackers insert malicious script into a legitimate but compromised website, so every visitor loads it along with the page. The injected code renders a fake "your browser is out of date" prompt that urges the visitor to download and install an update. What is actually downloaded is malware that steals sensitive data or fetches further, more damaging payloads.
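Because the inject lives in the site's own HTML, the first triage step for a site owner is to list what the page loads and flag anything off-site or obfuscated. The following is an added example, not code from Proofpoint or from the article: it parses a page with the standard library, reports external scripts whose host is neither the site itself nor on a per-site allow-list, and reports inline scripts that use common injection tells (eval, atob, fromCharCode, document.write). The sample HTML, the site host, the allow-list and the flagged hostnames are constructed for the example.

```python
"""Added example (not Proofpoint's or the article's code): site-owner triage for web injects.
Lists every <script> a page loads, flags external sources outside an allow-list, and flags
inline scripts with obfuscation tells. Sample HTML, hostnames and allow-list are constructed."""

import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tells that are rare in a site's own inline code but common in injected loaders.
SUSPICIOUS_INLINE = re.compile(
    r"(eval\(|atob\(|fromCharCode|document\.write\(|unescape\()", re.I
)


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies with their line numbers."""

    def __init__(self):
        super().__init__()
        self.external = []  # (src, line_no)
        self.inline = []    # (code, line_no)
        self._in_script = False
        self._buf = []
        self._line = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._line = self.getpos()[0]  # line where the <script> tag starts
        src = dict(attrs).get("src")
        if src:
            self.external.append((src, self._line))
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append(("".join(self._buf), self._line))


def audit_scripts(html, site_host, allowed_hosts):
    """Return findings: off-site script sources not on the allow-list, and suspicious inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, line in parser.external:
        host = urlparse(src).hostname  # None for relative paths (same origin)
        if host and host != site_host and host not in allowed_hosts:
            findings.append({"line": line, "kind": "external", "detail": src})
    for code, line in parser.inline:
        match = SUSPICIOUS_INLINE.search(code)
        if match:
            findings.append({"line": line, "kind": "inline", "detail": match.group(1)})
    return findings


# Constructed sample page: two legitimate scripts, one benign inline snippet, then an
# injected off-site loader and an obfuscated inline stub (hostnames are made up).
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-cdn.test/jquery.min.js"></script>
</head><body>
<p>Article body</p>
<script>window.dataLayer = window.dataLayer || [];</script>
<script src="https://assets.update-lure.test/u.js"></script>
<script>eval(atob("ZG9jdW1lbnQud3JpdGUoJ3VwZGF0ZScp"));</script>
</body></html>"""

SITE_HOST = "news.example-local.test"          # assumed site being audited
ALLOWED_HOSTS = {"cdn.example-cdn.test"}       # assumed known third-party hosts

if __name__ == "__main__":
    for f in audit_scripts(SAMPLE_HTML, SITE_HOST, ALLOWED_HOSTS):
        print(f"line {f['line']}: {f['kind']} -> {f['detail']}")
```

Run against the constructed page this reports the off-site loader on line 7 and the eval/atob stub on line 8 and stays silent about the first-party and allow-listed scripts. In practice the allow-list has to be maintained per site, and a clean result only means the inject is not in the served HTML; injects can also sit in a CMS plugin, a database-stored template, or a script the page legitimately loads.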
The two groups play different roles. TA2726 operates as a traffic seller: it runs the redirection service that hands visitors of injected sites to other actors' payloads, and Proofpoint assesses that it works with TA569, the long-established actor behind the SocGholish fake update campaigns. TA2727, by contrast, distributes malware itself, using the fake update lure as its delivery mechanism.
In a recent campaign, visitors were served different payloads depending on where they were and what device they used. Visitors in the United States and Canada were routed to the SocGholish inject and its follow-on malware. Visitors in Europe were handed TA2727's fake update page, which delivered the Lumma Stealer to Windows users and the Marcher banking trojan to Android users.
FrigidStealer is the macOS branch of the same chain. Mac visitors see the fake update message and are sent a download posing as a Chrome or Safari update; if the user opens the file and follows its prompts, FrigidStealer is installed. It quietly collects browser cookies, password-related files, cryptocurrency wallet data and even Apple Notes, a target list that overlaps with a recently reported variant of the XCSSET malware.
FrigidStealer is written in Go and built with the Wails (WailsIO) framework, which lets it draw a realistic, native-looking update window. It does not defeat Gatekeeper technically: Gatekeeper would block it on a normal double-click, so the lure instructs the user to right-click the app and choose "Open", the long-standing user-assisted override that Mac malware authors commonly rely on. Note that macOS Sequoia removed the Control-click override; on current systems a user has to go to System Settings > Privacy & Security to allow such an app, which is a further sign that an "update" asking for this is not one.
Mac users are not the only targets: the same attack chain has been observed delivering the Marcher banking trojan to Android users, and the Lumma Stealer and DeerStealer to Windows users. Android users who accept the fake update download Marcher, which is built to steal login credentials for banking apps. Windows users instead receive an MSI installer that loads a trojanized DLL, which in turn runs the Lumma Stealer to harvest credentials and financial data.
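The platform-by-platform delivery described above leaves a usable footprint in proxy logs: an installer-type file (DMG, MSI, APK) with an update-themed name, fetched from a host the visitor's current page has nothing to do with, with the file type matching the visitor's platform. The following is an added example, not code from Proofpoint or from the article, of detection logic over such logs. The log format, field names, sample lines, hostnames and the allow-list of vendor download hosts are constructed for the example and would need mapping to a real proxy's format.

```python
"""Added example (not Proofpoint's or the article's code): flag proxy-log entries that look
like fake-browser-update downloads, i.e. an installer fetched under an update-themed name
from a host other than the referring page's site. Log format and samples are constructed."""

import re
from urllib.parse import unquote, urlparse

# Browsers never update via a page-served download, so real update traffic should not look
# like this at all; this list only suppresses legitimate first-party installer downloads.
# Assumption: tune per environment.
OFFICIAL_DOWNLOAD_HOSTS = {
    "dl.google.com", "edgedl.me.gvt1.com", "swcdn.apple.com", "download.mozilla.org",
}

# Installer types used per platform in the campaign (DMG/MSI/APK per the article);
# .exe and .pkg added as common variants.
PAYLOAD_EXT = {".dmg", ".msi", ".apk", ".exe", ".pkg"}
LURE_WORDS = re.compile(r"(update|chrome|safari|firefox|edge)", re.I)

# Constructed log format: <ts> <client_ip> <method> <url> <status> "<referer>" "<user_agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one news page visit, then three platform-matched "update" downloads
# from an unrelated host, one legitimate vendor download, and one ordinary document.
SAMPLE_LOG = """\
2025-02-18T10:01:02Z 10.0.0.5 GET https://news.example-local.test/article/42 200 "" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1.15"
2025-02-18T10:01:05Z 10.0.0.5 GET https://cdn.update-lure.test/Update%20Safari.dmg 200 "https://news.example-local.test/article/42" "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_3) Safari/605.1.15"
2025-02-18T10:02:11Z 10.0.0.7 GET https://cdn.update-lure.test/ChromeUpdate.msi 200 "https://news.example-local.test/article/42" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0"
2025-02-18T10:03:40Z 10.0.0.9 GET https://cdn.update-lure.test/chrome-update.apk 200 "https://news.example-local.test/article/42" "Mozilla/5.0 (Linux; Android 13) Chrome/121.0 Mobile"
2025-02-18T10:04:00Z 10.0.0.11 GET https://dl.google.com/chrome/install/GoogleChromeStandaloneEnterprise64.msi 200 "https://www.google.com/chrome/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0"
2025-02-18T10:05:00Z 10.0.0.13 GET https://files.example-local.test/report.pdf 200 "https://news.example-local.test/article/42" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/121.0"
"""


def platform_from_ua(ua):
    """Coarse platform guess from the User-Agent; Android is checked before the Linux token."""
    if "Android" in ua:
        return "android"
    if "Windows" in ua:
        return "windows"
    if "Macintosh" in ua:
        return "macos"
    return "other"


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_update_lure(entry):
    """True when the request looks like a page-driven 'browser update' installer download."""
    url = urlparse(entry["url"])
    path = unquote(url.path)
    ext = path[path.rfind("."):].lower() if "." in path else ""
    if ext not in PAYLOAD_EXT or url.hostname in OFFICIAL_DOWNLOAD_HOSTS:
        return False
    ref_host = urlparse(entry["referer"]).hostname if entry["referer"] else None
    # The tell is an unrelated page handing the browser an installer. Direct downloads
    # (no referrer) and same-site downloads are lower confidence and skipped here.
    if not ref_host or ref_host == url.hostname:
        return False
    return bool(LURE_WORDS.search(path))


def find_update_lures(log_text):
    """Return one hit per suspicious download with the client, platform, URL and referring site."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_update_lure(entry):
            hits.append({
                "ip": entry["ip"],
                "platform": platform_from_ua(entry["ua"]),
                "url": entry["url"],
                "referer_host": urlparse(entry["referer"]).hostname,
            })
    return hits


if __name__ == "__main__":
    for hit in find_update_lures(SAMPLE_LOG):
        print(f"{hit['ip']} ({hit['platform']}) fetched {hit['url']} from {hit['referer_host']}")
```

On the constructed sample this flags the DMG, MSI and APK fetched from the unrelated host, each matching the requesting platform, and ignores the vendor download and the PDF. Grouping hits by referring site is the useful pivot: several platforms pulling installers from one host after visiting the same page is the signature of an injected site, which is worth reporting to its owner as well as blocking.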
The most useful defensive habit is simple: no browser delivers its updates through a web page. Chrome, Firefox and Edge update through their own built-in updater (for Chrome, Help > About Google Chrome), and Safari updates through macOS Software Update, so any in-page "update your browser" download is a lure by definition, and so is any installer that tells you to right-click and "Open" to get past Gatekeeper. Beyond that, users should learn to recognise phishing, avoid third-party apps and tools, and check unexpected files and links on services like VirusTotal or ANY.RUN before opening them (bearing in mind that uploaded files become visible to other users of those services). Organisations can add a network-level check by alerting on DMG, MSI or APK downloads referred from unrelated websites. Staying alert to these signs goes a long way toward not falling for the scam.