Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors that distribute malware to unaware visitors.
The campaign has been underway since November 2022, and according to NTT’s security analyst Rintaro Koike, it shifted up a gear after February 2023, expanding its targeting scope to cover users who speak Japanese, Korean, and Spanish.
BleepingComputer has found numerous sites hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores.
Fake Chrome update errors
The attack starts by compromising websites to inject malicious JavaScript code that executes scripts when a user visits them. These scripts will download additional scripts based on whether the visitor is the targeted audience.
These malicious scripts are delivered through the Pinata IPFS (InterPlanetary File System) service, which obfuscates the origin server hosting the files, making blocklisting ineffective and resisting takedowns.
If a targeted visitor browses the site, the scripts will display a fake Google Chrome error screen stating that an automatic update that is required to continue browsing the site failed to install.
“An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update,” reads the fake Chrome error message.
The scripts will then automatically download a ZIP file called ‘release.zip’ that is disguised as a Chrome update the user should install.
However, this ZIP file contains a Monero miner that will utilize the device’s CPU resources to mine cryptocurrency for the threat actors.
Upon launch, the malware copies itself to C:Program FilesGoogleChrome as “updater.exe” and then launches a legitimate executable to perform process injection and run straight from memory.
According to VirusTotal, the malware uses the “BYOVD” (bring your own vulnerable driver) technique to exploit a vulnerability in the legitimate WinRing0x64.sys to gain SYSTEM privileges on the device.
The miner persists by adding scheduled tasks and performing Registry modifications while excluding itself from Windows Defender.
Additionally, it stops Windows Update and disrupts the communication of security products with their servers by modifying the IP addresses of the latter in the HOSTS file. This hinders updates and threat detection and may even disable an AV altogether.
After all these steps, the miner connects to xmr.2miners[.]com and starts mining the hard-to-trace cryptocurrency Monero (XMR).
While some of the websites that have been defaced are Japanese, NTT warns that the recent inclusion of additional languages may indicate that the threat actors plan to expand their targeting scope, so the campaign’s impact may become greater soon.
As always, never install security updates for installed software at third-party sites, and only install them from the software’s developers or via automatic updates built into the program.