Threat actors are spreading this fake browser mostly via compromised websites that are powered by WordPress and also attackers used other hacked CMS websites.
Thousands of hacked sites are used for this campaign along with various stages of infection process by injecting malicious scripts from the legitimate web pages.
Fake updates claim that the popup comes from an “Update Center” based on the browser type by saying “a critical error occurred due to the outdated version of the browser, Update your browser as soon as possible.”
Attackers pushing the fake updates based upon the browser that used by victims to access the compromised websites and they have a malicious popup for all widely used browsers including messages for Chrome, Internet Explorer and Edge browsers.
Also the popups urged user to download and install the update in order to avoid “Loss of personal and stored data, confidential information leaks, and browser errors” that you can in above image.
The update link pointed to some of the compromised website where the threat actors loaded a exe and zip files that will eventually drop into the victims computer.
Fake Browser Update Infection Process
Initially, attackers choose the 2 ways either inject links to an external script or inject the whole script code into the hacked web pages.
Researchers from Sucuri described some of the external script links used by this campaign:
- hxxps://wibeee.com[.]ua/wp-content/themes/wibeee/assets/css/update.js – 225 infected sites.
- hxxp://kompleks-ohoroni.kiev[.]ua/wp-admin/css/colors/blue/update.js – 54 for the second.
- hxxp://quoidevert[.]com/templates/shaper_newsplus/js/update.js – 198 infected sites.
Fake browser update overlay window generated by these update.js files which contain an obfuscated script along with the download link of Fake update file.
Once the victims click the update links, hacked site drop the Zip file which is quite very small around 3kb which is not sufficient size to have a windows based malware.
Further analysis done by a researcher Peter Gramantik , reveals that the contain
“In this case, the malicious code uses the Windows Script Host functionality to download external files, execute them, and then delete.”
According to Sucuri, the script tries to download browser.jpg files from compromised third-party sites. You should not be fooled by the benign .jpg extension and the further analysis in
Recently discovered fake browser updates file also contains a banking malware which is used the same infection methods.
Also, Sucuri Stats that, To track their campaign, hackers include Histats scripts into all versions of their malware. At this point, they use the following two Histats ids that infected nearly 1500 websites.