The advancement of technology has brought about an increase in cybercrime. Recently, hackers have been reported to infiltrate websites and inject code that displays fake Google Chrome automatic update errors. This “injection” distributes malware to unsuspecting visitors who click on the website.
According to security analyst NTT Rintaro Koike, hackers have been active since November 2022, and the method has changed since February 2023. They have expanded their targeting to include users who speak Japanese, Korean, and Spanish.
BleepingComputer has found many websites that have been hacked in this malware distribution campaign, including adult sites, blogs, news sites, and online stores.
The attack starts by compromising a website to inject dangerous JavaScript code that executes a script when a user visits the website. The code will download additional scripts based on whether the visitor is a targeted audience.
This malicious code is sent via the Pinata IPFS (InterPlanetary File System) service, masking the original server hosting the file, making blocklists ineffective, and rejecting removal.
If a targeted visitor starts browsing the site, the code will display a fake Google Chrome error notification. Then, an automatic update statement is displayed, which is required to continue browsing the site that failed to install.
“The automatic Chrome update encountered an error. Please manually install the update package later, or wait for the next automatic update,” the fake Chrome error message reads.
According to BleepingComputer, the code will then automatically download the ‘release.zip’ ZIP file, which is disguised as a Chrome update that users must install.
However, the ZIP file contains a Monero miner that will exploit the device’s CPU resources to mine the cryptocurrency for threat actors.
When launched, the malware copies itself to C:\Program Files\Google\Chrome as “updater.exe” and then launches the legitimate executable to perform process injection and run directly from memory.
According to VirusTotal, the malware uses the “BYOVD” technique to exploit vulnerabilities in the valid WinRing0x64.sys to obtain SYSTEM privileges on the device.
The miner persists by adding scheduled tasks and making Registry modifications while excluding itself from Windows Defender.
Furthermore, it stops Windows Update and interferes with security product communication with the server by changing the last IP address in the HOSTS file. This blocks updates and threat detection and can even disable AV altogether.
Although some hacked websites are in Japanese, NTT warns that the inclusion of new languages may indicate that threat actors plan to expand their targeting, making the impact of this campaign even greater.
Therefore, internet users are urged never to install security updates for software installed on third-party sites, only install them from the software developer or through automatic updates included in the program.
Users should also be cautious about clicking on unknown links and downloading files from untrusted sources. It is always best to stay vigilant and keep software up-to-date to prevent becoming a victim of such cyber-attacks.
