Researchers Warn of Increased Malware Delivery via Fake Browser Updates

Cyber Security Threat Summary:
Researchers from Sekoia have released details on a new campaign from the threat group behind SocGholish. This latest activity leverages compromised WordPress sites to push malicious fake browser updates. The campaign, which has been called ClearFake, injects Javascript into compromised WordPress websites so that it downloads another Javascript payload from an attacker controlled domain.

Specifically, the downloaded payload creates an iframe element to display a fake update interface. iframe works by displaying the contents of another website outside the current HTML page. When the victim visits the compromised website, they are shown a fake update page for Chrome, Edge, or Firefox, claiming they must update their browser to view the content of the page.

According to Proofpoint researchers, the fake update pages are served in different languages (English, French, German, Spanish, and Portuguese), depending on the users’ browser’s set language. Users who click the download button, will receive a legitimate browser installer paired with various malware strains like HijackLoader or IDAT loader. “HijackLoader implements several evasion techniques, including code injection, use of syscalls, Windows API hashing and Heaven’s gate. In recent months, HijackLoader delivered numerous commodity malware, including Danabot, Lumma, Raccoon, Redline, Remcos, SystemBC and Vidar,” Sekoia researchers shared.

Security Officer Comments:
A watering hole attack is a targeted attack designed to compromise users within a specific industry or group of users by infecting websites they typically visit and luring them to a malicious site. Using compromised websites in a watering hole attack, the fake updates lure helps the ClearFake operators target a wide range of users. “While Proofpoint does not attribute the ClearFake activity to a known actor, Sekoia researchers believe it might be the same one that’s behind SocGholish: “The tactics, techniques and procedures leveraged by the ClearFake operators overlap with those of SocGholish ones (tracked as TA569), in particular the use of watering holes, ‘fake updates’ lures, Keitaro traffic distribution system, Dropbox file hosting service and the masquerading of filename with cyrillic characters” (Help Net Security, 2023). Regardless if SocGhoulish actors are behind this campaign, these tactics are not new, other threat actors have leveraged the fake updates lure in other campaigns including: RogueRaticate/FakeSG and the ZPHP/SmartApeSG campaigns.

Suggested Correction(s):
Organizations can protect their users from watering hole attacks by using web gateways that block websites that match a known signature or have a bad reputation. For more sophisticated attacks, defense may involve dynamic malware analysis solutions that are able to check for malicious behavior on websites that a users browses to.

Some watering hole attacks may begin with email lures. Some email solutions can apply similar dynamic malware analysis at the time of email delivery and at click-time by the users. Additionally, users should follow general phishing best practices.

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately