Compromised websites are being used to trick users into thinking they have outdated web browser or Flash Player software, thanks to a crafty malware campaign discovered by Malwarebytes.
The ‘FakeUpdates campaign’ has been around since at least December 2017. It works by enslaving websites’ content management systems, and researchers suspect attackers are using outdated websites to spread malicious code, although this hasn’t been completely confirmed.
The malicious code triggers redirect URLs that point to a fake browser update page (Google Chrome, Mozilla Firefox, and Internet Explorer), as well as a fake Flash Player update.
“The decoy pages are hosted on compromised hosts via sub-domains using URIs with very short life spans. Some of those domains have a live (and legitimate website) whereas others are simply parked,” comments researcher Jérôme Segura.
The file collect information about the target system including BIOS, MAC address, processes, manufacturer, and its architecture.
Upon successful infection, the process delivers callbacks to its command & control server. The payload is both digitally signed and uses evasion techniques to defeat sandboxes.
One particular sample delivered a variant of the ZeusVM malware called Chtonic. The malware has been around since at least 2014.
Another malware sample downloaded a Remote Access Trojan called NetSupport Remote Access Tool.
“Once again, we noticed the heavy use of obfuscation throughout the delivery of this program that can be used for malicious purposes (file transfer, remote Desktop, etc),” Segura comments.
He says that the campaign uses social engineering and the abuse of a legitimate file hosting service. Because the bait file uses a script rather than an executable, attackers can find different ways to hide the malware.
“Compromised websites were abused to not only redirect users but also to host the fake updates scheme, making their owners unwitting participants in a malware campaign. This is why it is so important to keep Content Management Systems up to date, as well as use good security hygiene when it comes to authentication,” Secura concludes.