Fake browser updates found delivering a variety of malware in a recent campaign

• When the users open a browser, they are shown a message box that says it is an ‘Update Center’ for their browser type.
• Once the users are convinced and click on the ‘Update’ button, it takes them to some compromised third-party site which contains EXE and ZIP files.

A new malicious campaign that leverages fake browsers updates has been spotted recently. The campaign is used to deliver a variety of malware onto a victim’s machine.

What is the issue - According to Sucuri’s researchers, the attackers are injecting scripts that push fake browsers updates onto visitors’ site. When the users open a browser, they are shown a message box that says it is an ‘Update Center’ for their browser type.

The message in the box reads - “A critical error has occurred due to the outdated version of the browser. Update your browser as soon as possible.” To make it look less suspicious, the message comes with some critical remarks. The fake browser update suggests the users to download and install the update to avoid loss of personal and stored data; confidential information leaks; and browser errors.

Once the users are convinced and click on the ‘Update’ button, it takes them to some compromised third-party site which contains EXE and ZIP files. These files are nothing but the malicious files that deliver ransomware and other malware onto the victims’ systems.

How does it work - Sucuri’s researchers claim that “hackers inject either links to an external script or inject the whole malicious script into the hacked web pages.” Some of the examples of external script links used in the campaign are:

• hxxps[:]//wibeee.com[.]ua/wp-content/themes/wibeee/assets/css/update.js
• hxxp[:]//kompleks-ohoroni[.]kiev[.]ua/wp-admin/css/colors/blue/update.js
• hxxp[:]//quoidevert[.]com/templates/shaper_newsplus/js/update.js

The ‘update.js’ file seen in each of the links contains an obfuscated script that creates the fake browser update overlay window. Lately, the researchers have come across a few more payload links during their investigation.

“At some point, instead of links to external scripts, hackers injected the complete malicious JavaScript code at the bottom of the infected web pages. The injected code is quite massive (90+ Kb). To hide it, hackers add 70+ empty lines in hopes that the webmaster will stop browsing the code after seeing an empty screen,” researchers added.

Android version - The most recent version of the fake browser malware is being delivered for Android devices. VirusTotal, the virus and malware scanning service, scanned one of the APK files and found a banking malware which is very similar to that delivered in ‘Fake Google reCAPTCHA’ phishing campaign.