An NTT security analyst spotted a campaign that exploits a fake Google Chrome update error screen to distribute malware. The campaign gained traction in February 2023, with confirmed malware downloads reported across various targets. In this article, we provide an overview of the attack campaign.

Diving into details

The attack campaign begins with the compromise of websites, into which malicious JavaScript is injected so that it runs whenever a user visits the page.
  • The injected script downloads additional scripts, chosen according to whether the visitor matches the intended target audience.
  • The Pinata IPFS service is used to deliver the malicious scripts, hiding the origin server that hosts the files and evading blocklisting efforts.
  • When a targeted visitor accesses the compromised site, a fake Google Chrome error screen is displayed, claiming that a required automatic update has failed to install.

What happens next

The scripts mentioned above automatically download a ZIP file posing as a Chrome update. In reality, this file deploys a Monero miner to conduct cryptomining.
  • The malware uses the Bring Your Own Vulnerable Driver (BYOVD) technique, abusing a flaw in WinRing0x64.sys to gain SYSTEM-level privileges.
  • The miner also blocks Windows Update and interferes with security products' communication with their vendors' servers by tampering with the IP addresses in the HOSTS file.
  • This prevents updates and threat detection, and can potentially disable antivirus software entirely.
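The HOSTS tampering described above leaves a simple artifact on disk that can be checked. The following is an added defender-side example, not code from the NTT or Cyware write-up: a small Python scanner that parses a HOSTS file and flags entries overriding Windows Update domains or pinning external hostnames to loopback. The watchlist suffixes and the sample HOSTS content are constructed for this example.

```python
from dataclasses import dataclass

# Loopback/null addresses attackers use to sinkhole a hostname.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}
# Names a clean HOSTS file legitimately maps to loopback.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost"}
# Domains whose override would block Windows Update. Watchlist constructed for this
# example; extend it with your security vendors' update and cloud domains.
WATCHED_SUFFIXES = ("windowsupdate.com", "update.microsoft.com")


@dataclass
class Finding:
    line_no: int
    ip: str
    host: str
    severity: str  # "high": watched domain overridden; "medium": external name sinkholed


def parse_hosts(text: str) -> list[tuple[int, str, list[str]]]:
    """Return (line_no, ip, hostnames) for each active entry, dropping comments."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.append((n, parts[0], parts[1:]))
    return entries


def is_watched(host: str) -> bool:
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in WATCHED_SUFFIXES)


def scan_hosts(text: str) -> list[Finding]:
    """Flag entries that redirect update/security domains or pin external names to loopback."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        for host in hosts:
            if host.lower() in LEGIT_LOCAL:
                continue
            if is_watched(host):        # any IP for these names is suspect, not only loopback
                findings.append(Finding(n, ip, host, "high"))
            elif ip in SINKHOLE_IPS:    # external name deliberately blackholed
                findings.append(Finding(n, ip, host, "medium"))
    return findings


# Constructed sample HOSTS file mixing normal entries with tampered ones.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost
0.0.0.0     update.microsoft.com
0.0.0.0     download.windowsupdate.com
127.0.0.1   telemetry.example-av.test   # constructed vendor domain
10.0.0.5    intranet.corp.local
"""
```

On a live Windows host, feed the scanner the contents of %SystemRoot%\System32\drivers\etc\hosts; any "high" finding on a machine that does not intentionally manage those domains deserves a closer look.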

Cryptomining on the rise

  • A cryptojacking campaign, named Color1337, was found targeting Linux machines. It uses a Monero mining botnet that can move laterally across the network.
  • A separate malvertising campaign was launched against Portuguese users to steal their cryptocurrency, using a newly discovered clipper malware, CryptoClippy. So far, the campaign has targeted manufacturing, IT, and real estate organizations.

The bottom line

Cryptomining is not new, and neither is the abuse of Google Chrome and other legitimate software. Users should therefore avoid installing security updates from third-party sites and be wary of fake error notifications. The impact of the current campaign is widespread and poses a severe risk to organizations.
Cyware Publisher