Fake Chrome Update Malware

Captions
So one day you're merrily browsing the internet, going through some kind of tutorial, looking at a website, and then boom, all of a sudden you have an update for Chrome and you have to update in order to continue viewing the website. And like any obedient internet user you click the update button, because everyone knows not having an up-to-date browser would be a huge security vulnerability. But guess what? If you actually ran this browser update, what looks like a browser update, you would have all of your online accounts hacked. Any passwords that you had saved on your system, any site you were logged into, all of that information would be stolen by hackers and potentially sold on the dark web.

So we're going to run this in a virtual machine just to show you what happens. So very quickly it executes, runs the command line, cmd.exe, and once it's done its data collection the original exe stops executing, so you don't notice the detections in VirusTotal, but the command line is still running, sending the data to the attackers. Now let's do that again in case you didn't catch it, because it does happen really fast. As you can see, the setup executes; it's got 39 detections apparently right now, but it was much lower when it first started, and within a few seconds it's gone. Let's do that one more time just so we can catch some of the other things that are happening in those few seconds. So as you can see, it's establishing a TCP connection to a remote IP, and this is likely the command and control infrastructure of the attacker. It happens so fast you don't see it, but that's your data leaving orbit with escape velocity. And the best thing is it all happens so fast you wouldn't even know anything was wrong, because there's nothing that's running on your system after it has executed. As you can see there are no malicious processes right now; the application itself is going to terminate very quickly. So even if you do notice Command Prompt running silently in the background, it's not necessarily an indication of some kind of malware infection, and you wake up the next day and you can't log into your accounts anymore, and that's when you realize you've been hacked.

Now taking a slightly deeper look at the file itself, we can go into Properties, and if we look at the digital signatures, interestingly it's signed by Piriform; this is the company behind CCleaner. And in fact if we look at the general application data it says it's the Recuva installer, which is a legitimate program released by Piriform. Now since I have analyzed this file I also know that it installs a root certificate, and Windows Defender is complaining about something; let's see what it is. So there we go, it does detect the file as Lumma Stealer, which is an accurate detection for Windows Defender, but as they say, better late than never. Now this particular sample is 7.8 MB, so it's not particularly hard to analyze on sites like VirusTotal, so if we check there it's got 39 detections right now, but these things move fast, so if you're hit on day one you may not be as lucky.

Now a little bit more about Lumma Stealer from Malpedia. So this is an information stealer written in the C language, very close to a system that's being made available under a malware-as-a-service model, so again anybody can buy it and run their own info-stealing operation. It's sold on Russian-speaking forums and it's been there since August of 2022, so it's been over a year. It's believed to be developed by a threat actor called Shamel, and it targets cryptocurrency wallets. So that's another thing to really look out for: if you've got, you know, cryptocurrency, be really careful how you store your wallets, because people have had their entire fortune, hundreds of thousands of dollars, stolen by info stealers like this. And guess what, it can also steal two-factor authentication tokens, so again, do not use your computer as a 2FA device; the whole idea of 2FA is having two independent devices verify. And I don't think a lot of people realize how quick and simple a data exfiltration event can be. It doesn't even have to be an exe like this one, which is going to be detected, which you can analyze; it could be a PowerShell script. There are multiple ways in which this attack can take place.

There's some original research on this by Guardio; it turns out it's a pretty sophisticated exploit. So this is the simplified view, where you visit a compromised WordPress site, you have this fake browser popup and then you have the malevolent browser update. This begins by embedding concealed JavaScript code which is injected into article pages, and that code itself is not the malware; it simply retrieves a second-stage payload from a server that is controlled by the attacker. So again, you might think, how come nobody detects it? It's because the only thing they would see would be some kind of JavaScript that just reaches out to a random IP, and the actual malware is going to be hosted there. And in some instances they can even use things belonging to Cloudflare, Google Drive, Amazon. These platforms do detect abuse and they do remove malicious actors, but that's how these attacks work these days. It's not about one malware operation; it's a flash in the pan, in and out really fast, and the first wave of people that get hit, they are the ones who lose their data and get their accounts hacked, and then the attackers move on; they start a new campaign with new hacked websites. The infection process is actually very interesting, especially if you're into blockchain and Binance. And by the way, this is not just for Google Chrome; they will show you different popups depending on the browser you're using. So if you're using Microsoft Edge they're going to show you this popup for Microsoft Edge; it's going to look very legitimate. Similarly, if you're using Firefox they're going to show you this popup that looks very legitimate. And just ask yourself: with the average user who does not understand what different file formats are, what an exe is, are they going to be able to tell that this is not a legitimate update? Because it's not hard to make something that matches the look and feel, especially these days, because everything looks so similar.

This is a list of compromised websites; let's try visiting some of these. So I'm going to try visiting one of these on my computer, and as you can see it is blocked by Guardio, but it's also kind of obvious that these were all temporary domains, so a lot of them have gone down. However, if we look at the compromised WordPress sites you will see that they're still up. So for example, if we go to dailyangelprayers.net: you could never get infected from your daily angel prayers, like nothing bad could happen from this site. Imagine somebody figuring out "how can angels help me?" and then they get an update; they think it's a message from an angel. Okay, I don't know where I'm going with this, but the point is these are legitimate websites and they can be hacked and then they are restored, and that is a cycle. This site is probably safe now, but there are probably other sites now which are actively serving these kinds of payloads. So keep an eye out for these kinds of threats and do educate people.

I hope you found this video informative and useful. Please like and share it if you did, and let me know your thoughts in the comments below: do you know someone who would fall for a popup like this? Also a big thank you to Guardio for sponsoring this video and doing the amazing research. Guardio of course is a web extension that can protect you from phishing links, scams, the kinds of things that most everyday people are falling for these days. It can also block malware downloads, and it can also protect you from getting hacked by monitoring for your stolen credentials on the dark web. So for example, if your credentials were stolen by Lumma Stealer and were being sold on a Russian hacker forum, Guardio would warn you and say, hey, your YouTube account credentials have been leaked, go ahead and change your password right away. And sometimes that can really save you from being hacked, because a lot of the time the malware authors who harvest these credentials are not the ones who are hacking accounts; they're separate groups. So consider checking them out using the link in the description. Thank you all so much for watching. This is Leo, and as always, stay informed, stay secure.
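The behaviour the video walks through (a downloaded "update" runs cmd.exe, the child opens an outbound TCP connection, and the original executable exits within seconds, leaving nothing to notice) is the kind of sequence an endpoint correlation rule can catch. The following is an added example written for this page, not code from the video, The PC Security Channel or Guardio; the event format, field names and the sample telemetry are constructed assumptions, not the output of any real EDR.

```python
# Added example: correlate process-start, network-connect and process-exit
# events to flag a freshly downloaded executable that spawns cmd.exe, has that
# cmd.exe connect out over TCP, and then exits within a short window.
# Event shape and field names are assumptions for this example only.
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). pid 100 mimics the fake update;
# pid 200 is a benign explorer.exe launching cmd.exe, which must not alert.
EVENTS = [
    {"t": "2023-10-29T10:00:00", "type": "proc_start", "pid": 100, "ppid": 1,
     "image": r"C:\Users\user\Downloads\ChromeUpdate.exe"},
    {"t": "2023-10-29T10:00:01", "type": "proc_start", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"t": "2023-10-29T10:00:02", "type": "net_connect", "pid": 101,
     "proto": "tcp", "dst": "203.0.113.10:443"},
    {"t": "2023-10-29T10:00:03", "type": "proc_exit", "pid": 100},
    {"t": "2023-10-29T10:05:00", "type": "proc_start", "pid": 200, "ppid": 1,
     "image": r"C:\Windows\explorer.exe"},
    {"t": "2023-10-29T10:05:01", "type": "proc_start", "pid": 201, "ppid": 200,
     "image": r"C:\Windows\System32\cmd.exe"},
]

WINDOW = timedelta(seconds=30)  # parent lifetime considered "run and vanish"


def parse(ts):
    return datetime.fromisoformat(ts)


def find_run_and_exit(events, window=WINDOW):
    """Return one alert per cmd.exe whose parent came from a Downloads folder,
    made a TCP connection, and whose parent exited within `window`."""
    starts = {e["pid"]: e for e in events if e["type"] == "proc_start"}
    exits = {e["pid"]: parse(e["t"]) for e in events if e["type"] == "proc_exit"}
    connects = {}
    for e in events:
        if e["type"] == "net_connect" and e["proto"] == "tcp":
            connects.setdefault(e["pid"], []).append(e["dst"])
    alerts = []
    for child in starts.values():
        if not child["image"].lower().endswith("\\cmd.exe"):
            continue
        parent = starts.get(child["ppid"])
        if parent is None or "\\downloads\\" not in parent["image"].lower():
            continue
        dsts = connects.get(child["pid"], [])
        exit_t = exits.get(parent["pid"])
        if dsts and exit_t is not None and exit_t - parse(parent["t"]) <= window:
            alerts.append({"parent": parent["image"], "cmd_pid": child["pid"],
                           "dst": dsts,
                           "lifetime_s": (exit_t - parse(parent["t"])).total_seconds()})
    return alerts


if __name__ == "__main__":
    for alert in find_run_and_exit(EVENTS):
        print("possible run-and-exit stealer:", alert)
```

The rule deliberately keys on the short parent lifetime plus the child's network activity, because, as the video shows, the original process is already gone by the time anyone looks at the process list.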
Info
Channel: The PC Security Channel
Views: 194,705
Keywords: The PC Security Channel, TPSC, cybersecurity, cyber security, computer security, internet security, antivirus, anti malware, ransomware, trojan, virus, PUP, best antivirus, best internet security, learn cybersecurity, hacking, hack, security, technology, cyber insurance, cybersecurity degree, best EDR, EDR
Id: SxStbBwk70s
Length: 8min 22sec (502 seconds)
Published: Sun Oct 29 2023