
posted by Fnord666 on Thursday October 03 2019, @01:16PM
from the hate-to-see-it dept.

Arthur T Knackerbracket has found the following story:

Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.

Between May and September 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.

Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".

When the update button is clicked, the site will download either an HTML application (HTA), JavaScript, or Zip archives with JavaScript files.

When the downloaded file is executed, a malicious script would be launched that gathers information about the computer and sends it back to the attacker's command and control server.

The server would then respond with another script that would be executed on the victim's machine to download and install malware. The researchers at FireEye state that they observed malware such as Dridex, NetSupport Manager, AZORult, or Chthonic being installed on the victims' machines.

"The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZOrult, and Chthonic malware. The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor."

In addition to the information being stolen by banking Trojans, the script would also use the freeware Nircmd.exe tool to generate two screenshots of the current desktop, which are then also uploaded to the C2.

Similar to how Ryuk utilizes Trickbot, FireEye observed that Dridex would be used to install the BitPaymer or DoppelPaymer ransomware on a victim's network.

[...] Both BitPaymer and DoppelPaymer are well known for demanding huge ransoms when they are able to compromise many computers on a network. For example, there are known cases where DoppelPaymer has demanded ransoms ranging from $80K USD to over $2 million.

This would allow them to potentially generate huge ransoms from a compromised network that has already been squeezed dry of data to harvest.
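The chain described above (browser or user opens a downloaded .hta/.js lure, the script host then calls Nircmd.exe for screenshots) leaves a recognisable parent/child process trail. The following is an added detection example, not code from the story or from FireEye; the event format and all sample records are constructed, and the process names and path patterns are assumptions chosen to mirror what the article reports.

```python
import re

# Constructed, Sysmon-style process-creation records (sample data, not real
# telemetry). Format per line: parent_image|child_image|command_line
SAMPLE_EVENTS = r"""
chrome.exe|wscript.exe|wscript.exe C:\Users\jdoe\Downloads\Chrome_Update.js
wscript.exe|nircmd.exe|nircmd.exe savescreenshot C:\Users\jdoe\AppData\Local\Temp\1.png
chrome.exe|explorer.exe|explorer.exe C:\Users\jdoe\Downloads
explorer.exe|mshta.exe|mshta.exe C:\Users\jdoe\Downloads\update.hta
svchost.exe|wscript.exe|wscript.exe C:\Windows\Temp\logon.js
""".strip().splitlines()

BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Script files in the user's download/temp areas: where a browser drops an
# .hta/.js, or where a .zip of .js files is extracted before being opened.
LURE_PATH = re.compile(
    r"\\(downloads|appdata\\local\\temp)\\\S+\.(js|jse|hta)\b", re.I)

def parse_event(line):
    parent, child, cmdline = line.split("|", 2)
    return parent.lower(), child.lower(), cmdline

def classify(event):
    """Return the name of the rule an event trips, or None."""
    parent, child, cmdline = event
    # Stage 1: a script host launched by a browser (or by explorer.exe, when
    # the user double-clicks the download) on a script in Downloads/Temp.
    if (child in SCRIPT_HOSTS and parent in BROWSERS | {"explorer.exe"}
            and LURE_PATH.search(cmdline)):
        return "fake_update_script_launch"
    # Stage 2: the dropper script invoking NirCmd to screenshot the desktop.
    if child == "nircmd.exe" and parent in SCRIPT_HOSTS:
        return "script_host_spawned_nircmd"
    return None

def scan(lines):
    """Return (rule, original record) for every event that matches a rule."""
    hits = []
    for line in lines:
        rule = classify(parse_event(line))
        if rule:
            hits.append((rule, line))
    return hits

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {line}")
```

The last sample record (a script run from C:\Windows\Temp by a service host) is deliberately left unflagged: the rules key on the browser-download location and parent, not on script hosts in general.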

  • (Score: 3, Funny) by Runaway1956 on Thursday October 03 2019, @03:39PM (4 children)

    by Runaway1956 (2926) Subscriber Badge on Thursday October 03 2019, @03:39PM (#902314) Journal

    I was considering updating my fake browser. Having read this article, I'll just keep my fake browser undated.

    • (Score: 0) by Anonymous Coward on Thursday October 03 2019, @08:18PM (2 children)

      by Anonymous Coward on Thursday October 03 2019, @08:18PM (#902418)

      Yes, we wouldn't want Infect Enterprises to miss an update and Fake Browser is essential for that.

      • (Score: 2, Insightful) by anubi on Thursday October 03 2019, @10:55PM (1 child)

        by anubi (2828) on Thursday October 03 2019, @10:55PM (#902464) Journal

        I find it easier to find another vendor than to reconfigure my system over the whim of some corporate webmaster.

        I use a lot of older, and deliberately crippled technology to hinder malware.

        Amazon works fine. So does eBay. However, many corporate websites do not.

        So, while corporate sites tell me to upgrade to something their trackers want, my response to their browser upgrade demand is a query to AliExpress, Amazon, eBay, Rock Auto, or a few more I have bookmarked who do not constantly trip off my malware avoidance systems.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]

        • (Score: 0) by Anonymous Coward on Friday October 04 2019, @04:22AM

          by Anonymous Coward on Friday October 04 2019, @04:22AM (#902546)

          For a lot of businesses, it is a one in a million chance that you clicked on their link.

          It's a shame they used it to encourage you to go somewhere else.

    • (Score: 0) by Anonymous Coward on Friday October 04 2019, @08:29PM

      by Anonymous Coward on Friday October 04 2019, @08:29PM (#902782)

      Usually a good idea not to date fakes.

  • (Score: 1, Interesting) by Anonymous Coward on Thursday October 03 2019, @04:11PM (1 child)

    by Anonymous Coward on Thursday October 03 2019, @04:11PM (#902334)

    I first saw one of these quite a few weeks ago, maybe a couple months. Looks like someone is capitalizing well on the "Yeah, we don't support that browser..." movement.

    • (Score: 4, Insightful) by Anonymous Coward on Thursday October 03 2019, @10:51PM

      by Anonymous Coward on Thursday October 03 2019, @10:51PM (#902459)

      This is one reason UIs are considered worse than before. Initially, software would notify you of something in a manner which embedded components couldn't duplicate. Nowadays, there's no way to tell the difference between a browser generated notification and a webpage notification. Hell, even program settings are displayed as a webpage which makes it trivial for malware to duplicate the exact same screens and mess with you.

      I would like to give a big fuck you to the google developers who on their own decided to start pushing the "Use this better piece of software or else bad things will happen to you" banners you now see everywhere. Once that google team started doing it, everyone copied them thinking it was now an okay thing to do. It wasn't and still isn't.
