CTAs Leveraging Fake Browser Updates in Malware Campaigns

By: The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®)

Published February 8, 2024

The Center for Internet Security® (CIS®) Cyber Threat Intelligence (CTI) team at the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) assesses with moderate confidence that malware using fake browser updates and subsequent secondary exploitation will continue to affect U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. These opportunistic campaigns succeed by taking advantage of end-user trust in websites they visit.

Specifically, the MS-ISAC observed SocGholish and similar malware leveraging fake browser updates for initial access. It also observed the operators of this malware dropping similar secondary payloads, such as the NetSupport remote access tool.

A Rise in Malware Using Fake Browser Updates

In the second half of 2023, cyber threat actors (CTAs) increasingly engaged in opportunistic malware campaigns using fake browser updates. When a victim visits a compromised website, the malware generates a fake browser update tailored to the browser the victim uses, such as Google Chrome, as shown in Figure 1.

Fake browser updates use JavaScript and HTML to control traffic and deliver malware onto the victim’s system. The technique turns end-user cybersecurity awareness training against the victim: that training instills trust in known websites, and the lure appears on exactly such a site. In security training, end users are often instructed to trust only websites they know and use, and to click links or accept updates only from trusted sources.

Figure 1: An example of a fake browser update for Google Chrome

As shown in Figure 2, the MS-ISAC observed a rapid increase in SLTT member Albert Network Monitoring and Management (Albert) alerts related to this type of threat activity.

Figure 2: Total Albert alerts for malware using fake browser updates (Source: CTI team)

Three Downloaders Using the Initial Access Technique

The MS-ISAC saw increases in activity from three downloaders – SocGholish, RogueRaticate, and ClearFake – using the initial access technique discussed above between July 2023 and October 2023. Downloaders are a type of malware whose main purpose is to gain initial access to a system to install additional malware or other CTA tools. Although this activity decreased in November, these campaigns continue to affect SLTT entities.

The most prominent malware during the reporting period were SocGholish and RogueRaticate, with ClearFake comprising only one percent of this malicious activity.

  • SocGholish is a downloader written in JavaScript that is distributed through malicious or compromised websites. SocGholish uses fake software updates, specifically browser updates, to trick users into downloading the malware. The malware uses multiple methods for traffic redirection and payload delivery. After initial infection, the CTAs use Cobalt Strike, leverage PowerShell, and steal information from the victim’s system. Additionally, SocGholish infections can lead to further exploitation, such as deployment of the NetSupport remote access tool, AsyncRAT, and, in some cases, ransomware.
  • RogueRaticate has many similarities to the SocGholish campaign. The malware is a downloader written in JavaScript that is distributed in the same manner as SocGholish. The RogueRaticate payload is an HTML application file that is zipped or downloaded as a shortcut file. RogueRaticate, like SocGholish, uses PowerShell, leading to additional exploitation, specifically by the NetSupport remote access tool.
  • ClearFake is a newer malware discovered in August 2023 that injects base64-encoded scripts into the HTML of compromised websites. ClearFake also uses PowerShell and loads additional malware such as Lumma Stealer, Redline, and Raccoon v2.

Additional Exploitation from Fake Browser Updates

As described above, fake browser updates pushing SocGholish, RogueRaticate, ClearFake, and other malware campaigns aim to download or drop additional payloads onto the victim’s system. These payloads include other malware variants or legitimate remote access tools. Figure 3 shows a steady increase in the number of alerts for these secondary payloads in conjunction with the rise in the malware mentioned above.

Figure 3: Total Albert alerts for secondary payloads dropped by fake browser update malware (Source: CTI team)

Between July 2023 and November 2023, the MS-ISAC observed increases in three secondary payloads. The most prominent was the NetSupport remote access tool, followed by AsyncRAT and Lumma Stealer.

  • The NetSupport remote access tool is a legitimate tool used by IT professionals to provide remote technical support. Over time, CTAs began using this tool to gain remote access to systems to either drop additional malware or steal information. Once downloaded onto the system, CTAs can access and transfer files, change computer settings, conduct reconnaissance, and move laterally throughout the network.
  • The AsyncRAT remote access tool is a legitimate open-source tool used by IT professionals to provide remote monitoring capabilities. Like NetSupport, CTAs have used AsyncRAT for malicious purposes. CTAs use this tool to monitor the victim’s computer through screen viewer/recorder and keylogger features. Additional capabilities such as transferring files, changing computer settings, and password recovery allow CTAs to conduct reconnaissance, move laterally throughout the network, steal credentials and other information, and download additional malicious tools or malware.
  • Lastly, Lumma Stealer is an infostealer malware sold on the dark web. It makes up a small percentage of secondary malicious activity seen by the MS-ISAC. Lumma Stealer targets personally identifiable information, such as credentials, cookies, and banking information. Additionally, it has numerous defense evasion capabilities, including detecting whether the infected system is a virtual environment, detecting user activity on the system, and encrypting its executable to prevent reverse engineering.

Strengthen Your Defenses Against Fake Browser Updates

The MS-ISAC recommends the following actions to improve network defenses and guard against malware disguised as fake browser updates.

  • Provide employee training to protect against social engineering techniques and to encourage employees to report any suspicious activity to the security team.
  • Perform regular antivirus scans of systems and ensure those applications remain up to date, which is recommended in Control 10 of the CIS Critical Security Controls® (CIS Controls®).
  • Consider the use of an add-on ad blocker to block fake browser updates.
  • Sign up for Malicious Domain Blocking and Reporting (MDBR), an MS-ISAC member service which proactively blocks an organization’s network traffic from connecting to known harmful web domains. CIS Control 9 recommends blocking of known malicious domains or subscribing to a DNS filtering service to block attempts to access malicious domains at the network level.
  • Implement an Endpoint Detection and Response (EDR) solution. EDR can help you mitigate malicious file execution by blocking unauthorized activities at the endpoint (e.g., host, server), which is recommended in CIS Control 10. If your organization is not using EDR, ensure you have enabled process tracking and command-line auditing within the security policy.
  • Employ a Network Intrusion Detection System (NIDS). Albert is an MS-ISAC solution built on a high-performance NIDS engine that provides both traditional and advanced network threat security alerts to help you identify and report malicious events. CIS Control 10 recommends the use of NIDSes.
  • Use Application Allowlists. Application allowlists are recommended in CIS Control 2. They enable your organization to actively manage (inventory, track, and correct) all software on the network so that only authorized software is allowed to install or execute.
  • Implement/Enforce the Principle of Least Privilege, which is recommended in CIS Control 6.
  • Implement/Enforce PowerShell Signed Scripts, which are recommended in CIS Control 2.
  • Ensure adequate logging is in place, as recommended in CIS Control 8, particularly for PowerShell: Transcription, Module, and Script Block logging.
  • Sign up for the MS-ISAC Indicator Sharing Program. The Indicator Sharing Program offers several services to MS-ISAC members of varying cybersecurity needs and capabilities, including CTI Lists, STIX/TAXII, the Malware Information Sharing Platform (MISP), and our MDBR service. The MS-ISAC encourages all SLTTs to reach out to [email protected] for assistance connecting to one or all of our sharing services.
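As an added illustration of the command-line auditing and PowerShell logging recommendations above (example code, not part of the MS-ISAC post), the following Python sketch runs a few constructed process-creation records, shaped like Windows Security Event ID 4688 with command-line auditing enabled, through the checks a defender would apply to this infection chain: a script host launching a .js or .hta file from a Downloads folder, and PowerShell that is spawned by a script host or started with a hidden window or encoded command. The process names (wscript, cscript, mshta), paths, user and file names are assumptions, not indicators from the page.

```python
import re

# Constructed records shaped like Windows Security Event ID 4688 (process creation
# with command-line auditing enabled). Paths, user and file names are made up.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\Downloads\Chrome.Update.js"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -w hidden -nop -EncodedCommand CONSTRUCTED_BASE64"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}   # run .js / .hta files
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Fake-update lures hand the user a JavaScript (.js) or HTML application (.hta) to run.
LURE_FILE = re.compile(r"[\\/]downloads[\\/][^\s\"']*\.(?:js|hta)\b", re.IGNORECASE)
# -w hidden / -WindowStyle hidden and -e / -enc / -EncodedCommand
HIDDEN_OR_ENCODED = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|e(?:nc|ncodedcommand)?\s)", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons (possibly none) an event matches the fake-update chain."""
    image, parent, cmd = basename(event["image"]), basename(event["parent"]), event["cmdline"]
    reasons = []
    if image in SCRIPT_HOSTS and LURE_FILE.search(cmd):
        reasons.append("script host running a .js/.hta from a Downloads folder")
        if parent in BROWSERS:
            reasons.append("spawned directly by a browser")
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            reasons.append("PowerShell spawned by a script host")
        if HIDDEN_OR_ENCODED.search(cmd):
            reasons.append("hidden window or encoded command")
    return reasons


def detect(events):
    """Map event index -> reasons, keeping only events that matched at least one check."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}


if __name__ == "__main__":
    for i, reasons in detect(SAMPLE_EVENTS).items():
        print(f"event {i}: {'; '.join(reasons)}")
```

Without command-line auditing the third field is empty and only the parent/child pairing survives, which is why the recommendation above pairs EDR or process tracking with command-line and PowerShell logging.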

Indicators of Compromise

The MS-ISAC shares the following list of indicators of compromise (IOCs), sourced from MS-ISAC data and open-source research, to help you detect and prevent infections from the malware and secondary payloads mentioned in this blog post. These threats frequently shift C2 infrastructure, so the IP addresses and domains listed below may not represent active infrastructure, but they can aid threat hunting. Additionally, this list is not exhaustive of all IP addresses and domains observed in open-source reporting.

MITRE ATT&CK Patterns Observed

The MITRE ATT&CK Patterns are based on the open-source reporting listed in the reference section at the end of this blog post.

Initial Access

T1189 Drive-by Compromise

Execution

T1204.002 User Execution: Malicious File
T1059.007 Command and Scripting Interpreter: JavaScript
T1059.001 Command and Scripting Interpreter: PowerShell
T1106 Native API

Persistence

T1053.005 Scheduled Task/Job: Scheduled Task
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Privilege Escalation

T1055 Process Injection

Defense Evasion

T1027 Obfuscated Files or Information
T1132.001 Data Encoding: Standard Encoding
T1036 Masquerading
T1140 Deobfuscate/Decode Files or Information
T1497.001 Virtualization/Sandbox Evasion: System Checks
T1564.003 Hide Artifacts: Hidden Window
T1622 Debugger Evasion

Credential Access

T1056.001 Input Capture: Keylogging
T1539 Steal Web Session Cookie
T1555.003 Credentials from Password Stores: Credentials from Web Browsers

Discovery

T1033 System Owner/User Discovery
T1057 Process Discovery
T1082 System Information Discovery

Collection

T1005 Data from Local System
T1056.001 Input Capture: Keylogging
T1074.001 Data Staged: Local Data Staging
T1113 Screen Capture
T1125 Video Capture

Command and Control

T1071.001 Application Layer Protocol: Web Protocols
T1105 Ingress Tool Transfer
T1568 Dynamic Resolution

Exfiltration

T1041 Exfiltration Over C2 Channel

References

  1. https://blogs.vmware.com/security/2023/11/netsupport-rat-the-rat-king-returns.html
  2. https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
  3. https://www.proofpoint.com/us/blog/threat-insight/are-you-sure-your-browser-date-current-landscape-fake-browser-updates
  4. https://blog.sekoia.io/clearfake-a-newcomer-to-the-fake-updates-threats-landscape/#h-malware-delivered-by-clearfake
  5. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/unmasking-asyncrat-new-infection-chain/
  6. https://attack.mitre.org/software/S1087/

About the Author

The Cyber Threat Intelligence (CTI) team at the Multi-State and Elections Infrastructure Information Sharing and Analysis Centers (MS-ISAC® and EI-ISAC®) functions as the premier CTI source for all U.S. State, Local, Tribal, and Territorial (SLTT) entities and election offices. With decades of combined experience in all types of industries, the CTI team pushes out curated SLTT-centric threat intelligence reporting as well as malicious indicators via near real-time threat feeds. This information helps SLTTs anticipate and proactively defend against emerging cyber threats and shifts in adversarial tactics, techniques, and procedures. Additional information: team tradecraft and indicator feeds.

Supported via cooperative agreement No. 23CISMSI00003-01-01 - 09/29/2025 awarded through the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (U.S. DHS). The analysis, findings, and conclusions or recommendations expressed in this document are those of the MS-ISAC and EI-ISAC.