Hackers are compromising websites to inject scripts that display fake Google Chrome automatic update errors and spread malware to unsuspecting users. The campaign has been running since November 2022. According to NTT security researcher Rintaro Koike, it picked up speed after February 2023 and began targeting Japanese, Korean, and Spanish speakers. Adult sites, blogs, news sites, and online retailers are among the many websites that have been hacked as part of this malware distribution effort.
The attack starts with compromised websites into which malicious JavaScript has been injected; the code runs whenever a user visits the page. If the visitor falls within the target audience, these scripts download additional scripts. The origin server hosting those files is hidden behind the Pinata IPFS (InterPlanetary File System) service, which defeats blocklisting and makes takedown attempts harder. Whenever a targeted visitor opens the site, the scripts display a fake Google Chrome error dialog claiming that an automatic update required to continue browsing the site failed to install.
“An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update,” reads the fake Chrome error message.
The scripts then trigger an automatic download of a ZIP file named “release.zip,” presented as the Chrome update the user must install. The ZIP contains a Monero miner that uses the device’s CPU to mine cryptocurrency for the threat actors. On launch, the malware copies itself to C:\Program Files\Google\Chrome as “updater.exe” and then starts a legitimate application to perform process injection, so that the miner runs directly from memory.
VirusTotal analysis shows that, to obtain SYSTEM privileges on the device, the malware uses the “BYOVD” (bring your own vulnerable driver) technique to exploit a flaw in the legitimate WinRing0x64.sys driver. The miner maintains persistence by creating scheduled tasks and modifying the Registry, and it disables Windows Defender. It also disables Windows Update and cuts security software off from its servers by changing those servers’ IP addresses in the HOSTS file. As a result, updates and threat detection are impaired, and an antivirus product may be disabled entirely.
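As an added defender-side check that is not part of the article or of NTT’s research, the following Python routine parses a HOSTS file and flags any entry that pins a security-vendor update or cloud-protection hostname to an address, which is the kind of tampering described above. The watchlist domains and the sample HOSTS content are constructed placeholders; replace the watchlist with the hosts your own security products and Windows Update actually use.

```python
import ipaddress

# Constructed watchlist for this example (not from the article): hostnames that
# security tooling and Windows Update must reach. Replace with the real update
# and cloud-protection hosts of the products deployed in your environment.
WATCHLIST = {"update.vendor-av.example", "cloud.vendor-av.example",
             "windowsupdate.example"}
# Addresses typically used to sinkhole a name; any other address is a redirect.
SINKHOLES = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}


def _on_watchlist(hostname: str) -> bool:
    """True if the hostname or any parent domain is on the watchlist."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels)))


def scan_hosts(text: str) -> list[dict]:
    """Report HOSTS entries that pin a watchlisted name to any address.

    A clean HOSTS file has no reason to map vendor update servers at all, so
    every such mapping is reported; 'sinkholed' tells a block (0.0.0.0 or
    loopback) from a redirect to some other address.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # strip comment, tokenize
        if len(fields) < 2:
            continue                             # blank, comment or malformed
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address-first line
        for name in fields[1:]:
            if _on_watchlist(name):
                findings.append({"line": lineno, "host": name.lower(),
                                 "address": str(addr),
                                 "sinkholed": addr in SINKHOLES})
    return findings


# Constructed sample of a tampered HOSTS file (not real campaign data).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0  update.vendor-av.example  # block AV updates
0.0.0.0  telemetry.cloud.vendor-av.example
203.0.113.10 download.windowsupdate.example
"""
```

On a live Windows host, read `C:\Windows\System32\drivers\etc\hosts` and pass its contents to `scan_hosts`; any finding warrants checking scheduled tasks and Defender settings on that machine as well.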
After completing these steps, the miner connects to xmr.2miners[.]com and begins mining Monero, a cryptocurrency that is difficult to trace. NTT cautions that although some of the defaced websites are Japanese, the recent addition of other languages may indicate that the threat actors intend to broaden their target audience; if so, the campaign’s impact may soon grow. Always download security updates for installed software from the product’s vendor or through built-in automatic update mechanisms, never from third-party websites.