Hackers drop backdoor onto victim’s systems with fake Google Chrome update

News by Rene Millman

Hackers have compromised the WordPress-based websites of corporate sites and news blogs to plant backdoors on victims' systems. The compromised websites redirect visitors to phishing sites.


According to a blog post by researchers at Doctor Web, JavaScript embedded in the hacked pages' code redirects visitors to a phishing site where they are prompted to install an important security update for the Chrome browser. So far, 2000 people have fallen for the fake update.

The update is in fact a piece of malware that enables hackers to remotely access and control the infected computers. Upon launching the fake update, the malware creates a folder in the %userappdata% directory that contains files for the TeamViewer remote control application and unpacks two password-protected SFX archives. One archive contains two components: a malicious msi.dll library, which allows an attacker to establish an unauthorised connection to the infected computer, and a batch file for launching the Chrome browser with Google[.]com as the start page.

The backdoor can be used to deliver payload modules with further malware to infected devices, such as the X-Key keylogger, the Predator The Thief stealer, and a trojan for remote control over the RDP protocol.

"Target selection is based on geolocation and browser detection. The target audience is users from the USA, Canada, Australia, Great Britain, Israel, and Turkey, using the Google Chrome browser," said researchers. "It is worth noting that the downloaded file has a valid digital signature identical to the signature of the fake NordVPN installer distributed by the same criminal group."

Simon Jelley, VP, product management, at Veritas, told SC Media UK that this highlights the challenges of trying to protect your data by solving for each and every individual threat and vulnerability. In the case of this latest attack, where the differences between a safe and an unsafe document are invisible to the human eye, no amount of employee education is going to help staff identify the threat.

“Employee education should be a key element of any ransomware protection strategy but, just as with homoglyph attacks - where links and email addresses are spoofed with characters that look identical to trusted domains - if a business’ only protection is employee detection, they can, and likely will, end up losing data,” he said.

Chris Bates, VP security strategy at SentinelOne, told SC Media UK that organisations should ensure that browsers’ anti-phishing preferences are turned on.

“It’s not uncommon for users to uncheck this option, and it’s trivial for malware to disable it without user permission. Depending on your browser, the setting can be found in various places and with various names. For Chrome and Chromium browsers, they are typically under Advanced or Privacy and will be called something like ‘Safe Browsing’ or ‘Phishing and Malware Protection’,” he said.

“Poor spelling and grammar errors in emails and other messages are always a red flag, so get into the habit of looking closely at the text that contains links. Hover over any links before clicking them to see where they really lead.” 

Fabian Libeau, EMEA VP at RiskIQ, told SC Media UK that the trick to remaining safe is through extensive knowledge and visibility of the organisation’s web-facing digital assets and their underlying JavaScript, regardless of whether it was developed by the organisation or loaded from a third-party provider as a service. 

“As this code executes on the user machine, seeing the world through the eyes of the user can highlight malicious changes that would otherwise go unnoticed. However organisations choose to defend themselves, one certainty is that, as JavaScript threats continue their inevitable advance, the complacent will be punished,” he said.
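The visibility Libeau describes starts with knowing which scripts a page actually serves to visitors. The following is an added example (not code from the article, Doctor Web or RiskIQ) of how a site owner might inventory the external and inline scripts in a page and flag anything outside a known baseline, which is how an injected redirect of the kind described above would surface. The sample HTML, the allowed-host list and the (empty) baseline of inline-script hashes are all constructed for illustration.

```python
"""Inventory the JavaScript a web page loads and flag anything outside a baseline.

Added example, not from the article: the sample page, the allowlist and the
baseline hashes below are constructed for illustration only.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one first-party script, one known third-party
# script, one script from an unexpected host, and one injected inline script
# that redirects Chrome users to a fake "update" site.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example-analytics.test/tag.js"></script>
<script src="https://static.unknown-host.invalid/loader.js"></script>
<script>if(navigator.userAgent.indexOf("Chrome")>-1){window.location="https://update-chrome.example.invalid/";}</script>
</head><body><p>Hello</p></body></html>"""

# Hosts the site is expected to load scripts from (constructed).
ALLOWED_HOSTS = {"www.example-site.test", "cdn.example-analytics.test"}

# SHA-256 digests of inline scripts known to be legitimate (constructed: empty,
# so every inline script is reported until an operator baselines it).
BASELINE_INLINE_HASHES = set()


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def audit_scripts(html, page_host, allowed_hosts, baseline_hashes):
    """Return (unexpected_script_urls, unknown_inline_scripts).

    unknown_inline_scripts is a list of (sha256_hex, script_body) pairs whose
    digest is not in the baseline.
    """
    parser = ScriptCollector()
    parser.feed(html)
    unexpected = []
    for src in parser.external:
        # A relative URL is served by the page's own host.
        host = urlparse(src).netloc or page_host
        if host not in allowed_hosts:
            unexpected.append(src)
    unknown = []
    for body in parser.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in baseline_hashes:
            unknown.append((digest, body.strip()))
    return unexpected, unknown


if __name__ == "__main__":
    ext, inl = audit_scripts(SAMPLE_HTML, "www.example-site.test",
                             ALLOWED_HOSTS, BASELINE_INLINE_HASHES)
    for src in ext:
        print("unexpected external script:", src)
    for digest, body in inl:
        print("unbaselined inline script %s: %s" % (digest[:12], body[:70]))
```

In practice the HTML would be fetched with the same User-Agent and from the same geography as real visitors, since the article notes the redirect is only served to selected browsers and countries; a crawl from a datacentre IP with a non-Chrome agent may never see the injected script.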
