Image: pureinfotech

Google Chrome is abused to deliver malware as ‘legit’ Win 10 app


Malware distributed to Chrome browser users via a hacked website can infect systems and steal sensitive data such as credentials and bitcoin by bypassing User Account Control.

Crooks behind a newly discovered malware campaign are targeting Windows 10 with malware that can infect devices using a technique that successfully bypasses the Windows cybersecurity protection called User Account Control (UAC).

Rapid7 researchers recently discovered the campaign and warn that the attackers’ goal is to extract sensitive data and cryptocurrency from the affected PC.

Andrew Iwamaye, Rapid7 research analyst, said that the malware maintains persistence on PC “by abusing a Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privileges.”

The attack chain begins when a Chrome browser user visits a malicious website and is prompted to take action by a “browser ad service,” according to Iwamaye in a blog post published Thursday. As of this writing, inquiries about what the researcher refers to as a “browser ad service” have gone unanswered.

The attackers’ ultimate goal is to steal data such as browser credentials and bitcoin using the info-stealer malware. Other malicious behaviour includes preventing browser updates and establishing system settings conducive to the execution of unauthorised commands.

Researchers discovered that attackers are delivering the malicious payload via a compromised website that has been specially built to exploit a version of the Chrome browser (running on Windows 10). Investigations into infected users’ Chrome browser history files revealed redirects to a number of suspicious domains and other unusual redirect chains before the initial infection, according to Iwamaye.

“In the first investigation, the user’s Chrome profile revealed that the site permission settings for a suspicious domain, birchlerarroyo[.]com, were altered just prior to the redirects,” he wrote. “Specifically, the user granted permission to the site hosted at birchlerarroyo[.]com to send notifications to the user.”

After additional investigation, researchers discovered that the site displayed a browser message requesting permission to show notifications to the user. This, together with a reference to a suspicious JavaScript file in its source code, led the Rapid7 team to believe it had been compromised, according to Iwamaye.

According to the research, it’s unclear why or how a user might be persuaded to allow the site to make notification requests via the Chrome browser. Once notifications were enabled, the browser user was warned that their Chrome web browser needed to be updated. They were then directed to a “convincing Chrome-update-themed webpage”.

The malicious Chrome browser update linked to an MSIX type file, which is a Windows application package. The MSIX file was named “oelgfertgokejrgre.msix” and was hosted on the chromesupdate[.]com domain. Researchers from Rapid7 confirmed that the file was a Windows application bundle.

The fact that the malicious payload was a Windows application file is significant for several reasons.

“The malware we summarized in this blog post has several tricks up its sleeve. Its delivery mechanism via an ad service as a Windows application (which does not leave typical web-based download forensic artifacts behind), Windows application installation path, and UAC bypass technique by manipulation of an environment variable and native scheduled task can go undetected by various security solutions or even by a seasoned SOC analyst,” Iwamaye wrote.

The researcher further explained:

“Since the malicious Windows application package installed by the MSIX file was not hosted on the Microsoft Store, a prompt is presented to enable installation of sideload applications, if not already enabled, to allow for installation of applications from unofficial sources,” the researcher wrote.

If the malicious Chrome update is installed, the machine is infected and the attack begins.

The initial step of the attack is a PowerShell command spawned by an executable named HoxLuSfo.exe, which was itself spawned by sihost.exe, a background process that launches and maintains the Windows action and notification centres.

The objective of the command was to perform a Disk Cleanup Utility UAC bypass, which was made possible by “a vulnerability in some versions of Windows 10 that permits a native scheduled job to execute arbitrary code by altering the content of an environment variable,” according to Iwamaye.
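The process lineage described above (sihost.exe spawning HoxLuSfo.exe, which in turn spawns PowerShell) can be hunted for in process-creation telemetry. The following is an added example, not code from Rapid7 or from the original article; the event shape, PIDs and the `<install path>` placeholder are constructed, and treating any shell whose grandparent is sihost.exe as worth triage is an assumption of this sketch.

```python
from pathlib import PureWindowsPath

SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation events (shape loosely modelled on Sysmon Event ID 1).
# PIDs are invented; "<install path>" is a placeholder, the article does not give it.
EVENTS = [
    {"pid": 700, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1200, "ppid": 700, "image": r"C:\Windows\System32\sihost.exe"},
    {"pid": 3400, "ppid": 1200, "image": r"C:\<install path>\HoxLuSfo.exe"},
    {"pid": 3456, "ppid": 3400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # Benign control: a shell opened from explorer.exe, whose own parent is not logged.
    {"pid": 2000, "ppid": 1500, "image": r"C:\Windows\explorer.exe"},
    {"pid": 2100, "ppid": 2000,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

def image_name(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()

def lineage(pid, by_pid, max_depth=16):
    """Image names from the process up to its oldest logged ancestor."""
    chain, seen = [], set()
    # Stop on a missing parent, a PID loop, or an implausibly deep chain.
    while pid in by_pid and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def find_suspicious_shells(events, broker="sihost.exe"):
    """Flag shells whose parent process was itself spawned by `broker`."""
    by_pid = {e["pid"]: e for e in events}  # assumes no PID reuse in the window
    hits = []
    for e in events:
        chain = lineage(e["pid"], by_pid)
        # chain[0] = shell, chain[1] = its parent, chain[2] = its grandparent
        if len(chain) >= 3 and chain[0] in SHELLS and chain[2] == broker:
            hits.append({"pid": e["pid"], "parent": chain[1],
                         "chain": " <- ".join(chain)})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_shells(EVENTS):
        print(hit)
```

On real telemetry, key the lookup on a unique process identifier (for example Sysmon's ProcessGuid) rather than the PID, since PIDs are reused.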