The prime target of this malware campaign is unsuspecting users on Windows 10.
Rapid7 Managed Detection and Response team has shared details of their newly identified malware campaign, urging unsuspecting Windows users to remain cautious. This campaign is designed to steal sensitive data and cryptocurrency from infected PCs.
In the latest campaign, the attackers install the payload as a Windows application after it is delivered to the device through a compromised website on Google Chrome ad service and bypasses the UAC (User Account Control), the exclusive cybersecurity protection in Windows OS.
It is worth noting that Windows 10 is the primary target of malware operators.
“Attackers are using a compromised website specially crafted to exploit a version of the Chrome browser (running on Windows 10) to deliver the malicious payload, researchers found. Investigations into infected users’ Chrome browser history file showed redirects to several suspicious domains and other unusual redirect chains before initial infection,” Rapid7 blog post read.
The first domain studied for this investigation was birchlerarroyo[.]com.
The attack chain is initiated when a user of the Chrome browser visits an infected website. The Chrome browser ad service immediately asks them to take action and update the browser. This is a malicious Chrome update linked to a Windows app package with an MSIX type file (oelgfertgokejrgre.msix).
This file is hosted on the chromesupdate[.]com domain. Researchers confirmed that this file was a Windows application package.
“Its delivery mechanism via an ad service as a Windows application (which does not leave typical web-based download forensic artifacts behind), Windows application installation path, and UAC bypass technique by manipulation of an environment variable and native scheduled task can go undetected by various security solutions or even by a seasoned SOC analyst,” Rapid7 research analyst Andrew Iwamaye wrote.
The malicious app package installed by the MSIX file isn’t hosted on the official Microsoft Store. A prompt is available to allow the installation of sideloading apps from third-party stores.
What Happens After Malware is Installed?
Once the malware is installed on a targeted device, it starts extracting sensitive user data, including credentials stored in browser or cryptocurrency, preventing browser updates and enabling command execution on the affected machine. It can also stay persistent on the device even if the malware is removed.
Iwamaye explained that to maintain persistence on the device, Infostealer abuses a “Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privileges.”
Further investigation revealed that the malware gets downloaded on the PC because of a flaw in Chrome, which allowed the malware to bypass UAC.