Researchers detect a new malware campaign that uses a web page with fake Google Chrome error screens, and the campaign actively distributing malware since Feb 2023.
With the help of social engineering techniques, threat actors trick victims into executing the malware on the system. In this case, several Japanese websites are compromised to distribute the malware.
The Malware eventually drops a Monero miner with the function of the following:
- Copy itself to C:\Program Files\Google\Chrome under the name updater.exe
- Launch legitimate conhost.exe and process injection
- Persisted using task scheduler and registry
- Windows Defender exclusion settings
- Stop services related to Windows Update
- Interfering with communication of security products by rewriting the Hosts file.
Malware Infection Process:
Attackers compromised and defaced several legitimate websites, and the malicious code was injected with the help of the following parameters.
The link has a mtizndu2 parameter and is supposed to be a lowercase MTIzNDU2 base 64 encoded version of 123456.
The following code has using for this attack:
Attackers also used a Cookie key (c122eba0264bfd7e383f015cecf59fbd) for access control, and the MD5 value is “yagamilight” for the same.
The Zip file is named as ” chromium-patch-nightly” and pretends to be a patch update for Chrome.
The language of the fake error screen displayed varies depending on the website to be defaced. In addition to Japanese, SOC has confirmed Spanish and Korean and supports multiple languages. Researchers said.
Researchers believe that some of the websites that have been defaced include Japanese websites, and the impact is widespread and serious. It may continue in the future, so be careful.
Building Your Malware Defense Strategy – Download Free E-Book