Fake Browser Updates Infect Enterprises With Ransomware, Banking Trojans
Arthur T Knackerbracket has found the following story:
Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware.
Between May and September 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.
Hacked sites would display these "fakeupdates" through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered "update" to keep the browser running "smoothly and securely".
When the update button is clicked, the site will download either an HTML application (HTA), JavaScript, or Zip archives with JavaScript files.
When the downloaded file is executed, a malicious script would be launched that gathers information about the computer and sends it back to the attacker's command and control server.
The server would then respond with an another script that would be executed on the victim's machine to download and install malware. The researchers at FireEye state that they observed malware such as Dridex, NetSupport Manager, AZORult, or Chthonic being installed on the victim's machines.
"The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZOrult, and Chthonic malware. The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor."
In addition to the information being stolen by banking Trojans, the script would also use the freeware Nircmd.exe tool to generate two screenshots of the current desktop, which are then also uploaded to the C2.
Similar to how Ryuk utilizes Trickbot, FireEye observed that Dridex would be used to install the BitPaymer or DoppelPaymer ransomware on a victim's network.
[...] Both BitPaymer and DoppelPayment are well know for requesting huge ransomware when they are able to compromise many computers on a network. For example, there are known cases where DoppelPaymer has demanded ransom ranging from $80K USD to over $2 million.
This would allow them to potentially generate huge ransoms from a compromised network that has already been squeezed dry of data to harvest.
Read more of this story at SoylentNews.