Researchers spotted a new malware campaign that targets Google Chrome users through a compromised website. The scheme can circumvent User Account Control (UAC) to infect systems and steal sensitive data, such as credentials and cryptocurrency.
Malware Sneaking Through Google Chrome Browsers
Cybersecurity firm Rapid7 recently spotted a malware operation targeting Windows 10 with malicious software that can bypass Windows security defenses, intending to steal sensitive information and cryptocurrency.
Rapid7 researcher Andrew Iwamaye said that the malware maintains persistence on PC “by abusing a Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privileges.”
In a recent blog post, Iwamaye explained how the attack chain is set in motion when a Chrome browser user visits a malicious website and a “browser ad service” asks them to take an action.
The Ultimate Goal: Credentials and Cryptocurrency
The attack’s goal is to use the info-stealing malware to collect data such as login credentials and cryptocurrency, prevent the browser from updating, and create system conditions favorable for arbitrary command execution.
Researchers found that the threat actors are using a spoofed website specially created to exploit a version of the Google Chrome browser running on Windows 10 to deliver the poisoned payload. They also looked into victims’ browser history files and discovered redirects to several suspicious domains and other unusual redirect patterns before the actual infection.
“In the first investigation, the user’s Chrome profile revealed that the site permission settings for a suspicious domain, birchlerarroyo[.]com, were altered just prior to the redirects,” he wrote. “Specifically, the user granted permission to the site hosted at birchlerarroyo[.]com to send notifications to the user.”
Once the user allowed the site to send notifications, they were alerted that their web browser needed to install an update. Then, they were redirected to a “convincing Chrome-update-themed webpage.”
Masquerading as a Windows App
The bogus update is linked to a Windows app package called “oelgfertgokejrgre.msix” hosted at the chromesupdate[.]com domain. Malware disguised as a Windows application is a serious issue for many reasons.
“The malware we summarized in this blog post has several tricks up its sleeve. Its delivery mechanism via an ad service as a Windows application (which does not leave typical web-based download forensic artifacts behind), Windows application installation path, and UAC bypass technique by manipulation of an environment variable and native scheduled task can go undetected by various security solutions or even by a seasoned SOC analyst,” Iwamaye explained.
“Since the malicious Windows application package installed by the MSIX file was not hosted on the Microsoft Store, a prompt is presented to enable installation of sideload applications, if not already enabled, to allow for installation of applications from unofficial sources,” the researcher further explained.
Once In, Chaos Unleashes
If the user executes the fake Chrome update, their device gets infected, and the attack begins.
In the first stage, an executable called HoxLuSfo.exe creates a PowerShell command that performs a Disk Cleanup Utility UAC bypass, most likely made possible by “a vulnerability in some versions of Windows 10 that allows a native scheduled task to execute arbitrary code by modifying the content of an environment variable,” Iwamaye wrote. The command exploits the use of the environment variable %windir% in the path specified in the “SilentCleanup” scheduled task by altering the value set for the variable. It deletes the existing %windir% environment variable and replaces it with a new one set to %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM.
Because the task’s command path is built from %windir%, this hijacks the “SilentCleanup” scheduled task so that it runs the attacker’s executable instead of the Disk Cleanup Utility.
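As an added defender-side example (not code from the Rapid7 post or this article), the following Python scans Sysmon-style registry-set (Event ID 13) and process-creation (Event ID 1) records for the two traces this technique leaves: a user-scope “windir” value written under the user’s Environment key, and a launch carrying SilentCleanup’s own /autoclean arguments whose image is not the real cleanmgr.exe. The event shape and the sample records are constructed, and the assumption that the override lands under HKCU\Environment (reported by Sysmon as HKU\<SID>\Environment) is mine; the article does not name the registry key.

```python
import re

# Constructed sample records in a simplified Sysmon-like shape (not real telemetry).
# EventID 13 = registry value set, EventID 1 = process creation.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Environment\Path",
     "Details": r"C:\Tools"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Environment\windir",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\setup\st.exe REM "},
    {"EventID": 1, "Image": r"C:\Windows\system32\cleanmgr.exe",
     "CommandLine": r"C:\Windows\system32\cleanmgr.exe /autoclean /d C:",
     "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\setup\st.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\setup\st.exe REM \system32\cleanmgr.exe /autoclean /d C:",
     "IntegrityLevel": "High"},
]

# Assumption: a per-user override of %windir% lives under HKCU\Environment, which Sysmon
# reports as HKU\<SID>\Environment\windir. The article itself does not name the key.
WINDIR_OVERRIDE = re.compile(r"\\Environment\\windir$", re.IGNORECASE)
REAL_CLEANMGR = re.compile(r"^[a-z]:\\windows\\system32\\cleanmgr\.exe$", re.IGNORECASE)


def findings_for(event):
    """Return a list of reasons this single event looks like the SilentCleanup hijack."""
    reasons = []
    if event.get("EventID") == 13:
        if WINDIR_OVERRIDE.search(event.get("TargetObject", "")):
            reasons.append("user-scope windir override written")
            details = event.get("Details", "")
            # The trailing ' REM' turns the rest of the task's command line into a comment.
            if re.search(r"\bREM\b", details, re.IGNORECASE) or ".exe" in details.lower():
                reasons.append("windir value points at an executable")
    elif event.get("EventID") == 1:
        cmd = event.get("CommandLine", "")
        # SilentCleanup's own arguments (/autoclean) on a process that is not the real
        # cleanmgr.exe means the %windir% expansion was redirected somewhere else.
        if "/autoclean" in cmd.lower() and not REAL_CLEANMGR.match(event.get("Image", "")):
            reasons.append("SilentCleanup launched a non-cleanmgr image")
            if event.get("IntegrityLevel") == "High":
                reasons.append("hijacked task ran elevated")
    return reasons


def scan(events):
    """Return {index: reasons} for every event that produced at least one finding."""
    hits = {}
    for i, event in enumerate(events):
        reasons = findings_for(event)
        if reasons:
            hits[i] = reasons
    return hits
```

A one-off check on a live host would be to read the same two places directly: the user’s Environment key for a “windir” value, and the scheduled task’s most recent launch for an image outside System32.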
When investigating, researchers couldn’t retrieve the payload files from the system examined because they were no longer present. However, Rapid7 used samples from VirusTotal to investigate further.
They discovered that HoxLuSfo.exe is a 32-bit Microsoft Visual Studio .NET executable containing obfuscated code that can modify the hosts file on the infected asset to prevent browser updates, Iwamaye added.
Researchers found that the malicious payload steals credentials from the browser, kills processes named Google and Microsoft Edge, and also has the ability to steal cryptocurrency and execute arbitrary commands on the infected machine.