LTS Secure Warning: Widespread Malware via Compromised Sites as Fake Browser Update

Until now we have seen threat actors use various mediums to spread the malware they develop, but a new malware affecting banking as well as other businesses is now being spread via compromised sites (WordPress & CMS) as fake browser updates.

The user is presented with a popup that claims to be from the “official update Center”, and the following message is shown to the user:

“A critical error occurred due to the outdated version of the browser, Update your browser as soon as possible.”

The following errors are also possible on an outdated version of the browser:

  • Loss of personal and stored data
  • Confidential information leaks
  • Browser errors

The browsers infected by this malware are Mozilla Firefox, Google Chrome, Internet Explorer and Edge.

At the bottom, the popup shows a button labeled “Update” which, once clicked, leads the user to compromised websites hosting exe and zip files that get downloaded to the victim's computer.

Technical Details

This malware is programmed to affect both Windows and Android devices.

Once the “Update” button is clicked, the computer downloads a ZIP archive. This resource harbors a JavaScript file with a name that mentions “browser” and “components,” in an attempt to convince the user that it is legitimate.

Once executed, it tries to download browser.jpg, which is actually an exe file containing the ransomware. In the Android version, by comparison, the file dropped on the device is banking malware.
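One way to catch the disguise described above, where a file named browser.jpg is really an executable, is to compare the claimed extension against the file's leading bytes. This is an added example, not code from the advisory; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Leading magic bytes for the file formats this advisory mentions.
JPEG_MAGIC = b"\xff\xd8\xff"
ZIP_MAGIC = b"PK\x03\x04"
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")


def is_pe(data: bytes) -> bool:
    """True if data has a DOS header that points at a valid PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # e_lfanew (offset 0x3C, little-endian uint32) holds the PE header offset.
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def sniff(data: bytes) -> str:
    """Classify content by its header bytes, ignoring the file name."""
    if is_pe(data):
        return "pe"
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """Flag a download named like an image whose content is a PE file."""
    return filename.lower().endswith(IMAGE_EXTS) and sniff(data) == "pe"


def make_fake_pe() -> bytes:
    # Constructed sample: bare DOS header plus PE signature, not real malware.
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


SAMPLES = {  # all constructed for this example
    "browser.jpg": make_fake_pe(),                     # PE content, image name
    "photo.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 80,  # real JPEG header
    "notes.jpg": b"MZ" + b"\x00" * 80,                 # "MZ" but no PE signature
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, sniff(blob), is_disguised_executable(name, blob))
```

The same comparison can be applied at a web proxy or mail gateway, where the declared Content-Type takes the place of the file extension.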

The external links that help the malware spread are:

  • hxxps://wibeee.com[.]ua/wp-content/themes/wibeee/assets/css/update.js – 225 infected sites.
  • hxxp://kompleks-ohoroni.kiev[.]ua/wp-admin/css/colors/blue/update.js – 54 infected sites.
  • hxxp://quoidevert[.]com/templates/shaper_newsplus/js/update.js – 198 infected sites.

These update.js files include a malicious script that shows the fake browser update window to the victim.

 

Impact

  • It affects your system's performance as well as its functionality.
  • It will steal your credentials/confidential data and send them to the remote attacker.
  • Damage to systems, data, and files held hostage.

Recommended Actions

  • Make sure that you are using an updated version of the software.
  • Always update your anti-virus software with the latest releases.
  • Try to avoid visiting untrusted websites and clicking links from unknown sources.
  • Run a full system scan periodically.