Beware: Malware Distribution Disguised as Fake Chrome Updates
- Written by Ari Denial, Cybersecurity & Tech Writer
A malware distribution campaign was identified by an NTT security analyst. The campaign utilized a deceptive error screen appearing as a Google Chrome update to distribute malware.
Several targets were reported to have confirmed malware downloads as the campaign gained traction. The attack begins with the compromise of legitimate websites, into which the attackers inject malicious JavaScript that runs when a user visits the page. Depending on whether the visitor fits the target criteria, that code downloads additional scripts.
The delivery of these harmful scripts is facilitated by the Pinata IPFS (InterPlanetary File System) service, which obscures the source server that stores the files. This approach thwarts efforts to blacklist the server and makes it difficult to take down the attack.
When a visitor matching the target criteria accesses the compromised website, the scripts trigger a deceptive error message disguised as a Google Chrome automatic update failure. The fake error screen states that the installation of the required update was unsuccessful, and the visitor is prompted to either install the update package manually or wait for the next automatic update.
The error message reads, “An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update.”
The attack involves the automatic download of a ZIP file named ‘release.zip’ that pretends to be a Google Chrome update. This file, however, contains a Monero miner that utilizes the device’s CPU resources to generate cryptocurrency for the attackers.
Once launched, the malware copies itself to C:\Program Files\Google\Chrome as “updater.exe” and deploys a genuine executable to run from memory. It then uses the “BYOVD” (Bring Your Own Vulnerable Driver) technique, exploiting a vulnerability in WinRing0x64.sys to obtain SYSTEM privileges on the device.
The miner evades Windows Defender by adding scheduled tasks and modifying the Registry. Once this is done, the Monero miner connects to xmr.2miners[.]com and begins mining the difficult-to-trace cryptocurrency.
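As an added example (not code from the article or from NTT's analysis), the following Python triage script turns the indicators quoted above into detection rules and runs them over constructed endpoint telemetry: the dropped file name and path, the mining-pool domain (refanged from the defanged form printed above), and a per-host correlation that flags a scheduled-task creation only on a host where updater.exe has already appeared. The key=value log format, hostnames, timestamps and the placeholder task name are assumptions; the article does not give the real task name.

```python
import re
from collections import defaultdict

# Indicators taken from the article. The pool domain is kept defanged exactly as printed.
UPDATER_PATH = r"C:\Program Files\Google\Chrome\updater.exe"
DROPPER_NAME = "release.zip"
DEFANGED_POOL = "xmr.2miners[.]com"


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging used in write-ups so the indicator matches real DNS logs."""
    return indicator.replace("[.]", ".")


MINING_POOL = refang(DEFANGED_POOL)

# Constructed sample telemetry in an assumed key=value export format (values with
# spaces are quoted). Hostnames, timestamps and PLACEHOLDER_TASK are made up.
SAMPLE_EVENTS = [
    r'2023-04-10T09:12:03Z host=WS-17 event=FileCreate image="C:\Users\bob\Downloads\release.zip"',
    r'2023-04-10T09:12:41Z host=WS-17 event=FileCreate image="C:\Program Files\Google\Chrome\updater.exe"',
    r'2023-04-10T09:12:42Z host=WS-17 event=ProcessCreate image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /create /tn PLACEHOLDER_TASK"',
    r'2023-04-10T09:13:05Z host=WS-17 event=DnsQuery query=xmr.2miners.com',
    r'2023-04-10T09:13:06Z host=WS-22 event=DnsQuery query=update.googleapis.com',
    r'2023-04-10T09:14:00Z host=WS-22 event=FileCreate image="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'2023-04-10T09:15:00Z host=WS-22 event=ProcessCreate image="C:\Windows\System32\schtasks.exe" cmdline="schtasks /create /tn PLACEHOLDER_TASK"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Parse one key=value line into a dict; the leading timestamp is stored under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    fields["ts"] = ts
    return fields


def match_rules(ev: dict) -> list:
    """Single-event rules derived from the indicators in the article."""
    hits = []
    image = ev.get("image", "").lower()
    query = ev.get("query", "").lower()
    if image == UPDATER_PATH.lower():
        hits.append("updater_exe_in_chrome_dir")
    if ev.get("event") == "FileCreate" and image.endswith("\\" + DROPPER_NAME):
        hits.append("release_zip_written")
    if query == MINING_POOL or query.endswith("." + MINING_POOL):
        hits.append("mining_pool_dns")
    return hits


def scan(lines) -> list:
    """Run the single-event rules, then correlate per host: schtasks.exe launched on a
    host that has already written updater.exe (the persistence step described above).
    A schtasks.exe launch on a host without the dropped file is not flagged."""
    alerts = []
    seen_updater = defaultdict(bool)
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        for rule in match_rules(ev):
            alerts.append({"host": host, "rule": rule, "ts": ev["ts"]})
            if rule == "updater_exe_in_chrome_dir":
                seen_updater[host] = True
        if (ev.get("event") == "ProcessCreate"
                and ev.get("image", "").lower().endswith("\\schtasks.exe")
                and seen_updater[host]):
            alerts.append({"host": host, "rule": "schtasks_after_updater_drop", "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f'{alert["ts"]} {alert["host"]} {alert["rule"]}')
```

Running it over the constructed events flags only WS-17: the release.zip write, the updater.exe drop, the scheduled-task creation that follows it, and the DNS lookup of the pool. The identical schtasks.exe launch on WS-22 stays quiet because nothing on that host preceded it, which is the point of correlating the persistence step with the dropped file rather than alerting on schtasks.exe alone.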
As prevention, avoid installing security updates from third-party sites, and always rely on updates from the software's developer or the program's own automatic update mechanism.
Invisible Calendar Invites Used to Hack iPhones and Install QuaDream Spyware
- Written by Ari Denial, Cybersecurity & Tech Writer
The spyware was found to be particularly advanced, using techniques such as sandbox evasion and persistence to remain undetected on the compromised device.
According to the report, QuaDream’s spyware has been linked to a group known as Candiru, which is also based in Israel and has been accused of selling spyware to various governments around the world.
Microsoft has stated that it has taken steps to protect its customers from QuaDream, but warns that these types of attacks will continue to occur as long as spyware companies are allowed to operate without oversight.
Attackers were able to compromise iPhones by using backdated and “invisible” iCloud calendar invitations, according to reports.
The attackers used this technique to trigger the ENDOFDAYS exploit, which runs automatically once an iCloud calendar invitation is added to the user’s calendar, without any notification or prompt. This allowed the attacks to remain undetected by the targets, making it an effective technique for compromising devices.
Citizen Lab researchers have reported that “at least five civil society victims of QuaDream’s spyware and exploits” were found in various regions, including Central Asia, Southeast Asia, Europe, North America and the Middle East. The victims reportedly include journalists, political opposition figures, and an NGO worker, but no names were provided.
The malware used in the campaign, dubbed KingsPawn by Microsoft, was designed to self-delete and clean out any traces from victims’ iPhones to evade detection, according to the report. Additionally, Citizen Lab discovered a process name used by the spyware through their analysis of the self-destruct feature.
The capabilities of QuaDream’s spyware, discovered during analysis, include recording audio from phone calls and the microphone, taking pictures with the device’s camera, exfiltrating items from the device’s keychain, generating iCloud time-based one-time password login codes for future dates, running SQL queries, tracking the device’s location, and performing various filesystem operations. The spyware also has the ability to clean remnants left behind by zero-click exploits.
QuaDream servers were discovered by Citizen Lab in several countries, including Bulgaria, Hungary, Israel, Mexico, the Czech Republic, Romania, Ghana, Uzbekistan, Singapore, and the United Arab Emirates (UAE).