Nov 2, 2021

New malware uses fake Chrome update as lure to attack Windows PCs


The Rapid7 Managed Detection and Response team has shared details of a newly identified malware campaign, urging unsuspecting Windows users to remain cautious. The campaign is designed to steal sensitive data and cryptocurrency from infected PCs.
In this campaign, the payload is delivered to the device through a compromised website via the Google Chrome ad service, and the attackers install it as a Windows application. It bypasses UAC (User Account Control), a security protection exclusive to Windows.
Windows 10 is the primary target of the malware operators.
“Attackers are using a compromised website specially crafted to exploit a version of the Chrome browser (running on Windows 10) to deliver the malicious payload, researchers found. Investigations into infected users’ Chrome browser history file showed redirects to several suspicious domains and other unusual redirect chains before initial infection,” the Rapid7 blog post read.
The first domain studied for this investigation was birchlerarroyo[.]com.
The attack chain starts when a Chrome user visits an infected website. The Chrome browser ad service immediately asks them to take action and update the browser. The supposed update is malicious: it links to a Windows app package in the form of an MSIX file (oelgfertgokejrgre.msix).

This file is hosted on the chromesupdate[.]com domain. Researchers confirmed that this file was a Windows application package.
Compromised site pushing fake and malicious Google Chrome update (left) – Windows App Installer window showing a fake Google Chrome update installation prompt (Right) – Image credit: Rapid7
“Its delivery mechanism via an ad service as a Windows application (which does not leave typical web-based download forensic artifacts behind), Windows application installation path, and UAC bypass technique by manipulation of an environment variable and native scheduled task can go undetected by various security solutions or even by a seasoned SOC analyst,” Rapid7 research analyst Andrew Iwamaye wrote.
The malicious app package installed by the MSIX file isn’t hosted on the official Microsoft Store. A prompt is presented to allow the installation of sideloaded apps from third-party stores.
Once installed on a targeted device, the malware starts extracting sensitive user data, including browser-stored credentials and cryptocurrency, prevents browser updates, and enables command execution on the affected machine. It can also stay persistent on the device even if the malware is removed.

Iwamaye explained that, to maintain persistence on the device, the infostealer abuses a “Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privileges.”
Further investigation revealed that the malware gets downloaded on the PC because of a flaw in Chrome, which allowed the malware to bypass UAC.
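As an added triage example (not code from Rapid7 or from this article), the PowerShell below checks a Windows host for the traces the report describes: a user-scope environment variable that shadows a machine-scope one, elevated scheduled tasks whose command line references that variable, and app packages that were sideloaded rather than installed from the Store. The article does not name the variable involved, so the `$systemOnlyNames` and `$expectedUserNames` lists are assumptions.

```powershell
# Added triage example; not Rapid7's or the article's code. Read-only.
$machineKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
$userKey    = 'HKCU:\Environment'
# Names normally defined per user as well, so shadowing them is expected.
$expectedUserNames = @('Path', 'TEMP', 'TMP')
# Assumption: names Windows sets itself that have no reason to exist per user.
$systemOnlyNames   = @('windir', 'SystemRoot', 'SystemDrive')

function Get-ValueNames([string]$Key) {
    $k = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($k) { $k.GetValueNames() } else { @() }
}

# 1. User-scope variables that shadow a machine-scope variable.
$machineNames = @(Get-ValueNames $machineKey) + $systemOnlyNames
$userReg = Get-Item -LiteralPath $userKey -ErrorAction SilentlyContinue
$shadowed = @(foreach ($name in (Get-ValueNames $userKey)) {
    if ($machineNames -contains $name -and $expectedUserNames -notcontains $name) {
        [pscustomobject]@{
            Name  = $name
            # Raw value, so %VAR% references are shown unexpanded.
            Value = $userReg.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        }
    }
})

# 2. Elevated scheduled tasks whose command line references a shadowed name.
$affectedTasks = @()
if ($shadowed.Count -gt 0) {
    $pattern = '%(' + (($shadowed.Name | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')%'
    $affectedTasks = @(Get-ScheduledTask | Where-Object {
        $_.Principal.RunLevel -eq 'Highest' -and
        (($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -match $pattern)
    } | Select-Object TaskPath, TaskName)
}

# 3. App packages for this user that are not Store- or OS-signed (sideloaded).
$sideloaded = @(Get-AppxPackage | Where-Object {
    [string]$_.SignatureKind -notin 'Store', 'System'
} | Select-Object Name, Publisher, SignatureKind, InstallLocation)

[pscustomobject]@{
    ShadowedVariables = $shadowed
    AffectedTasks     = $affectedTasks
    SideloadedApps    = $sideloaded
} | Format-List
```

Run it in the session of the user under investigation, since both `HKCU:\Environment` and `Get-AppxPackage` are per-user. Sideloaded packages can be legitimate (developer or enterprise-signed apps), so treat that list as a starting point for review.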
HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom. is among the registered trademarks of Gray Dot Media Group Ltd. Company registration number 12903776 in regulation with the United Kingdom Companies House. The registered address is 85 Great Portland Street, London, England, W1W 7LT