The Deceptive Chrome Update Functions as a Remote Access Trojan (RAT) Capable of Seizing Control of Your Computer – Here’s What You Should Be Aware Of
In the ever-evolving landscape of cybersecurity, a persistent threat takes the form of a deceptive fake Chrome update. This fraudulent software, disguising itself as a legitimate browser update, continues to be an active and substantial danger to unsuspecting users.
This deceptive Chrome update goes beyond appearances, functioning as a Remote Access Trojan (RAT) capable of taking control of your computer. Often serving as the initial phase in a ransomware attack, this malware can result in significant financial losses and data breaches. Cybersecurity experts have recently uncovered a new variant of this malware, identified as “FakeUpdateRU” by Jerome Segura of MalwareBytes. Notably, this variant is distinct from the earlier SocGholish malware, indicating the involvement of a different hacking group exploiting the rising demand for ransomware attacks.
Multiple such groups have emerged lately, prompting a swift response from Google. The tech giant has taken measures to block most websites distributing this malware and displays warning pages when users attempt to access them. The malware manipulates the main index[.]php file of website themes, closely mimicking the appearance of an authentic Chrome update page.
What sets this fake Chrome update apart is its use of plain HTML code sourced from the UK English version of Google’s website. This suggests that the hackers used a Chrome (Chromium-based) browser to craft the malware, resulting in the presence of Russian language elements in the files, even for non-Chrome users.
The genuine danger of this malware lies in the JavaScript code at the bottom of the counterfeit update page. This code initiates the malware download when users click the “Update” button, employing a Chrome-themed domain to obtain the final download URL, typically on another compromised website. The malware is associated with the Zgrat and Redline Stealer malware families, both recognized for their involvement in ransomware attacks.
Critical to note is that the fake update pages and the malware files are hosted on separate hacked websites. Hackers utilize multiple domains with similar names to redirect users to the malware .ZIP file, constantly changing and registering them to sustain the scale of their malicious campaign.
Users can identify infected websites by searching for a specific Google Tag Manager script, which provides insights into the extent of the threat. In response to Google’s rapid blocking of domains that redirect users, hackers have adapted their tactics by directly linking to downloads on other compromised websites. This necessitates the reinfection of numerous sites, rather than altering a single file on their server.
To safeguard against these Chrome updates that harbor malware threats, experts recommend keeping plugins and themes up to date, fortifying WordPress websites, and maintaining regular data backups.
