Researchers discovered that the malware, disguised as a Chrome update, uses Dropbox’s API to steal credentials and is linked to North Korea’s “Contagious Interview” cyber-espionage campaign.
Fake Chrome Update Installs DriverEasy Malware
DriverEasy, developed in Swift and Objective-C, uses deceptive methods to steal user credentials. Upon execution, it shows a fake error prompt and requests system passwords, mimicking a legitimate Google Chrome alert.
Once the user enters their credentials, the malware captures them and sends them to Dropbox using its API. It communicates with Dropbox through pre-configured OAuth 2.0 credentials, including a refresh token, client ID, and client secret.
The malware uses these parameters to authenticate with Dropbox and upload the stolen password as “password.txt.”
It starts by querying the victim’s public IP address for tracking, then stores the password with other strings in an array.
The password is then uploaded through the Dropbox API in an HTTP request authenticated with the OAuth token.
After the upload, the malware checks the HTTP status code to confirm that the operation succeeded.
DriverEasy shares similarities with other malware like ChromeUpdate and CameraAccess, all using the same Dropbox API credentials for data exfiltration. These apps deceive users into revealing sensitive information by mimicking legitimate software.
Mitigation
To mitigate risks, users should be cautious of unexpected credential requests from apps. Organizations should implement strong endpoint detection and monitor for unauthorized API usage.
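As an added example (not code from the article or from the researchers' report), one way to act on the "monitor for unauthorized API usage" advice above: a small detector that scans proxy/EDR log lines for a non-allowlisted process that refreshes a Dropbox OAuth token and then uploads a file shortly afterwards, the sequence described for DriverEasy. The log format, host and process names and the IP-lookup service are assumptions; the Dropbox token and upload endpoints are real.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article). api.ipify.org stands in
# for whichever public-IP service the malware actually queries (not stated).
SAMPLE_LOG = """\
2024-06-01T10:00:01Z host=mac-01 proc=DriverEasy dst=api.ipify.org method=GET path=/ status=200
2024-06-01T10:00:02Z host=mac-01 proc=DriverEasy dst=api.dropboxapi.com method=POST path=/oauth2/token status=200
2024-06-01T10:00:03Z host=mac-01 proc=DriverEasy dst=content.dropboxapi.com method=POST path=/2/files/upload status=200
2024-06-01T10:05:00Z host=mac-02 proc=Dropbox dst=api.dropboxapi.com method=POST path=/oauth2/token status=200
2024-06-01T10:05:01Z host=mac-02 proc=Dropbox dst=content.dropboxapi.com method=POST path=/2/files/upload status=200
2024-06-01T11:00:00Z host=mac-03 proc=Safari dst=content.dropboxapi.com method=POST path=/2/files/upload status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)
# Processes that are expected to talk to the Dropbox API on managed endpoints.
ALLOWED_PROCS = {"Dropbox"}

def parse(log_text):
    """Parse the key=value log format above into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def detect_dropbox_exfil(log_text, window=timedelta(minutes=5)):
    """Flag (host, proc) pairs where a non-allowlisted process refreshes an OAuth
    token at api.dropboxapi.com and uploads to content.dropboxapi.com within `window`."""
    findings, last_refresh = [], {}
    for ev in sorted(parse(log_text), key=lambda e: e["ts"]):
        if ev["proc"] in ALLOWED_PROCS:
            continue
        key = (ev["host"], ev["proc"])
        if ev["dst"] == "api.dropboxapi.com" and ev["path"] == "/oauth2/token":
            last_refresh[key] = ev["ts"]
        elif ev["dst"] == "content.dropboxapi.com" and ev["path"].startswith("/2/files/upload"):
            t0 = last_refresh.get(key)
            if t0 is not None and ev["ts"] - t0 <= window:
                findings.append({"host": ev["host"], "proc": ev["proc"],
                                 "upload_at": ev["ts"].isoformat(), "status": ev["status"]})
    return findings

if __name__ == "__main__":
    for f in detect_dropbox_exfil(SAMPLE_LOG):
        print("suspicious Dropbox exfiltration sequence:", f)
```

The Safari upload on mac-03 is deliberately not flagged, since the rule keys on the token-refresh-then-upload sequence; a stricter policy could alert on any upload from an unknown process.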
This case highlights the growing threat of cybercriminals using trusted platforms for malicious purposes, emphasizing the need for detailed threat analysis to improve defenses.