Cybercriminals are increasingly employing counterfeit browser updates that imitate genuine notifications from Google Chrome, Mozilla Firefox, and Microsoft Edge to distribute malware on victims’ computers.
Fake browser updates
A recent report by the security firm Proofpoint found that a threat actor it tracks as TA569 has been using bogus browser-update notifications to deliver the SocGholish malware, and that the group has relied on this tactic for at least five years.
The group is believed to operate as an initial access broker: it gains the first foothold in victim networks and sells that access, together with data taken from those networks, to ransomware gangs.
As Proofpoint describes it, a fake browser update begins with a compromised website. Code injected into the site shows visitors a notification styled to look like an official message from Chrome, Firefox, or Edge stating that an update is required. A user who clicks it does not receive a browser update at all; what they download is the attackers' malware.
Besides TA569, other threat actors have recently surfaced using the same fake-update lure. Each group delivers its decoy page and payload in its own way, but all of them rely primarily on social engineering: the lure exploits the trust users place in their browser and in the reputable websites they visit.
The researchers identified "at least four distinct threat groups" employing the tactic, though the groups do not all use the same lure to deliver their payloads.
Proofpoint advises defenders to follow the @monitorsg account on Infosec Exchange to keep track of changes to these actors' payloads and infrastructure.
Many users lack the training needed to recognise and avoid these tricks, which is what keeps fake browser updates effective. Practical defences include:
- Source Verification: Only obtain browsers and browser updates from the vendor's official website or a trusted app store. Chrome, Firefox, and Edge update themselves from inside the application (see the browser's own About page), so a web page that tells you to download an update is never legitimate, no matter how official it looks.
- Keep Software Updated: Regularly update your browser, operating system, and security software so that attackers cannot exploit known vulnerabilities. Note that the lure hijacks exactly this good habit; the genuine update always arrives through the browser's built-in mechanism, not through a site you happen to be visiting.
- Security Software: Install and maintain reputable antivirus and anti-malware software to detect and block malicious downloads, and make sure script files (such as .js) downloaded from the web are not opened automatically.
- Educate and Train: Learn to recognise phishing attempts, suspicious websites, and deceptive update notifications, and pass that knowledge on to family members and colleagues.
- Browser Security Settings: Configure the browser to block pop-ups and warn about potentially harmful downloads, and be selective about which sites may run scripts or install extensions. Bear in mind that these lures are usually rendered by script inside the compromised page rather than as a separate pop-up window, so pop-up blocking alone does not stop them.
Indicators from the report:
- Keitaro TDS hosted on:
- Injects lead to paths:
- Chrome lure on:
Emerging Threats signatures (all open signatures are available for free):
- "ET MALWARE SocGholish Domain in (DNS Lookup/TLS SNI) (<domain>)"
- "ET MALWARE SocGholish CnC Domain in (DNS Lookup/TLS SNI) (<domain>)"
- "ET EXPLOIT_KIT RogueRaticate Domain in (DNS Lookup/TLS SNI) (<domain>)"
- "ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (4cdcb)"
- "ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to RogueRaticate (3a7ee)"
- "ET EXPLOIT_KIT Keitaro Set-Cookie Inbound to ClearFake (71eb8)"
- "ET EXPLOIT_KIT ZPHP Domain in (DNS Lookup/TLS SNI) (<domain>)"
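The two controls the page keeps returning to are the ones worth automating: the "Domain in (DNS Lookup/TLS SNI)" signatures above check outbound name lookups and TLS handshakes against a list of lure and C2 domains, and the "Source Verification" advice reduces to one rule, namely that an installer for Chrome, Firefox, or Edge served from anywhere other than the vendor's own domains is a lure. The script below is an added example of both checks and is not code from Proofpoint or from the report. The watchlist entries, the vendor domain table, the log lines, and the URLs are all constructed placeholders, not indicators from the report.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed watchlist standing in for the domain list an ET "... Domain in
# (DNS Lookup/TLS SNI)" rule would carry. Placeholder names, not indicators
# from the Proofpoint report.
WATCHLIST = {"update-check.example", "cdn.fake-browser-update.example"}

# Domains that serve genuine installers for each browser (an assumption for
# this example; extend for your environment). Chrome, Firefox and Edge update
# themselves in-app, so an "update" for any of them fetched from another host
# is a lure by definition.
VENDOR_DOMAINS = {
    "chrome": ("google.com", "googleapis.com"),
    "firefox": ("mozilla.org",),
    "edge": ("microsoft.com",),
}

# File names the lures use to pass as an installer, e.g. Chrome.Update.js
UPDATE_NAME = re.compile(r"(chrome|firefox|edge)[\w.\- ]*?(update|install|setup)", re.I)

# Extracts the queried name or SNI from a key=value style DNS/TLS log line
DNS_SNI_FIELD = re.compile(r"\b(?:qname|sni)=([A-Za-z0-9.\-]+)")


def under_domain(host, domain):
    """True if host is domain itself or any subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def watchlist_hits(log_lines):
    """Return [(line_no, host)] for every DNS lookup or TLS SNI on the watchlist."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = DNS_SNI_FIELD.search(line)
        if m and any(under_domain(m.group(1), d) for d in WATCHLIST):
            hits.append((n, m.group(1)))
    return hits


def is_fake_update(url):
    """Return the browser name when url looks like an installer for that
    browser but is served from a host its vendor does not own; else None."""
    parts = urlsplit(url)
    filename = unquote(parts.path.rsplit("/", 1)[-1])
    m = UPDATE_NAME.search(filename)
    if not m:
        return None
    browser = m.group(1).lower()
    host = parts.hostname or ""
    if any(under_domain(host, d) for d in VENDOR_DOMAINS[browser]):
        return None
    return browser


# Constructed log lines in a key=value form (not real traffic).
SAMPLE_LOG = [
    "2023-10-17T12:00:01Z dns qname=www.example.org type=A",
    "2023-10-17T12:00:02Z tls sni=cdn.fake-browser-update.example",
    "2023-10-17T12:00:03Z dns qname=tds.update-check.example type=A",
    "2023-10-17T12:00:04Z tls sni=dl.google.com",
]

if __name__ == "__main__":
    print(watchlist_hits(SAMPLE_LOG))
    for u in ("https://cdn.fake-browser-update.example/Chrome.Update.js",
              "https://dl.google.com/chrome/install/ChromeSetup.exe"):
        print(u, "->", is_fake_update(u))
```

The domain match deliberately covers subdomains on both sides: a lure host is flagged whether the TDS sits on the listed name or on a hostname beneath it, and a genuine download is accepted from any host under the vendor domain rather than from one hard-coded download server. The installer check keys on the file name rather than the content type because the lures on this page are delivered as script files dressed up as updates, not as real executables.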