This Malware Mimics Your Browser to Steal Information


Criminals are increasingly using fake browser updates that mimic notifications from Google Chrome, Mozilla Firefox, and Microsoft Edge in order to install malware on target computers.

According to cybersecurity firm Proofpoint, the threat group tracked as TA569 has been using this type of lure to deploy its SocGholish malware for five years.

The group is believed to operate as an initial access broker: it compromises target organizations and sells the resulting foothold to other criminals, including ransomware gangs, who use that access to bypass the victim's cyber defenses rather than breaking in themselves.

Proofpoint explains: “Fake browser updates refer to compromised websites that display what appears to be a notification from the browser developer such as Chrome, Firefox, or Edge, informing them that their browser software needs to be updated. When a user clicks on the link, they do not download a legitimate browser update but rather harmful malware.”
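The mechanism described above gives defenders a simple signal: Chrome, Firefox and Edge update themselves through their own updaters and never prompt for a download from a third-party website, so a browser-named "update" file fetched from a host that does not belong to the vendor is worth a look. The following is an added example, not code from Proofpoint or from the original article, that runs that check over a few constructed proxy-log lines. The vendor domain allow-list, the log layout, and the file-name pattern are all illustrative assumptions; a real rule would use each vendor's published update hosts and your own proxy's format.

```python
import re
from urllib.parse import urlparse, unquote

# Illustrative allow-list of domains the real vendors serve updates from
# (assumption for this demo; a production rule would use each vendor's
# published update hosts, which are more numerous than this).
VENDOR_UPDATE_DOMAINS = {"google.com", "mozilla.org", "microsoft.com"}

# File names a fake-update lure hands the user: a browser name plus an
# "update"-style word and an extension that executes on Windows.
# (Pattern is an assumption for the demo, not a vendor or Proofpoint rule.)
BROWSER_RE = re.compile(r"(chrome|firefox|edge)", re.I)
UPDATE_RE = re.compile(r"(update|upgrade|install)", re.I)
EXECUTABLE_EXT_RE = re.compile(r"\.(js|zip|exe|msi|hta|vbs)$", re.I)


def is_vendor_host(host: str) -> bool:
    """True only for a vendor domain itself or a real subdomain of it.

    A plain substring check would wrongly accept look-alikes such as
    'google.com.evil.test', so match on exact label boundaries."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in VENDOR_UPDATE_DOMAINS)


def looks_like_browser_update_file(path: str) -> bool:
    """True when the last path segment reads like '<Browser> Update.<exec ext>'."""
    name = unquote(path.rsplit("/", 1)[-1])
    return bool(BROWSER_RE.search(name)
                and UPDATE_RE.search(name)
                and EXECUTABLE_EXT_RE.search(name))


def parse_proxy_line(line: str):
    """Constructed proxy-log layout: '<timestamp> <client> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def flag_fake_update_downloads(lines):
    """Return successful GETs of browser-update-named executables from non-vendor hosts."""
    hits = []
    for line in lines:
        rec = parse_proxy_line(line)
        if not rec or rec["method"] != "GET" or not rec["status"].startswith("2"):
            continue
        u = urlparse(rec["url"])
        if not u.hostname:
            continue
        if looks_like_browser_update_file(u.path) and not is_vendor_host(u.hostname):
            hits.append({
                "client": rec["client"],
                "host": u.hostname,
                "file": unquote(u.path.rsplit("/", 1)[-1]),
            })
    return hits


# Constructed sample log lines (not real traffic). Line 1 is a genuine vendor
# download, lines 2 and 4 are the lure served from a compromised site and from
# a look-alike host, line 5 is a redirect and is ignored.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.5 GET https://dl.google.com/update2/installers/ChromeUpdate.exe 200",
    "2024-01-01T10:02:17Z 10.0.0.7 GET https://blog.example-compromised.test/wp-content/Chrome.Update.zip 200",
    "2024-01-01T10:03:40Z 10.0.0.9 GET https://news.example.test/index.html 200",
    "2024-01-01T10:05:02Z 10.0.0.7 GET https://google.com.evil.test/update/Firefox%20Update.js 200",
    "2024-01-01T10:06:11Z 10.0.0.11 GET https://download.mozilla.org/?product=firefox-latest 302",
]

if __name__ == "__main__":
    for h in flag_fake_update_downloads(SAMPLE_LOG):
        print(f"{h['client']} fetched {h['file']} from non-vendor host {h['host']}")
```

The file-name heuristic is deliberately narrow and will miss a lure that ships a neutrally named archive, so in practice it belongs beside endpoint telemetry such as a script host or installer launching from a user's download directory shortly after a browser session. The look-alike host in line 4 is the edge case the allow-list check exists for: substring matching on "google.com" would have whitelisted it.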

The cybersecurity analysts add that they are currently monitoring “at least four distinct threat clusters” that use this tactic, but not all groups on their radar are using the same lure to deliver the same payload.

Proofpoint further states that, to guide defender response, it is important to identify which campaign and malware cluster a given threat belongs to, adding: “Specific indicators of compromise associated with the identified activities change regularly, as the threat actors are routinely moving their infrastructure and changing details in their payloads.”

According to Cybernews, Proofpoint points defenders, professional or otherwise, to a public resource for keeping up with recent payload and infrastructure changes: the “@monitorsg” account on Infosec Exchange, a Mastodon instance used by the security community.