Fake Google Chrome update Bypasses Windows User Account Control
There is no better way to get a payload onto someone's device than through a program that nearly everyone has installed like Google Chrome. Infostealer malware, masquerades as a legitimate update to Google Chrome so that sensitive data or cryptocurrency can be stolen from the victims' machines. The Malware is delivered through a compromised website on Chrome browsers can bypass User Account Controls to infect systems. Hackers behind a newly identified malware campaign are targeting Windows 10 with malware that can infect systems via a technique that bypasses Windows cybersecurity protections called User Account Control (UAC).
Researchers from Rapid7 identified the campaign and warn that the goal of the hackers is to steal sensitive data and steal cryptocurrency from the targeted infected PC. The Rapid7 Managed Detection and Response team detected a malware campaign that installs its payload as a Windows application after delivery via a browser ad service and bypasses User Account Control (UAC). Once installed, this malware, called Infostealer, steals sensitive information such as credentials stored in the browser or cryptocurrency from an infected device. Infostealer also prevents browser updates and allows for command execution on a device which enables persistence if Infostealer is removed. It does this by leveraging a Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privileges.
Infostealer gets onto a machine through a process that starts when a user enables notifications in-browser, which is triggered by a compromised JavaScript file hosted on websites for advertising purposes. This permission change allows the website to push toast notifications to Windows, which spam users or notify people of fake software updates. The fake notification is used to make people believe they had a Chrome update and redirecting them to a fake update site.
The malicious update is linked to a Windows application package called a MSIX type file. The file name of the MSIX is oelgfertgokejrgre.msix and was hosted at a domain chromesupdate.com. Because the malware installed by the MSIX file is not hosted on the Microsoft Store, a prompt is activated to enable installation of sideload applications, to allow applications from unofficial sources.
The malware has several tricks. Its delivery mechanism via an ad service as a Windows application, which doesn't leave web-based download forensic artifacts and UAC bypass technique by manipulation of an environment variable and native scheduled task so it can go undetected by various security solutions. Researchers couldn't get the payload files from the sample they analyzed because they were no longer available during their investigation.
To help protect against this malware, users need to be aware of what links they click and files they download. If a program requests extra permissions than what is default, it is usually a red flag. With precaustions, Infostealer will be less prevalent.