Cybersecurity researchers at eSentire’s Threat Response Unit (TRU) have detected instances of fake browser updates delivering several malware infections, including remote access trojans (RATs) and information-stealing malware, BitRAT and Lumma Stealer (also known as LummaC2).
According to a recent report from cybersecurity company eSentire, these fake browser updates are also responsible for the well-known SocGholish malware, which has been identified in new attacks.
In 2024, it was observed that FakeBat was distributed using similar fake update mechanisms.
The attack begins when a potential victim visits a compromised website containing injected malicious JavaScript code that directs the user to the fake browser update page, such as “chatgpt-app[.]cloud”.
Further, the chatgpt-app[.]cloud site contains a link to download a ZIP archive (“Update.zip”), which is hosted on Discord’s Content Distribution Network (CDN) and downloaded automatically to the victim’s device.
“The JavaScript file (Update.js) contained within the ZIP archive acts as an initial downloader to retrieve the payloads once executed by the victim. The archive contains several PowerShell scripts responsible for downloading and executing the next stage loader and payloads from http://77[.]221[.]151[.]31,” the report said.
“The IP address identified in the PowerShell script is a known BitRAT Command-and-Control (C2) address, which hosts both the BitRAT and Lumma Stealer payloads. The files have the extension .png, but contain the loader, persistence mechanisms, and the payloads.”
The report further added, “The two files containing the malicious payloads a.png and s.png include an AMSI bypass, the code that leverages reflection in .NET to dynamically load and execute the payload within RegSvcs.exe process.”
eSentire notes that the downloader is likely advertised as a “malware delivery service” because it is used to deploy both BitRAT and Lumma Stealer.
BitRAT is a versatile remote access tool that allows attackers widespread control over infected systems. It enables them to harvest data, steal sensitive data, monitor user activity, download additional binaries, and even deploy additional malware.
On the other hand, Lumma Stealer is a commodity information stealer capable of harvesting valuable information, such as cryptocurrency wallets, 2FA browser extensions, and other sensitive data, from victims’ machines.
“The fake browser update lure has become common amongst attackers as a means of entry to a device or network,” the company said, adding it “displays the operator’s ability to leverage trusted names to maximize reach and impact.”
Hackers often use Discord as an attack vector for malware. A recent analysis by Bitdefender revealed that more than 50,000 dangerous links were circulated in the last six months to distribute malware, phishing campaigns and spam.
Meanwhile, a separate study from ReliaQuest revealed that a new variant of the ClearFake campaign tricks users into copying, pasting, and manually executing malicious PowerShell code under the guise of a fake browser update.
This resulted in the installation of LummaC2 malware, which was one of the leading infostealers in 2023, as noted by another ReliaQuest report.
“The number of LummaC2-obtained logs listed for sale increased by 110% from Q3 to Q4 2023. LummaC2’s rising popularity among adversaries is likely due to its high success rate, which refers to its effectiveness in successfully infiltrating systems and exfiltrating sensitive data without detection,” ReliaQuest noted.
