Chrome Update – Malware


I was surfing the web and managed to run across a boating website (URL redacted to protect the innocent as it is likely a compromised website).

Once the website loaded, it displayed a popup telling me that I needed to update my version of Chrome.

[Screenshot: the fake Chrome update popup]

It claimed that I needed to update to 62.0.3202.75 and after a quick check, I see my version is 94.0.4606.61 (Official Build). No shocker as I already know that Chrome would not display such a banner, but I wanted to play with it some. I copied and pasted the URL to my sandbox and it was time to play.

First I wanted to look at the website's code to see what was going on. Added to the header of the HTML code was:

It is a total of 4,411 lines of minified and obfuscated JavaScript that displays the above banner. I'm not going to show the 4,000-plus lines of code and then the cleaned-up code, as it will kill the memory in your browser. But if you want to see the code (it has been redacted so the URL to download the update is no longer valid):

minified and obfuscated JavaScript

Cleaned up JavaScript

The code is supposed to detect the browser version and download the matching malware-embedded browser.
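A few thousand lines of minified JavaScript dropped into a page's head is exactly the kind of thing you want to spot quickly when triaging a possibly compromised site. The script below is an added example (my own, not the injected code from the site and not a reproduction of it) that pulls every inline script out of the head of an HTML document and scores it on the traits such droppers tend to share: hex-escaped string arrays, obfuscator-style `_0x` names, `eval`/`unescape`/`atob` decoding, `navigator.userAgent` sniffing, and very long lines. The sample page, the indicator list and the threshold are all constructed for the demo; a high score means "read this script", not "this is malware".

```python
import re
from html.parser import HTMLParser

# Indicators that often show up together in minified/obfuscated droppers.
# This list is an assumption for the demo; tune it for your own environment.
INDICATORS = {
    "hex_escapes": re.compile(r"\\x[0-9a-fA-F]{2}"),          # '\x75\x73...' string arrays
    "fromcharcode": re.compile(r"fromCharCode"),
    "decode_calls": re.compile(r"\b(?:eval|unescape|atob)\s*\("),
    "hex_identifiers": re.compile(r"_0x[0-9a-f]{3,}"),        # obfuscator-generated names
    "ua_sniffing": re.compile(r"navigator\.(?:userAgent|appVersion)"),  # browser/version detection
}
LONG_LINE = 500  # minified code packs everything onto a handful of very long lines


class HeadScriptExtractor(HTMLParser):
    """Collect the body of every inline <script> that sits inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "script" and self.in_head:
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False
        elif tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw text, possibly in chunks
        if self.in_script:
            self.scripts[-1] += data


def head_scripts(html):
    parser = HeadScriptExtractor()
    parser.feed(html)
    parser.close()
    return parser.scripts


def score_script(src):
    """Return (score, hits): one point per distinct indicator present."""
    hits = {}
    for name, rx in INDICATORS.items():
        count = len(rx.findall(src))
        if count:
            hits[name] = count
    longest = max((len(line) for line in src.splitlines()), default=0)
    if longest > LONG_LINE:
        hits["long_line"] = longest
    return len(hits), hits


def triage(html, threshold=3):
    """Scripts in <head> whose indicator score reaches the threshold."""
    flagged = []
    for index, src in enumerate(head_scripts(html)):
        score, hits = score_script(src)
        if score >= threshold:
            flagged.append({"index": index, "score": score, "hits": hits, "bytes": len(src)})
    return flagged


# Constructed sample page: one ordinary analytics snippet and one script built the way
# obfuscators build them (hex-escaped string array, _0x names, UA check, eval/unescape).
BENIGN_SCRIPT = "window.dataLayer = window.dataLayer || [];\nfunction gtag(){ dataLayer.push(arguments); }"
OBFUSCATED_SCRIPT = (
    "var _0x1a2b=[" + ",".join("'\\x%02x'" % c for c in b"navigator.userAgent" * 12) + "];"
    "if(navigator.userAgent.indexOf('Chrome')>-1){eval(unescape(String.fromCharCode(104,105)));}"
)
SAMPLE_HTML = (
    "<html><head><title>Boats</title>"
    f"<script>{BENIGN_SCRIPT}</script><script>{OBFUSCATED_SCRIPT}</script>"
    "</head><body><script>console.log('body');</script></body></html>"
)

if __name__ == "__main__":
    for hit in triage(SAMPLE_HTML):
        print(hit)
```

Run it against a saved copy of a suspect page (`head_scripts(open("page.html").read())`) rather than fetching the live site from your workstation; the whole point is to look before anything executes. The body script in the sample is deliberately ignored, since the injection in this case went into the header.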

When you click on the "Update" button it will download a copy of Chrome, which contains several Trojans. The domain behind the Update button (which again, I redacted from my post and all associated uploads) has proxied registration, so that isn't much help. It is registered and hosted with Namecheap. The odd thing is that Windows Defender picked it up. But when I uploaded it to VirusTotal.com, the detection results were rather dismal.

[Screenshot: VirusTotal detection results]

Defender picked up nothing until I started to install it, and then it found Trojan:Win.Raccoon.BM!MTB upon launch and Trojan:Win32/Wacatac.B!ml part way through the installation. My anti-virus picked it up as UDS:Trojan-Spy.Win32.Stealer.

Another thing I noticed is that they are screwing with the RSS feed and have added the following to it:

Website Builders
porn
porn
trafic analytics
link short
social proof
softwaregeek com
kidstube
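Injected feed entries like these are easy to miss because nobody reads their own RSS feed. The following is an added example (my own script, not anything from the compromised site) that parses a feed and flags items that look planted: links pointing at a host other than the site's own, items with no article body, and bare lowercase keyword titles of the sort listed above. The feed itself is constructed for the demo, with made-up `.example` hosts.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed feed: one genuine post from the site plus injected entries of the kind
# described above (bare keyword titles pointing off-site, no article body).
SAMPLE_RSS = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Example Boating Blog</title>
<link>https://boats.example/</link>
<item><title>Spring Launch Checklist</title><link>https://boats.example/spring-launch/</link>
<description>Before the first trip of the season, check the bilge pump, lines and trailer lights.</description></item>
<item><title>Website Builders</title><link>https://seo-spam.example/builders</link></item>
<item><title>link short</title><link>https://lnk.example/x</link></item>
</channel></rss>"""


def feed_anomalies(xml_text):
    """Return the feed items that look injected, with the reasons for each."""
    channel = ET.fromstring(xml_text).find("channel")
    # The channel's own <link> tells us which host legitimate posts should live on
    home = urlparse(channel.findtext("link", "")).hostname
    flagged = []
    for item in channel.findall("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        host = urlparse(link).hostname
        reasons = []
        if host != home:
            reasons.append(f"link host {host} is not the site's host {home}")
        if not (item.findtext("description") or "").strip():
            reasons.append("no description/body")
        if title == title.lower() and len(title.split()) <= 2:
            reasons.append("bare lowercase keyword title")
        if reasons:
            flagged.append({"title": title, "link": link, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for item in feed_anomalies(SAMPLE_RSS):
        print(item["title"], "->", item["link"], ";", "; ".join(item["reasons"]))
```

Point it at your own feed from a scheduled job and alert on any output. An off-site link by itself is not proof (syndicated posts exist), which is why the script reports every reason it found and leaves the decision to you.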

Thank you to the two websites below for helping me decode the JavaScript; my Java skills are extremely rusty.
https://beautifier.io/
http://jsfiddle.net/

By Average Joe

Welcome to the Average Joe Weekly blog. This is basically my place on the web where I can help spread some of the knowledge that I have accumulated over the years. I served 10+ years in the Marine Corps on Active Duty, but that was some 25 years ago.
