BitRAT and Lumma Stealer Malware Delivered via Fake Browser Updates

REvil

Fake web browser updates are being used to deliver remote access trojans (RATs) and information stealer malware such as BitRAT and Lumma Stealer (aka LummaC2). 

“Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware,” cybersecurity firm eSentire said in a new report. “In April 2024, we observed FakeBat being distributed via similar fake update mechanisms.” 

The attack chain commences when prospective targets visit a booby-trapped website that contains JavaScript code designed to redirect users to a bogus browser update page (“chatgpt-app[.]cloud”). 

The redirected web page comes embedded with a download link to a ZIP archive file (“Update.zip”) that’s hosted on Discord and downloaded automatically to the victim’s device. 

It’s worth pointing out that threat actors often use Discord as an attack vector, with a recent analysis from Bitdefender uncovering more than 50,000 dangerous links distributing malware, phishing campaigns, and spam over the past six months. 

Present within the ZIP archive file is another JavaScript file (“Update.js”), which triggers the execution of PowerShell scripts responsible for retrieving additional payloads, including BitRAT and Lumma Stealer, from a remote server in the form of PNG image files. 

Also retrieved in this manner are PowerShell scripts to establish persistence and a .NET-based loader that’s primarily used for launching the final-stage malware. eSentire postulated that the loader is likely advertised as a “malware delivery service” since the same loader is used to deploy both BitRAT and Lumma Stealer. 

BitRAT is a feature-rich RAT that allows attackers to harvest data, mine cryptocurrency, download more binaries, and remotely commandeer the infected hosts. Lumma Stealer, a commodity stealer malware available for $250 to $1,000 per month since August 2022, offers the ability to capture information from web browsers, crypto wallets, and other sensitive details. 

“The fake browser update lure has become common amongst attackers as a means of entry to a device or network,” the company said, adding it “displays the operator’s ability to leverage trusted names to maximize reach and impact.” 

While such attacks typically leverage drive-by downloads and malvertising techniques, ReliaQuest, in a report published last week, said it discovered a new variant of the ClearFake campaign that tricks users into copying, pasting, and manually executing malicious PowerShell code under the pretext of a browser update. 

Specifically, the malicious website claims that “something went wrong while displaying this webpage” and instructs the site visitor to install a root certificate to address the issue by following a series of steps, which involves copying obfuscated PowerShell code and running it in a PowerShell terminal. 

“Upon execution, the PowerShell code performs multiple functions, including clearing the DNS cache, displaying a message box, downloading further PowerShell code, and installing ‘LummaC2’ malware,” the company said. 

According to information shared by the cybersecurity firm, Lumma Stealer emerged as one of the most prevalent information stealers in 2023, alongside RedLine and Raccoon. 

“The number of LummaC2-obtained logs listed for sale increased by 110% from Q3 to Q4 2023,” it noted. “LummaC2’s rising popularity among adversaries is likely due to its high success rate, which refers to its effectiveness in successfully infiltrating systems and exfiltrating sensitive data without detection.” 

The development comes as the AhnLab Security Intelligence Center (ASEC) disclosed details of a new campaign that employs webhards (short for web hard drive) as a conduit to distribute malicious installers for adult games and cracked versions of Microsoft Office and ultimately deploy a variety of malware such as Orcus RAT, XMRig miner, 3proxy, and XWorm. 

Similar attack chains involving websites offering pirated software have led to the deployment of malware loaders like PrivateLoader and TaskLoader, which are both offered as a pay-per-install (PPI) service for other cybercriminals to deliver their own payloads. 

It also follows new findings from Silent Push about CryptoChameleon‘s “almost exclusive use” of DNSPod[.]com nameservers to support its phishing kit architecture. DNSPod, part of the Chinese company Tencent, has a history of providing services for malicious bulletproof hosting operators. 

“CryptoChameleon uses DNSPod nameservers to engage in fast flux evasion techniques that allow threat actors to quickly cycle through large amounts of IPs linked to a single domain name,” the company said. 

“Fast flux allows CryptoChameleon infrastructure to evade traditional countermeasures, and significantly reduces the operational value of legacy point-in-time IOCs.” using at least seven primary social media accounts and a CIB network of more than 250 accounts. 

Found this article interesting? Follow us on LinkedIn to read more blogs!