Hackers place fake Chrome update messages on top of legitimate web pages, designed to install malware that can evade antivirus detection, security researcher Rintaro Koike said.
The attack campaign, first observed in November 2022, became active in February 2023, targeting predominantly Japanese websites as well as some Korean and Spanish-language websites, Koike explains. Researchers fear that these attacks may continue to spread, adapt and evolve beyond Japan, and they warn internet users in other regions to be alert to the threat.
Compromised websites contain JavaScript code that runs scripts to identify targets. Visitors who match are redirected to a page showing an “Update Exception” warning that reads: “An error occurred with the Chrome auto-update. Please manually install the update package later or wait for the next automatic update.” The absence of any urgent language in this alert also works in the threat actors' favor: it looks more realistic and attracts less attention than other scams.
A .zip file disguised as a Chrome update is then installed, but instead of a legitimate Chrome update, it contains a Monero miner designed to mine cryptocurrencies using the victim’s CPU.
According to the research, the miner can evade detection tools such as antivirus software by excluding itself from Windows Defender's settings, suspending Windows Update services, and rewriting the hosts file. The campaign shows no signs of stopping, and the code is claimed to support more than 100 languages, so it could pose a significant threat well beyond its current targets.
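The three traces described above are all things a defender can audit on an endpoint. The following PowerShell script is an added example written for this article, not code from the researchers or from the campaign; it runs in an elevated PowerShell session on Windows and reports Defender exclusions, a stopped or disabled Windows Update service, and hosts-file entries that name update or security domains. The list of domain substrings it watches for is an assumption for illustration, not an indicator from the report.

```powershell
# Added audit script (not from the original report). Checks a Windows host for the traces
# the article attributes to the miner: Defender exclusions, a suspended Windows Update
# service, and hosts-file entries that could sinkhole update or security-vendor traffic.
$findings = @()

# 1. Defender exclusions: anything the malware added for itself would show up here.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings += "Defender path exclusion: $p" } }
foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $findings += "Defender process exclusion: $p" } }
foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings += "Defender extension exclusion: $e" } }
if ($pref.DisableRealtimeMonitoring) { $findings += "Defender real-time monitoring is disabled" }

# 2. Windows Update service (wuauserv) stopped or set to Disabled.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if ($null -eq $wu) {
    $findings += "Windows Update service not found"
} elseif ($wu.Status -ne 'Running' -or $wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service state: $($wu.Status), start type: $($wu.StartType)"
}

# 3. Hosts-file entries that point update or security-related names somewhere else.
#    The watch list below is an assumed example; adjust it for your environment.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$watch = @('microsoft', 'windowsupdate', 'defender')
foreach ($line in Get-Content $hostsPath) {
    $t = $line.Trim()
    if ($t -eq '' -or $t.StartsWith('#')) { continue }   # skip blanks and comments
    $parts = $t -split '\s+'
    if ($parts.Count -lt 2) { continue }                 # malformed line, nothing to map
    $ip = $parts[0]
    foreach ($name in $parts[1..($parts.Count - 1)]) {
        $hit = $watch | Where-Object { $name -like "*$_*" }
        if ($hit) { $findings += "hosts entry maps $name to $ip" }
    }
}

if ($findings.Count -eq 0) { 'No traces found' } else { $findings | ForEach-Object { "[!] $_" } }
```

Any hit from the script is a lead to investigate, not proof of this particular miner; legitimate administrators also add exclusions and hosts entries.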
Keep in mind that Chrome normally installs updates through its built-in updater, so there is no need to download a separate update package from any website.