Tuesday, November 12, 2024

Beware of Fake Browser Updates That Deliver Bitrat & Lumma Stealer


eSentire’s Threat Response Unit (TRU) has documented a malware campaign that uses fake browser update prompts as its lure.

The campaign delivers two malware families: BitRAT, a remote access trojan, and Lumma Stealer, an information stealer.

The attackers use a fake update prompt to trick users into downloading and running a malicious archive, which gives them remote control of the host and lets them harvest credentials, cryptocurrency wallets and browser data.


TRU observed one such instance delivering BitRAT and Lumma Stealer. The technique is increasingly common: fake browser update prompts have become a favoured lure among cybercriminals.

Infection Chain

The infection chain begins when a user visits a compromised webpage into which malicious JavaScript has been injected.

That code redirects the user to a phony browser update page.

Injected malicious JavaScript code


The injected JavaScript is hidden within the webpage and only triggers the redirect when the HTTP referrer matches the original malicious web page. A gate like this also means that requesting the URL directly, without the expected Referer header, will not reproduce the redirect, which is worth remembering when replaying the chain in a sandbox.

Redirect site hidden within the JavaScript

The fake update page, hosted on the chatgpt-app[.]cloud site, contains a download link to a ZIP archive named ‘Update.zip’.

The archive is downloaded automatically to the victim’s device and is hosted on Discord’s Content Delivery Network (CDN), which gives the download a high-reputation domain that web filters rarely block.

Download of Update.zip from Discord’s CDN
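As an added example (not from eSentire’s report or this article), the following Python hunts a web-proxy log for the chain just described: a visit to the lure page, followed within a short window by a ZIP download from Discord’s CDN by the same client. The log format and the sample lines are constructed; the Discord CDN hostnames (cdn.discordapp.com, media.discordapp.net) and the 120-second window are assumptions, and chatgpt-app[.]cloud is the domain named above.

```python
"""Hunt a web-proxy log for the fake-update chain: a visit to the lure page on
chatgpt-app[.]cloud followed by an archive download from Discord's CDN."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Indicator taken from the article (defanged there as chatgpt-app[.]cloud).
FAKE_UPDATE_HOSTS = {"chatgpt-app.cloud"}
# Hostnames of Discord's CDN; the article says only "Discord's CDN", so these are assumed.
DISCORD_CDN_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}
ARCHIVE_SUFFIXES = (".zip",)
WINDOW = timedelta(seconds=120)  # assumed maximum gap between lure page and download


@dataclass
class Request:
    ts: datetime
    client: str
    url: str
    referer: str


def parse_line(line: str) -> Request:
    """Parse one constructed tab-separated record: timestamp, client, method, url, referer."""
    ts, client, _method, url, referer = line.rstrip("\n").split("\t")
    return Request(datetime.fromisoformat(ts), client, url, referer)


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_archive_from_discord(req: Request) -> bool:
    return (host_of(req.url) in DISCORD_CDN_HOSTS
            and urlparse(req.url).path.lower().endswith(ARCHIVE_SUFFIXES))


def find_fake_update_chains(lines):
    """Return one finding per (client, lure page, download) where the same client
    fetched a lure page and then an archive from Discord's CDN within WINDOW.
    Confidence is 'high' when the download's Referer is the lure host."""
    reqs = sorted((parse_line(l) for l in lines if l.strip()), key=lambda r: r.ts)
    by_client: dict[str, list[Request]] = {}
    for r in reqs:
        by_client.setdefault(r.client, []).append(r)

    findings = []
    for client, rs in by_client.items():
        for i, lure in enumerate(rs):
            if host_of(lure.url) not in FAKE_UPDATE_HOSTS:
                continue
            for later in rs[i + 1:]:
                if later.ts - lure.ts > WINDOW:
                    break  # requests are time-sorted, nothing later can qualify
                if is_archive_from_discord(later):
                    conf = "high" if host_of(later.referer) in FAKE_UPDATE_HOSTS else "medium"
                    findings.append({"client": client, "lure": lure.url,
                                     "download": later.url, "confidence": conf})
    return findings


# Constructed sample log (not real telemetry): one victim chain and one benign
# Discord user downloading an attachment from inside the Discord web app.
SAMPLE_LOG = """\
2024-05-20T09:00:01\t10.0.0.5\tGET\thttps://compromised-site.example/blog/post\t-
2024-05-20T09:00:02\t10.0.0.5\tGET\thttps://chatgpt-app.cloud/update\thttps://compromised-site.example/blog/post
2024-05-20T09:00:04\t10.0.0.5\tGET\thttps://cdn.discordapp.com/attachments/111/222/Update.zip\thttps://chatgpt-app.cloud/
2024-05-20T09:05:00\t10.0.0.9\tGET\thttps://discord.com/channels/333/444\t-
2024-05-20T09:05:03\t10.0.0.9\tGET\thttps://cdn.discordapp.com/attachments/555/666/notes.zip\thttps://discord.com/
"""

if __name__ == "__main__":
    for finding in find_fake_update_chains(SAMPLE_LOG.splitlines()):
        print(finding)
```

The correlation keys on the lure domain, so it only catches this campaign’s infrastructure; a broader hunt would also review every archive download from Discord’s CDN whose Referer is not a Discord page.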

The Payload Delivery

The ZIP archive contains a JavaScript file, Update.js, which acts as the initial downloader once the victim executes it.

PowerShell scripts carried in the archive then download and execute the next-stage loader and payloads from a known BitRAT command-and-control (C2) address.

PowerShell script retrieving payload file

The attack involves multiple files, each serving a different purpose. All are served with a .png extension, but none of them is an image:

  • s.png – Loader + Lumma Stealer payload
  • z.png – PowerShell script that creates a Run key for persistence, then downloads the loader and the BitRAT payload
  • a.png – Loader + BitRAT payload
  • 0x.png – BitRAT persistence script that re-downloads a.png and executes it

The PowerShell script (z.png) bypasses AMSI, downloads 0x.png and renames it to 0x.log, hides it in the C:\Users\Public directory, and sets it to run at startup by adding a Registry Run key.

z.png retrieving 0x.png and a.png

The 0x.log file (the downloaded 0x.png) contains a further PowerShell script that serves as the persistence mechanism for the BitRAT payload, a.png.

Each time it runs, 0x.log downloads a.png again and executes it, so the RAT is restored at every startup even if the earlier copy has been removed.

The Loader

The loader embedded in a.png and s.png is almost identical in both files; the only difference is the embedded payload, and therefore the file hash.

The loader is a .NET portable executable (PE) obfuscated with Crypto Obfuscator (5.x).

It receives the decrypted payload binary from the file’s PowerShell script and injects it into RegSvcs.exe, a legitimate, Microsoft-signed .NET Framework utility that serves here as the injection host.

A simplified version of a.png showing the AMSI bypass and loading

BitRAT Capabilities

BitRAT is a feature-rich remote access trojan (RAT) whose advertised capabilities include:

  • Two connection modes (direct reverse connection and Tor connection)
  • UAC exploit for elevated privileges
  • Process protection
  • Ability to manage over 10,000 clients efficiently
  • Remote browser feature supporting Chrome
  • Password recovery for various applications
  • XMR miner for cryptocurrency mining
  • Reverse proxy using SOCKS4 mode
  • Remote desktop access
  • Webcam live feed
  • File manager with zip compression
  • Keylogger functions
  • Audio live feed
  • SOCKS5 proxy support

The BitRAT sample analysed was UPX-packed and carried an encrypted configuration.

The decryption routine runs through several steps and finally uses the first 16 characters of an MD5 hash as the key for a Camellia decryption routine (16 ASCII characters, i.e. a 128-bit key).

Lumma Stealer

Lumma Stealer, also known as LummaC2 Stealer, is an information stealer written in C.

It targets cryptocurrency wallets, 2FA browser extensions, and other sensitive data on victims’ machines.

The stolen data is sent to a C2 server via HTTP POST requests with a user agent beginning with “Mozilla/5.0”. Since that prefix is shared by every mainstream browser, it is not usable as an indicator on its own and should be combined with the destination and request pattern.

Notable strings in Lumma Stealer payload

Delivering a variety of malware through fake updates shows the operator’s ability to abuse trusted names (browser vendors, ChatGPT and Discord) to maximise reach and impact.

The same .NET loader appearing in both payload files suggests that the fake-update loader is operated as a malware delivery service.

The malware payload is likely interchangeable, and other families should be expected to arrive through similar incidents in the future.


Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
