Ghacks.net website delivering malware via fake browser update messages

roger_m
Thread author
I wasn't sure of the best place to post this.

The website ghacks.net has either been hacked or, what is more likely, is a victim of a malvertising campaign. If you visit any webpage there, a few seconds after the page loads, the content gets replaced with a fake browser update message, to try to trick the site visitor into downloading an updated version which is actually malware. This is shown in the Chromium-based browser I use.

Fake Chrome Update 1.png


When I visit the site in Edge I get the following.

Fake Chrome Update 2.png


In both cases, when moving the mouse cursor over the download link, it shows a valid URL for download pages for Chrome or Edge. However, if you click on the link, it will download a file named ChromeSetup.exe or MlсrоsоftЕdgеSеtup, from Dropbox, which is malicious. There is also a different fake update page for Firefox and maybe some other browsers too.

The malware currently has 35 detections at VirusTotal, with Kaspersky detecting it as Trojan-Downloader.Win64.RustyPita.y.
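
A defender-side check prompted by the look-alike filename above, added here as an example and not code from the thread or from any vendor: it flags installer names whose letters mix Unicode scripts, folds Cyrillic look-alikes to Latin, and compares the result against an assumed allow-list of genuine installer names (the allow-list and the sample filename are constructed for this example).

```python
import unicodedata

# Installer names a defender would expect from the real vendors (assumed allow-list,
# not taken from the thread; the thread only notes the hover URLs looked legitimate).
KNOWN_INSTALLERS = {"ChromeSetup.exe", "MicrosoftEdgeSetup.exe"}

# Cyrillic letters that render like Latin ones (a subset of the Unicode confusables).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0410": "A", "\u0412": "B",
    "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H", "\u041e": "O",
    "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
}

# Constructed sample: Cyrillic code points (es, o, Ie, ie) placed where the thread's
# look-alike "MlсrоsоftЕdgеSеtup" name had them, plus the 'l'-for-'i' swap.
SAMPLE_SUSPICIOUS = "Ml\u0441r\u043es\u043eft\u0415dg\u0435S\u0435tup.exe"

def scripts_used(filename: str) -> set:
    """Unicode scripts of the letters in filename, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split(" ")[0] for ch in filename if ch.isalpha()}

def skeleton(filename: str) -> str:
    """Fold Cyrillic look-alikes to Latin so we compare what the user actually sees."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in filename)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; strings are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_download(filename: str) -> dict:
    """Report whether a downloaded installer name mixes scripts and which genuine
    installer it resembles (folded name within 2 edits of a known name, but not equal)."""
    mixed = len(scripts_used(filename)) > 1
    folded = skeleton(filename)
    impersonates = None
    for known in sorted(KNOWN_INSTALLERS):
        if folded != known and edit_distance(folded, known) <= 2:
            impersonates = known
    return {"mixed_scripts": mixed, "skeleton": folded, "impersonates": impersonates}
```

Feed it the names of files landing in a download directory; a result with `mixed_scripts` true or a non-empty `impersonates` is the case the thread describes.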

Ink

Administrator
The site is mostly unresponsive and crashes on Brave.
No effect on Safari (no extensions)

Just got hit with this, time to restore backup :(
What made you install the rogue update?

As far as I can remember, all (popular) modern browsers update silently in the background, or notify via their in-menu about an update. Never through a domain.

bjm_
As a test:
Website blocked due to suspicious content
Website Blocked: ioiubby73b1n.com
v2.6.10 | Heuristics: suspicious content
Malwarebytes Browser Guard blocked this page because it may contain malicious activity.
-------------------------------
Norton 360
Category: Quarantine
Date & Time,Risk,Activity,Status,Recommended Action,Activity - Details
9/22/2023 8:32:13 AM,High,Unconfirmed 932324.crdownload (Heur.AdvML.B) detected by Download Insight, Quarantined, Resolved - No Action Required,Threat Actions performed: 1
9/22/2023 8:32:13 AM,High,Unconfirmed 932324.crdownload (Trojan.Gen.MBT) detected by Download Insight, Quarantined, Resolved - No Action Required,Threat Actions performed: 1
9/22/2023 8:31:48 AM,High,f_00098c (Heur.AdvML.B) detected by Download Insight, Quarantined, Resolved - No Action Required,Threat Actions performed: 1
9/22/2023 8:31:48 AM,High,f_00098c (Trojan.Gen.MBT) detected by Download Insight, Quarantined, Resolved - No Action Required,Threat Actions performed: 1
--
File Thumbprint - SHA:
37bba90d20e429ce3fd56847e4e7aaf83c62fdd70a7dbdcd35b6f2569d47d533
---------
Norton 360 re-test
Filename: MlсrоsоftЕdgеSеtup.exe
Threat name: Heur.AdvML.B

https://uc0[..]456a.dl.dropboxusercontent.com/cd/0/get/CEP7kqki[..]FTZ-x/file?dl=1#
Downloaded File from dropboxusercontent.com

Ink

Administrator
Malwarebytes Browser Guard blocked this page because it may contain malicious activity.
What browser security is installed? Would an additional filter or browser extension be used to boost security?

As well as informing everyone in your household of the difference between real and fake updates.
@I Walk MY Way - Malwarebytes Browser Guard can protect the additional PCs.

SeriousHoax
In my case there was no popup/redirect with uBO/Adguard. The culprit redirect website is also blocked by Adguard DNS filter. But without them I was also able to download the malware. This is quite serious indeed since ghacks is a trusted website. Hope they fix it soon.