Ghacks.net website delivering malware via fake browser update messages

[roger_m]

I wasn't sure of the best place to post this.

The website ghacks.net has either been hacked or, what is more likely, is a victim of a malvertising campaign. If you visit any webpage there, a few seconds after the page loads, the content gets replaced with a fake browser update message, to try and trick the site visitor into downloading an updated version which is actually malware. This is shown in the Chromium based browser I use.

When I visit the site in Edge I get the following.

In both cases, when moving the mouse cursor over the download link, it shows a valid URL for download pages for Chrome or Edge. However if you click on the link, it will download a file named ChromeSetup.exe or MlсrоsоftЕdgеSеtup, from Dropbox, which is malicious. There is also a different fake update page for Firefox and maybe some other browsers too.

The malware currently has 35 detections at VirusTotal, with Kaspersky detecting it as Trojan-Downloader.Win64.RustyPita.y.

VirusTotal

VirusTotal

www.virustotal.com

 

[Moonhorse]

Seems it does not support https, cant see any ads or pop-ups on the site due adguard though

 

[harlan4096]

I can confirm, just visited ghacks site with my FF and got an additional open tab with this:

 

[I Walk MY Way]

just got hit with this ,, time to restore backup,,

 

[Moonhorse]

just got hit with this ,, time to restore backup,,

Did you install something? If not youre safe..

 

[roger_m]

Seems it does not support https, cant see any ads or pop-ups on the site due adguard though

It does for me.

 

[Jonny Quest]

In Chrome, Bitdefender stopped the redirect, and did give me a pop-up notification.

 

[Ink]

The site is mostly unresponsive and crashes on Brave.
No affect on Safari (no extensions)

just got hit with this ,, time to restore backup,,

What made you install the rogue update?

As far as I can remember, all (popular) modern browsers update silently in the background, or notify via their in-menu about an update. Never through a domain.

 

[I Walk MY Way]

Yea wife installed it on her pc this morning, Its been restored with hasleo,

 

[Ink]

Yea wife installed it on her pc this morning, Its been restored with hasleo,

What browser security is installed? Would an additional filter or browser extension be used to boost security?

As well as, informing everyone in your household the difference between real and fake updates.

 

[Brahman]

On visiting ghacks a domain gets blocked ( "ioiubby73b1n.**m") in nextdns as newly registered domain.

 

[likeastar20]

MalwareBazaar | Browse Checking your browser

bazaar.abuse.ch

 

[bjm_]

as test:

Website blocked due to suspicious content
Website Blocked: ioiubby73b1n.com
v2.6.10 | Heuristics: suspicious content
Malwarebytes Browser Guard blocked this page because it may contain malicious activity.

-------------------------------

Norton 360
Category: Quarantine
Date & Time,Risk,Activity,Status,Recommended Action,Activity - Details
9/22/2023 8:32:13 AM,High,Unconfirmed 932324.crdownload (Heur.AdvML.B) detected by Download Insight, Quarantined, Resolved - No Action Required,Threat Actions performed: 1
9/22/2023 8:32:13 AM,High,Unconfirmed 932324.crdownload (Trojan.Gen.MBT) detected by Download Insight, Quarantined, Resolved - No Action Required,Threat Actions performed: 1
9/22/2023 8:31:48 AM,High,f_00098c (Heur.AdvML.B) detected by Download Insight, Quarantined, Resolved - No Action Required,Threat Actions performed: 1
9/22/2023 8:31:48 AM,High,f_00098c (Trojan.Gen.MBT) detected by Download Insight, Quarantined, Resolved - No Action Required,Threat Actions performed: 1
--
File Thumbprint - SHA:
37bba90d20e429ce3fd56847e4e7aaf83c62fdd70a7dbdcd35b6f2569d47d533

---------

Norton 360 re-test
Filename: MlсrоsоftЕdgеSеtup.exe
Threat name: Heur.AdvML.B

https://uc0[..]456a.dl.dropboxusercontent.com/cd/0/get/CEP7kqki[..]FTZ-x/file?dl=1#
Downloaded File from dropboxusercontent.com

 

[Ink]

Malwarebytes Browser Guard blocked this page because it may contain malicious activity.

What browser security is installed? Would an additional filter or browser extension be used to boost security?

As well as, informing everyone in your household the difference between real and fake updates.

@I Walk MY Way - Malwarebytes Browser Guard can protect the additional PCs.

 

[likeastar20]

The website has been taken down.

EDIT1: the site is back up, but still redirects

 

[Jack]

Yes, Ghacks.net is hacked and still distributing malware. Most likely a plugin was exploited, hope they fix this soon.

 

[WhiteMouse]

No, it didn't get hacked. Microsoft just sold Edge browser to Mcafee

And no reaction from Windows Defender.

 

[SeriousHoax]

In my case there was no popup/redirect with uBO/Adguard. The culprit redirect website is also blocked by Adguard DNS filter. But without them I was also able to download the malware. This is quite serious indeed since ghacks is a trusted website. Hope they fix it soon.

 

[Freki123]

And then websites (in general) complain about users using adblockers while nobody want's to be responsible for the booked malvertising...

 

[plat]

Must be working on it, first I got the homepage and it "looks" OK:

Spoiler

Then, when going to individual pages, you get this:

Spoiler

Wow. Thanks for the warning, roger_m.