Watch Out: Attackers Are Hiding Malware in 'Browser Updates'

[silversurfer]

Content source

https://www.darkreading.com/threat-intelligence/watch-out-attackers-hiding-malware-browser-updates

Updating your browser when prompted is a good practice, just make sure the notification comes from the vendor themselves.

Threat actors are using cybersecurity best practices against you, hiding malware inside of fake browser updates. They do so by seeding legitimate but vulnerable websites with malicious JavaScript. Upon loading, the code presents users with convincing browser update notifications, masking dangerous payloads.

According to a Oct. 17 report from Proofpoint, the trend began with one threat actor, TA569, and it has since been adopted by at least four different threat clusters, in what appears to be a growing and intractable new trend.

"TA569 has been very active for quite some time, and I've seen how difficult it has been for customers to understand and remediate the threat on their own," says Daniel Blackford, senior manager of threat research at Proofpoint. Because it's so effective, he adds, "other threat actors have absolutely piggybacked on it."

 

[Dave Russo]

Thanks,I never even considered this

 

[wat0114]

In Linux the browser is updated from the official repositories through the package manager, and never through the browser itself.

 

[silversurfer]

In Linux the browser is updated from the official repositories through the package manager, and never through the browser itself.

Probably same advantage for Windows users when installing browsers only from Microsoft Store, major browsers are available there.

 

[Ink]

The Current Landscape of Fake Browser Updates​

Beware Fake Browser Updates: TA569, Rogueraticate & More | Proofpoint US

Proofpoint is tracking multiple fake browser update threats. Learn more about the various threats to watch out for like TA569, Rogueraticate and more.

www.proofpoint.com

Key Takeaways

• Proofpoint is tracking multiple different threat clusters that use similar themes related to fake browser updates.
• Fake browser updates abuse end user trust with compromised websites and a lure customized to the user's browser to legitimize the update and fool users into clicking.
• Threat actors do not send emails to share the compromised websites. The threat is only in the browser and can be initiated by a click from a legitimate and expected email, social media site, search engine query, or even just navigating to the compromised site.
• The different campaigns use similar lures, but different payloads. It is important to identify which campaign and malware cluster the threat belongs to help guide defender response

The fake browser update lures are effective because threat actors are using an end-user's security training against them. In security awareness training, users are told to only accept updates or click on links from known and trusted sites, or individuals, and to verify sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing, website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit and is now asking them to update their browser.

Remember that all modern browser update silently in the background.