Businesses around the world have been the target of a new cyber scam posing as Google Chrome update download pages.
Proofpoint researchers identified the malware campaign targeting organizations in Canada, France, Germany, Spain, Italy, the United Kingdom, and the United States, with thousands of messages sent worldwide over the course of a few weeks.
The messages told victims that they needed to update to the latest version of the Google Chrome or Internet Explorer browser, but actually included links to websites compromised with malware.
Google Chrome malware
Proofpoint attributed the campaign to the prolific threat actor TA569, also known as SocGholish, because the messages linked to websites compromised with SocGholish HTML injections.
These injections can profile the recipient's geolocation, operating system and browser, and if the recipient is judged a suitable victim, they seek to convince them to click on a link in the email message.
However, instead of the promised Google Chrome update, clicking on this link downloads one of several malicious payloads. Proofpoint’s analysis detected Chthonic, a banking Trojan that is a variant of the well-known Zeus banking Trojan, as well as remote control software (NetSupport) that can give attackers remote access to compromised systems.
The attack targeted a number of major companies across multiple verticals, including education, state government and manufacturing, among others.
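The lure chain described above pairs "update your browser" wording with a link that leads somewhere other than the vendor. As an added example (not Proofpoint's code or part of the original article), the following Python triage script flags inbound messages that combine that wording with links to hosts outside an assumed allow-list of vendor domains. The sample messages and the `.test` hostnames are constructed for illustration, and the vendor allow-list is an assumption to adapt to your environment.

```python
"""
Heuristic triage of inbound e-mail for fake browser-update lures.

Added example, not Proofpoint's code or analysis. A message is flagged
when it (a) contains update/upgrade/install wording aimed at Chrome,
Internet Explorer or "your browser" and (b) carries at least one link
whose host is not on the vendor allow-list below.
"""
import re
from urllib.parse import urlparse

# Assumed allow-list of legitimate browser-update domains (illustrative only).
VENDOR_UPDATE_HOSTS = {"google.com", "microsoft.com"}

# Lure wording: an action verb followed within 60 characters by a browser name.
LURE_PATTERN = re.compile(
    r"\b(update|upgrade|install)\b.{0,60}\b(chrome|internet explorer|browser)\b",
    re.IGNORECASE | re.DOTALL,
)

# Plain http/https links embedded in the text.
URL_PATTERN = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_vendor(url: str) -> bool:
    """True if the link host is a vendor domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in VENDOR_UPDATE_HOSTS)


def triage_message(subject: str, body: str) -> dict:
    """Return lure/offsite-link findings for one message."""
    text = f"{subject}\n{body}"
    lure = bool(LURE_PATTERN.search(text))
    offsite = [u for u in URL_PATTERN.findall(text) if not host_is_vendor(u)]
    return {
        "lure_wording": lure,
        "offsite_links": offsite,
        # Only the combination is interesting: update wording alone is common,
        # and offsite links alone are everyday mail.
        "suspicious": lure and bool(offsite),
    }


# Constructed sample messages (not real campaign samples).
SAMPLE_MESSAGES = [
    ("Action required: update Google Chrome",
     "Your browser is out of date. Download the latest version here: "
     "http://example-compromised-site.test/update/chrome"),
    ("Chrome release notes",
     "Read about the new release at https://www.google.com/chrome/"),
    ("Lunch menu",
     "This week's menu is at http://intranet.example.test/menu"),
]


def count_suspicious(messages=SAMPLE_MESSAGES) -> int:
    """Number of sample messages the heuristic flags."""
    return sum(triage_message(s, b)["suspicious"] for s, b in messages)


if __name__ == "__main__":
    for subject, body in SAMPLE_MESSAGES:
        print(subject, "->", triage_message(subject, body))
    print("flagged:", count_suspicious())
```

The heuristic is deliberately narrow: it only fires on the combination of lure wording and an offsite link, so ordinary release-note mail from the vendor and ordinary internal links pass. In practice it belongs in a mail-gateway rule or a SIEM enrichment step, with the allow-list maintained per vendor.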
“While this technique is not new, it remains effective because it exploits the recipient’s desire to practice good safety hygiene,” Proofpoint wrote in a blog post describing the findings.
“Keeping software up-to-date is common security advice, and this actor uses it to their advantage. These campaigns illustrate that malware tactics and threat actors do not have to be novel to find success, even in a threat landscape that changes quickly.”