Watch Out: Attackers Are Hiding Malware in 'Browser Updates'

Threat actors are using cybersecurity best practices against you, hiding malware inside of fake browser updates.

They do so by seeding legitimate but vulnerable websites with malicious JavaScript. Upon loading, the code presents users with convincing browser update notifications, masking dangerous payloads.

According to a Oct. 17 report from Proofpoint, the trend began with one threat actor, TA569, and it has since been adopted by at least four different threat clusters, in what appears to be a growing and intractable new trend.

"TA569 has been very active for quite some time, and I've seen how difficult it has been for customers to understand and remediate the threat on their own," says Daniel Blackford, senior manager of threat research at Proofpoint. Because it's so effective, he adds, "other threat actors have absolutely piggybacked on it."

Malicious Code, Hidden in Honest Websites

Though they may vary in the particulars, each of the four threat clusters tracked by Proofpoint follow largely the same script.

First, the actors take advantage of a legitimate but vulnerable website, injecting their own malicious JavaScript code.

"It's generally very opportunistic. We have seen it across basically every industry: media, local sports associations — like kids' soccer groups — software companies, in some cases," Blackford says.

It might be an unpatched vulnerability, or a WordPress misconfiguration that provides the opening, "but it doesn't always have to be the website itself. It can be any assets that are imported into the website — any type of styling template, media player, or pretty much any third-party code," he says.

When an end user loads the website, the attackers' script runs alongside the rest of the site's various assets. Its job is to refer traffic to an attacker-controlled domain.

The Fake Browser Update Lure

From here, Blackford explains, "the Web inject is going to take some information about your system — you're coming from this geographic location, you're using this browser version. It can determine whether you're in some type of virtual environment or not. And if you pass all of the criteria, then it's going to reach out to that backend server and pull in the fake Update page."

The update lures are designed to look like they're coming from the browser's developers, with a clean look and relevant iconography. The following screenshots, courtesy of the security researcher Jerome Segura, capture fake updates from TA569 and another cluster, "FakeSG," also known as "RogueRaticate" (see below).

If a user falls for the trap and clicks "Update," they download malware to their computer.

If the attacker is TA569, for example, a user will download its signature "SocGholish" initial access malware. In the past, SocGholish has been used as a primer for ransomware, including WastedLocker, LockBit, Drydex, Hive, and more.

How to Avoid Fake Browser Updates

Employees and otherwise educated civilians are taught to avoid links and attachments in unrecognized emails or text messages. They might know to avoid a seedy-looking link, but what about a notification coming from their browser?

To suss out a real update from a fake one, Blackford urges users to pay attention to how their trusted websites and browsers typically behave, and whether anything happens that doesn't align with the usual pattern.

"Nine times out of 10, I'll go to my kid's soccer league website and see: okay, we've got a match against some other school on Wednesday, and nothing happens. And then one time, all of a sudden, I'm redirected to a page that says I'm using an old version of Chrome, click this button to update. That difference in pattern should be the trigger," he says, while admitting that "it's not easy to spot. But that's also why bad guys continue to make money hand over fist."

In the end, users shouldn't be spooked from maintaining their cybersecurity hygiene. "Updating your browser is a good security practice," Blackford maintains, "and I strongly suggest that people do it."