
Attackers abuse Chrome to deliver malware as “legit” app

Attackers are abusing Chrome to deliver a very dangerous piece of malware. It can access sensitive information and bypass Windows security features such as User Account Control (UAC). The new campaign targets Windows 10 PCs with malware that can infect systems without notifying the user.

How do they abuse Chrome?

Andrew Iwamaye, a Rapid7 research analyst, warns that a new, insidious malware campaign is seeking to exfiltrate sensitive data and steal cryptocurrency from the target PC. The malware achieves this by abusing a Windows environment variable and a native scheduled task to maintain persistence on the system.
Iwamaye wrote in a blog post that the attack chain starts when a Chrome browser user visits a malicious website and a prompt for action appears. According to Iwamaye, the prompt comes from a “browser ad service,” which has not yet responded to requests for clarification.

Attackers target credentials and cryptos

Attackers are using the malware to steal data, including browser credentials and cryptocurrency. They are also interfering with browser updates and conditioning the system for arbitrary command execution, Iwamaye wrote.

Hackers prepared a special website in order to infect users running Chrome on Windows 10. The infection begins with a redirect to a suspicious domain, followed by an unusual chain of redirects before finally leading to the malware installation.

The first thing Iwamaye noticed was the suspicious domain birchlerarroyo[.]com. Attackers tricked users into granting permission for notifications from birchlerarroyo[.]com; the malware then redirected them.

Upon further analysis, researchers noticed a suspicious JavaScript file referenced in the site’s source code and found that birchlerarroyo[.]com was asking the user for permission to show notifications.

Still, it is not clear why or how the website asked Chrome browser users to allow notifications. Once permission was granted, however, users saw a notification telling them to update their browser, and then landed on a convincing Chrome-update-themed webpage.

A malicious update

The fake Chrome browser update was a Windows application package, an MSIX file. It was hosted on chromesupdate[.]com and named “oelgfertgokejrgre.msix.” Researchers confirmed that it was a malicious Windows application package.

The malware uses several tricks: delivery via an ad service as a Windows application package, the Windows application installation path, and a UAC bypass technique that manipulates an environment variable and a native scheduled task. As a result it can go undetected by security solutions or even by a seasoned SOC analyst.

A prompt then appears asking the user to enable installation of such apps. Iwamaye explained that this happens because the application package does not come from the Microsoft Store.

It gets in and starts exploitation

Once the user executes the malicious Chrome update, the malware infects the machine. The first stage of the attack involves a PowerShell command spawned by an executable called HoxLuSfo.exe that spawns sihost.exe.

Attackers use the command to exploit a UAC bypass in the Disk Cleanup Utility on some versions of Windows 10. The weakness allows the execution of arbitrary code by modifying the content of an environment variable.

The process also allows the PowerShell command to hijack the “SilentCleanup” scheduled task to run the “HoxLuSfo” and “st” executables.
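The UAC bypass described above works because a scheduled task that runs with highest privileges resolves environment variables from the user's own environment, which an unprivileged user can change. The following Python audit is an added example written for this article, not code from Rapid7 or from the campaign. It assumes the SilentCleanup task's command line references %windir% (the task is named in the article; its command line and the %windir% variable are not, and are taken here from public documentation of the Windows 10 task). On a real host the two dictionaries would be read from HKCU\Environment and HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment; here they are constructed so the check runs offline.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed command line of the built-in SilentCleanup task on Windows 10
# (from public documentation of the task, not from the article).
SILENTCLEANUP_ACTION = r"%windir%\system32\cleanmgr.exe /autoclean /d %systemdrive%"

# Constructed machine-wide environment, as found under HKLM ...\Session Manager\Environment.
MACHINE_ENV: Dict[str, str] = {
    "windir": r"C:\Windows",
    "SystemRoot": r"C:\Windows",
    "SystemDrive": "C:",
}

_VAR = re.compile(r"%([^%]+)%")


def _lookup(name: str, scope: Dict[str, str]) -> Optional[str]:
    """Case-insensitive variable lookup, as Windows treats variable names."""
    for key, value in scope.items():
        if key.lower() == name.lower():
            return value
    return None


def expand(command: str, *scopes: Dict[str, str]) -> str:
    """Expand %VAR% tokens, consulting scopes in order (first hit wins).

    Passing the user scope before the machine scope mirrors how a task running
    in the user's session sees a per-user override of a system variable.
    Unknown variables are left as written, which is also Windows' behaviour.
    """
    def sub(match: "re.Match[str]") -> str:
        for scope in scopes:
            value = _lookup(match.group(1), scope)
            if value is not None:
                return value
        return match.group(0)
    return _VAR.sub(sub, command)


def executable_token(action: str) -> str:
    """Return the program part of a task action, honouring a quoted path."""
    action = action.strip()
    if action.startswith('"'):
        return action[1:action.index('"', 1)]
    return action.split()[0]


@dataclass
class Finding:
    variable: str        # the user-scope variable that changed the resolution
    user_value: str      # what the user scope sets it to
    machine_value: Optional[str]
    resolved_exe: str    # where the task's executable actually resolves


def audit_task(action: str, user_env: Dict[str, str], machine_env: Dict[str, str]) -> List[Finding]:
    """Flag user-scope variables that move a privileged task's executable.

    A user can write HKCU\\Environment without elevation, so a per-user value
    for a system variable referenced by a highest-privilege task's action is
    the pattern a defender wants to alert on. Benign overrides that resolve to
    the same path produce no finding.
    """
    exe = executable_token(action)
    expected = expand(exe, machine_env)
    actual = expand(exe, user_env, machine_env)
    if actual.lower() == expected.lower():
        return []
    findings = []
    for name in _VAR.findall(exe):
        user_value = _lookup(name, user_env)
        if user_value is None:
            continue
        machine_value = _lookup(name, machine_env)
        if machine_value is None or user_value.lower() != machine_value.lower():
            findings.append(Finding(name, user_value, machine_value, actual))
    return findings


if __name__ == "__main__":
    # Constructed per-user environment with an override of the system variable.
    suspicious_user_env = {"windir": r"C:\Users\victim\AppData\Local\Temp"}
    for finding in audit_task(SILENTCLEANUP_ACTION, suspicious_user_env, MACHINE_ENV):
        print(f"user-scope {finding.variable}={finding.user_value!r} "
              f"redirects task executable to {finding.resolved_exe}")
```

The check deliberately compares the resolved executable path rather than looking for one specific variable, so it also catches an override of a differently named variable if a task's action were to reference one; the same audit can be run over every task whose XML carries RunLevel HighestAvailable.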

How the Chrome abuse was discovered

Researchers couldn’t find the payload files in the sample they analyzed, so they turned to VirusTotal to look inside the executable.

There they found that HoxLuSfo.exe is a 32-bit Microsoft Visual Studio .NET executable containing obfuscated code. This code prevents the browser from recognizing updates by modifying the hosts file on the infected asset.
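Because the article says only that the malware edits the hosts file to stop the browser from seeing updates, a defender's natural check is to parse that file and flag any entry that pins a browser-update hostname to an address. The parser below is an added example written for this article, not Rapid7's code, and the list of Chrome update hostnames is an assumption drawn from general knowledge of Google Update rather than from the article; the hosts file content is constructed.

```python
from dataclasses import dataclass
from typing import Iterable, List

# Assumed hostnames used by Chrome's update mechanism (not named in the article).
UPDATE_HOSTS = ("tools.google.com", "dl.google.com", "update.googleapis.com")

# Constructed hosts file: the default Windows header plus injected entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         tools.google.com      # constructed: sinks the update check
127.0.0.1       dl.google.com update.googleapis.com
192.0.2.10      intranet.example
"""


@dataclass
class HostsEntry:
    line_no: int
    address: str
    hostname: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: one address followed by one or more names,
    with '#' starting a comment anywhere on the line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        if len(parts) < 2:
            continue  # malformed line; nothing to resolve
        address, names = parts[0], parts[1:]
        for name in names:
            entries.append(HostsEntry(line_no, address, name.lower()))
    return entries


def _matches(hostname: str, watched: Iterable[str]) -> bool:
    """True if hostname equals or is a subdomain of any watched name."""
    return any(hostname == w or hostname.endswith("." + w) for w in watched)


def find_update_blocks(text: str, watched: Iterable[str] = UPDATE_HOSTS) -> List[HostsEntry]:
    """Return hosts entries that statically map a watched update hostname.

    Any static mapping is reported, not just loopback or 0.0.0.0: a mapping
    to a live address would silently redirect the update client elsewhere,
    which is worse than merely blocking it.
    """
    watched = tuple(w.lower() for w in watched)
    return [e for e in parse_hosts(text) if _matches(e.hostname, watched)]


if __name__ == "__main__":
    for entry in find_update_blocks(SAMPLE_HOSTS):
        print(f"line {entry.line_no}: {entry.hostname} pinned to {entry.address}")
```

On a Windows host the same function would be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; a non-empty result for update hostnames is a strong signal that something is suppressing browser updates, since legitimate software has no reason to pin those names.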

The payload can enumerate installed browsers, steal credentials from installed browsers, kill processes, and execute arbitrary commands.

Researchers detail both the campaign and the indicators of compromise in their post to help everyone prevent and fight off such attacks.

Laurentiu Titei
