
Researchers warn of increased malware delivery via fake browser updates
2023-10-17 10:18

ClearFake, a recently documented threat that leverages compromised WordPress sites to push malicious fake browser updates, is likely operated by the threat group behind the SocGholish fake-browser-update campaigns, Sekoia researchers have concluded.

The payloads downloaded in the subsequent stages create an iframe element to host the fake update interface, then fetch that interface, i.e. the fake update HTML page and its content, into it.

The visitor to the compromised site is ultimately shown a fake update page imitating Chrome, Edge or Firefox, claiming that they must update their browser to view the page's content.

According to Proofpoint researchers, the fake update pages are served in different languages, selected according to the language setting of the visitor's browser.
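The chain described above (a script pulled into the compromised site, which then builds an iframe and loads the fake update page from an attacker-controlled host) leaves traces in the served HTML that a site owner can scan for. The following heuristic scanner is an added example, not code from the article, Sekoia or Proofpoint; the site origin `https://example-blog.test`, the host `cdn.attacker.test` and the HTML snapshot are constructed for illustration and are not real ClearFake indicators. It flags script tags loaded from a foreign origin, inline scripts that build an iframe or decode/eval a payload, and iframes pointing off-site, marking the full-viewport ones as overlays.

```javascript
// Heuristic scan of a page snapshot for fake-update style injections.
// Added example; SITE_ORIGIN, the attacker host and SAMPLE_HTML are constructed.
const SITE_ORIGIN = "https://example-blog.test"; // hypothetical compromised WordPress site

const SAMPLE_HTML = `
<html><head>
<script src="https://example-blog.test/wp-includes/js/jquery.js"></script>
<script src="https://cdn.attacker.test/loader.js"></script>
<script>
  var f = document.createElement('iframe');
  f.src = 'https://cdn.attacker.test/update.html';
  document.body.appendChild(f);
</script>
</head><body>
<iframe src="https://cdn.attacker.test/update.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%"></iframe>
<iframe src="https://example-blog.test/embed/video"></iframe>
</body></html>`;

// Resolve a (possibly relative or protocol-relative) URL against the site and
// return its origin, or null when it cannot be parsed.
function originOf(url, base) {
  try { return new URL(url, base).origin; } catch (e) { return null; }
}

// Returns an array of findings: { kind, src?, snippet? }
function scanHtml(html, siteOrigin) {
  const findings = [];

  // 1. External scripts not served from the site's own origin.
  const scriptSrcRe = /<script[^>]*\ssrc=["']([^"']+)["'][^>]*>/gi;
  for (const m of html.matchAll(scriptSrcRe)) {
    if (originOf(m[1], siteOrigin) !== siteOrigin) {
      findings.push({ kind: "foreign-script", src: m[1] });
    }
  }

  // 2. Inline scripts (no src attribute) that build an iframe or decode/eval a blob.
  const inlineRe = /<script(?![^>]*\ssrc=)[^>]*>([\s\S]*?)<\/script>/gi;
  for (const m of html.matchAll(inlineRe)) {
    const body = m[1];
    const snippet = body.trim().replace(/\s+/g, " ").slice(0, 60);
    if (/createElement\(\s*['"]iframe['"]\s*\)/i.test(body)) {
      findings.push({ kind: "inline-iframe-builder", snippet });
    }
    if (/\b(atob|eval)\s*\(/.test(body)) {
      findings.push({ kind: "inline-decode-eval", snippet });
    }
  }

  // 3. Iframes whose src is off-site; a fixed, full-height one is an overlay lure.
  const iframeRe = /<iframe[^>]*\ssrc=["']([^"']+)["'][^>]*>/gi;
  for (const m of html.matchAll(iframeRe)) {
    if (originOf(m[1], siteOrigin) !== siteOrigin) {
      const overlay = /position\s*:\s*fixed/i.test(m[0]) && /height\s*:\s*100%/i.test(m[0]);
      findings.push({ kind: overlay ? "foreign-iframe-overlay" : "foreign-iframe", src: m[1] });
    }
  }
  return findings;
}

console.log(JSON.stringify(scanHtml(SAMPLE_HTML, SITE_ORIGIN), null, 2));
```

Run it against `curl`-fetched copies of the pages, not against the database alone: the injection may live in a theme file or a plugin rather than in post content, and the regexes are deliberately loose so they catch attributes in any order. Expect legitimate third-party scripts (analytics, CDNs) to show up as `foreign-script`; maintain an allowlist of known origins and treat anything new as worth a look.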

While Proofpoint does not attribute the ClearFake activity to a known actor, Sekoia researchers believe it might be the same one that's behind SocGholish: "The tactics, techniques and procedures leveraged by the ClearFake operators overlap with those of the SocGholish ones, in particular the use of watering holes, 'fake updates' lures, Keitaro traffic distribution system, Dropbox file hosting service and the masquerading of filename with Cyrillic characters."
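The last TTP in the quote, filenames masquerading with Cyrillic characters, is checkable at the point where a download or e-mail attachment name is logged. The code below is an added example, not from Sekoia or the article; the sample filenames are constructed and are not real ClearFake or SocGholish indicators, and the confusable table is a small hand-picked subset of the Unicode Cyrillic-to-Latin look-alikes, not a complete one. It reports two signals: a stem that mixes Latin and Cyrillic letters, and a name that becomes pure ASCII once look-alike characters are folded, which is what a spoofed "Chrome_Update.exe" looks like while a genuinely Cyrillic filename does not.

```javascript
// Detect Cyrillic look-alike masquerading in filenames.
// Added example with constructed inputs; CONFUSABLES is a partial table.
const CONFUSABLES = {
  "\u0430": "a", "\u0435": "e", "\u043E": "o", "\u0440": "p", "\u0441": "c",
  "\u0443": "y", "\u0445": "x",
  "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041A": "K", "\u041C": "M",
  "\u041D": "H", "\u041E": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
  "\u0425": "X",
};

// Classify one code point by script; null for digits, punctuation, etc.
function scriptOf(ch) {
  if (/\p{Script=Latin}/u.test(ch)) return "Latin";
  if (/\p{Script=Cyrillic}/u.test(ch)) return "Cyrillic";
  if (/\p{L}/u.test(ch)) return "Other";
  return null;
}

// Replace every Cyrillic look-alike in the table with its Latin twin.
function foldConfusables(name) {
  let out = "";
  for (const ch of name) out += CONFUSABLES[ch] !== undefined ? CONFUSABLES[ch] : ch;
  return out;
}

function codepointLabel(ch) {
  return ch + " (U+" + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0") + ")";
}

function analyzeFilename(name) {
  // Mixed-script check on the stem only, so a Latin extension such as ".exe"
  // does not turn an all-Cyrillic name into a "mixed" one.
  const dot = name.lastIndexOf(".");
  const stem = dot > 0 ? name.slice(0, dot) : name;
  const scripts = new Set();
  for (const ch of stem) {
    const s = scriptOf(ch);
    if (s) scripts.add(s);
  }
  // Non-Latin letters anywhere in the name, including the extension.
  const nonLatin = [];
  for (const ch of name) {
    const s = scriptOf(ch);
    if (s && s !== "Latin") nonLatin.push(codepointLabel(ch));
  }
  const folded = foldConfusables(name);
  const asciiAfterFold = /^[\x20-\x7E]+$/.test(folded);
  return {
    name,
    scripts: [...scripts].sort(),
    mixedScript: scripts.size > 1,
    nonLatin,
    folded,
    // Contains non-Latin letters, yet reads as plain ASCII once look-alikes are
    // folded: the hallmark of a homoglyph-spoofed Latin filename.
    homoglyphSpoof: nonLatin.length > 0 && asciiAfterFold,
  };
}

// Return only the names worth a second look.
function flagSuspicious(names) {
  return names.map(analyzeFilename).filter(r => r.mixedScript || r.homoglyphSpoof);
}

const SAMPLES = [                           // constructed sample names
  "ChromeUpdate.exe",                       // plain Latin
  "\u0421hrome_Update.exe",                 // leading CYRILLIC CAPITAL LETTER ES
  "upd\u0430te.msi",                        // CYRILLIC SMALL LETTER A in the middle
  "\u041E\u0431\u043D\u043E\u0432\u043B\u0435\u043D\u0438\u0435.exe", // genuine Cyrillic word
];

for (const r of flagSuspicious(SAMPLES)) console.log(JSON.stringify(r));
```

The two signals are deliberately separate: `mixedScript` is noisy for users who legitimately mix scripts, while `homoglyphSpoof` is the sharper indicator because a real-world filename rarely turns into clean ASCII by accident. Extend `CONFUSABLES` from the Unicode confusables data if you need coverage beyond the common Cyrillic pairs.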

"SocGholish and TA569 have demonstrated that compromising vulnerable websites to display fake browser updates works as a viable method for malware delivery, and new actors have learned from TA569 and started to adopt the lure in their own ways. These copycats may be using information stealers and RATs currently, but could easily pivot to being an initial access broker for ransomware," the Proofpoint researchers say.


News URL

https://www.helpnetsecurity.com/2023/10/17/clearfake-malware-fake-browser-updates/