A new malicious campaign has been detected recently by Rapid7’s Managed Detection and Response (MDR) team and Threat Intelligence and Detection Engineering (TIDE) team in which the hackers are targeting Windows using infostealer malware and delivering fake legitimate-looking Win 10 app.
In this malicious campaign, the threat actors infect the users’ systems by using a sophisticated technique that bypasses Windows cybersecurity protections called User Account Control (UAC) by exploiting a Windows environment variable and a native scheduled task.
A “browser ad service” prompts the user to take an action when the user visits a malicious website through the Chrome browser, and like this, the whole attack chain is initiated.
Sensitive data theft
In this campaign, the malware allows the hackers to perform the following actions on the infected PC:-
- Extract sensitive data
- Steal the cryptocurrency
- Prevent browser updates
- Allow for arbitrary command execution
Exploit
In this attack chain to exploit a version of the Chrome browser that is running on Windows 10, the hackers use a specially crafted malicious website, and through this chain, they deliver the payload.
To show notifications to the user, a domain, birchlerarroyo[.]com presented the notification requesting permission, and this is one of the key JavaScript files that include suspicious source code.
The user was forwarded to the specially crafted malicious webpage, that mimics the Chrome-update page, and all this happens when a user allows the notifications, once done, it starts alerting the user by showing notification of “Chrome need to be updated.”
Here, a suspicious executable named HoxLuSfo.exe makes spawn of a PowerShell command, and the suspicious executable, HoxLuSfo.exe is here spawned by sihost.exe.
The sihost.exe is a process that runs in the background to launch and maintain the Windows action and notification centers. Apart from this, the threat actors trick the users by linking fake Chrome browser update to a Windows application package that is an MSIX type file.
And the malicious package is named “oelgfertgokejrgre.msix” which was hosted on chromesupdate[.]com, and this malicious package mimics itself as a Windows application package.
The cybersecurity analyst, Andrew Iwamaye stated:-
“Since the malicious Windows application package installed by the MSIX file was not hosted on the Microsoft Store, a prompt is presented to enable installation of sideload applications, if not already enabled, to allow for the installation of applications from unofficial sources.”
Characteristics & behaviors of HoxLuSfo.exe
Here are the Characteristics and behaviors of HoxLuSfo.exe:-
- It’s a 32-bit Microsoft Visual Studio .NET executable containing obfuscated code.
- It is originally named TorE.exe.
- During its revelation, only 10 antivirus solutions detected it as malicious.
- It fingerprints the infected asset.
- It drops and leverages a 32-bit Microsoft Visual Studio .NET DLL.
- To prevent browser updates it modifies the host files on the infected asset.
- It enumerates installed web browsers and then steals credentials from them.
- It kills the processes like Google*, MicrosoftEdge*, setu*
- To steal cryptocurrency it contains specific functionality.
- On the infected asset for the execution of arbitrary commands, it contains specific functionality.
- It communicates with s1.cleancrack[.]tech and s4.cleancrack[.]tech through AES-encrypted messages with a key of e84ad660c4721ae0e84ad660c4721ae0.
- It has a PDB path of E:\msix\ChromeRceADMIN4CB\TorE\obj\Release\TorE.pdb.
This malware is sophisticated in nature, as it has multiple tricks and techniques up its sleeve. So, to stay safe users should always use a robust AV solution with the latest AV engine.
Moreover, the cybersecurity researchers of Rapid7has also provided a comprehensive list of indicators of compromise, and this list will definitely help the users prevent and mitigate such attacks.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates
.webp "DDoS Attack Lasted for 6 Days, Record created for the duration of the Cyberattack")
