Malware Disguised as Browser Update
Recently, AhnLab SEcurity intelligence Center (ASEC) identified the distribution of malware disguised as a browser update targeting a wide range of users. This malware is distributed through infected websites, and when users visit these sites, malicious scripts are loaded. The scripts create fake update windows for browsers like Chrome or Firefox, tricking users into downloading the malicious files.

Figure 1. Overall operation flow
The files being downloaded come in various formats such as EXE, ZIP, APPX, and, more recently, VHD. VHD files are disk images that are mounted as virtual drives when opened. Inside the VHD is a malicious LNK file that performs its malicious activities in a fileless manner via PowerShell commands. Ultimately, an executable built with .NET is loaded into memory; upon execution, it communicates with the threat actor's C&C server.

Figure 2. Files inside the VHD file
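As an added detection example (not code from the ASEC report), the following correlates a VHD mount event with a script host launched from the mounted drive shortly afterwards, which is the VHD -> LNK -> PowerShell chain described above. The telemetry records, field names, file names and the 10-minute window are all constructed assumptions, not a real log schema.

```python
"""Added detection example (not the report's code): correlate a VHD mount with
a script host launched from that drive soon after, mirroring the chain
VHD -> LNK -> PowerShell. Telemetry and field names below are constructed."""
import re
from datetime import datetime, timedelta

# Constructed sample events; "vhd_mount" stands in for a host's disk-mount log.
EVENTS = [
    {"time": "2024-05-01T10:00:00", "type": "vhd_mount", "drive": "E:",
     "vhd": "C:\\Users\\victim\\Downloads\\Browser_Update.vhd"},
    {"time": "2024-05-01T10:00:07", "type": "process_create",  # from the VHD
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe", "cwd": "E:\\",
     "cmdline": "powershell.exe <arguments omitted>"},
    {"time": "2024-05-01T11:30:00", "type": "process_create",  # benign use
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\explorer.exe", "cwd": "C:\\Users\\victim",
     "cmdline": "powershell.exe Get-Date"},
]

# Script hosts the report's chain touches: PowerShell (fileless stage),
# mshta.exe for the .hta, cmd.exe for the .bat.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
WINDOW = timedelta(minutes=10)  # a launch this soon after a mount is suspicious


def detect(events):
    """Return one alert per script host started from a recently mounted VHD."""
    mounts, alerts = [], []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["type"] == "vhd_mount":
            mounts.append((t, ev["drive"].upper(), ev["vhd"]))
        elif ev["type"] == "process_create":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name not in SCRIPT_HOSTS:
                continue
            haystack = f"{ev.get('cwd', '')} {ev.get('cmdline', '')}".upper()
            for mount_time, drive, vhd in mounts:
                # Drive must appear as a path root (E:\), not inside a word.
                on_drive = re.search(rf"(?<![A-Z0-9]){re.escape(drive)}\\", haystack)
                if on_drive and timedelta(0) <= t - mount_time <= WINDOW:
                    alerts.append({"time": ev["time"], "host": name, "drive": drive,
                                   "parent": ev["parent"], "vhd": vhd})
    return alerts
```

On real telemetry the mount record would come from the host's virtual-disk or volume-mount logging and the process records from an EDR or Sysmon-style process-creation source; the correlation logic stays the same.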
The threat actor uses external repositories during the attack, and cases in which legitimate services such as external repositories are abused for malware distribution have been increasing recently.
This report explains the execution process of the malware disguised as a browser update.
Overview
Malware Analysis
  1. Operation Process
  2. Analysis by File
    2.1. VHD
    2.2. LNK
    2.3. MOC.hta (Fileless)
    2.4. Cloud.bat
    2.5. EXE (Fileless)
    2.6. DLL (Fileless)
AhnLab Response Overview
Conclusion
Indicators of Compromise (IoCs)
  File Hashes (MD5s)
  Related Domains, URLs, and IP Addresses