Businesses across the world have been targeted by a new cyber scam that impersonates Google Chrome update download pages.
Researchers at Proofpoint identified the malware campaign targeting organizations in Canada, France, Germany, Spain, Italy, the United Kingdom, and the United States, with thousands of messages sent around the world over the course of just a few weeks.
The messages told the victims they needed to upgrade to the latest version of the Google Chrome or Internet Explorer browser, but actually included links to websites compromised with malware.
Google Chrome malware
Proofpoint attributed the campaign to the prolific threat actor TA569, also known as SocGholish, as the messages included links to websites compromised with SocGholish HTML injects.
These injects analyse the geolocation, operating system, and browser of the visitor, and if the visitor is deemed a suitable victim, attempt to convince them to click on a link in the email message.
Rather than the promised Google Chrome update, however, clicking on this link downloads one of several malicious payloads. Proofpoint’s analysis spotted a banking Trojan (Chthonic), a variant of the notorious Zeus banking Trojan, as well as remote-control software (NetSupport) that can give hackers remote access to compromised systems.
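A small triage helper for the lure described above, added here as an example and not code from Proofpoint or the original article: it flags links that sit in an "update your browser" message but point somewhere other than the vendor's own download hosts. The vendor allowlist and the sample email are constructed assumptions for the example, not indicators from the campaign.

```python
"""Flag 'browser update' lures whose links lead off the vendor's domains."""
import re
from urllib.parse import urlparse

# Assumption: hosts the browser vendors genuinely use for downloads.
# Extend this allowlist for your own environment.
VENDOR_UPDATE_HOSTS = {"google.com", "dl.google.com", "microsoft.com"}

# "update/upgrade ... Chrome / Internet Explorer" within a short window.
UPDATE_LURE = re.compile(
    r"\b(update|upgrade)\b.{0,80}\b(chrome|internet explorer)\b",
    re.IGNORECASE | re.DOTALL,
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_vendor(url: str) -> bool:
    """True only if the host is an allowlisted vendor host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in VENDOR_UPDATE_HOSTS)


def flag_update_lures(body: str) -> list[dict]:
    """Return every link in an update-themed message that points off-vendor."""
    if not UPDATE_LURE.search(body):
        return []  # no update lure wording, nothing to flag here
    return [
        {"url": url, "host": urlparse(url).hostname,
         "reason": "browser update lure links to non-vendor host"}
        for url in URL_RE.findall(body)
        if not host_is_vendor(url)
    ]


# Constructed sample message mimicking the lure (not a real campaign email).
SAMPLE_EMAIL = """Dear customer,
Your browser is out of date. You must upgrade to the latest version of Google Chrome
before continuing: http://compromised-site.example/wp-content/update.php
Official page: https://www.google.com/chrome/
"""

if __name__ == "__main__":
    for finding in flag_update_lures(SAMPLE_EMAIL):
        print(finding)
```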
The attack targeted a number of major businesses across multiple verticals, including education, state governments, manufacturing, and numerous others.
“While this technique isn’t new, it’s still effective because it exploits the intended recipient’s desire to practice good security hygiene,” Proofpoint wrote in a blog post outlining the findings.
“Keeping software updated is a common piece of security advice, and this actor uses that to their advantage. These campaigns illustrate that malware and threat actor tactics don’t have to be novel to find success, even in today’s rapidly changing threat landscape.”