A sophisticated malware distribution campaign appears to have run for approximately 4 months, and security researchers are now reporting the main features of this evasive scheme. Researchers from Malwarebytes and other cyber security companies analyzed multiple infections and traced their origin, only to discover a much larger operation than a handful of isolated incidents.
“FakeUpdates” campaign compromised WordPress and Joomla websites
The campaign is reported to have begun sometime in December 2017 and to have continued for quite some time. It is dubbed “FakeUpdates” because rogue update offers were presented to unsuspecting users: anyone who agreed to download the supposedly helpful update actually received malware. Many websites have been hacked recently. Magento stores were compromised and unknowingly helped hackers spread malware, steal credit card details and distribute crypto-miners. GitHub suffered another blow when a DDoS attack took its website down for approximately 10 minutes.
The first traces of this “FakeUpdates” campaign were detected at the end of December 2017, but at the time researchers were unable to put the pieces together and recognize that the fake updates were part of a well-organized plan. According to sources, multiple website platforms were compromised during the campaign. Most of the affected websites were hacked because they had not been updated in quite some time, so they contained known vulnerabilities that cyber criminals exploited.
Multiple WordPress and Joomla websites were unknowingly distributing rogue Chrome, Firefox and other fake updates of popular programs. We have already covered several incidents involving WordPress websites: in January, 5,000 websites were hacked and modified to spread key-loggers.
More details about this malware distribution campaign
FireEye researchers indicated that these rogue notifications were used to distribute various malicious programs, including the NetSupport Manager remote access tool (RAT). Although this program is commercially available and legitimate, that does not stop hackers from abusing it: installed on victims’ systems without their knowledge, it gives the attackers unauthorized access to those machines.
Researchers have described the FakeUpdates campaign as a well-thought-out scam. The initial JavaScript contains obfuscation that prevents it from being detected by security programs, and the malware includes further tricks that make it difficult for researchers to analyze.
The downloaded “update”, which is in fact a JavaScript file, collects information about the victim’s machine and transfers it to the server that sends commands back to the file. Once the JavaScript has run, the final malware is downloaded under the name “Update.js”. At first glance it looks like a file for an update, but it is malicious.
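The article’s point is that a genuine browser update never arrives as a .js file pulled from a third-party website: Chrome and Firefox update themselves through their vendors’ own infrastructure. The following added example, which is not from the article or from any of the researchers it cites, turns that observation into a simple web-proxy log triage: it flags downloads of JavaScript files with update-themed names (the article gives the name “Update.js”; the other name variants are hypothetical) from hosts outside a small vendor allowlist. The log format, domains and client addresses are constructed for illustration.

```python
"""Flag browser-"update" JavaScript downloads from non-vendor hosts.

Added example (not from the article). Assumptions: a one-line-per-request
proxy log in the constructed format below, and a defender-maintained
allowlist of domains from which real browser updates are fetched.
"""
import re
from urllib.parse import urlparse

# Assumption: domains genuine browser/OS updates come from. Extend for your
# environment; the point is that a .js "update" from anywhere else is suspect.
VENDOR_UPDATE_DOMAINS = {"google.com", "mozilla.org", "microsoft.com"}

# "update.js" is the payload name given in the article; the chrome/firefox
# variants are hypothetical additions a defender might want to watch for.
LURE_NAME_RE = re.compile(
    r"(?:^|/)(update|chrome[-_]?update|firefox[-_]?update)\.js$", re.IGNORECASE
)

# Constructed sample log: "<timestamp> <client_ip> <method> <url> <status> <bytes>"
SAMPLE_LOG = """\
2018-04-02T10:01:13Z 10.0.0.21 GET https://www.example-blog.test/wp-content/themes/x/main.css 200 5120
2018-04-02T10:01:19Z 10.0.0.21 GET https://cdn.example-lure.test/chrome/Update.js 200 18342
2018-04-02T10:02:05Z 10.0.0.33 GET https://dl.google.com/update2/installers/ChromeSetup.exe 200 1120384
2018-04-02T10:03:44Z 10.0.0.45 GET https://shop.joomla-site.test/media/firefox-update.js 200 17988
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def host_is_vendor(host):
    """True if host equals, or is a subdomain of, an allowlisted vendor domain."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in VENDOR_UPDATE_DOMAINS)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(size)}


def find_fake_update_downloads(log_text):
    """Return one hit per request for an update-named .js file from a non-vendor host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        # Only the path is matched against the lure name; the host decides
        # whether the download is plausible at all.
        if LURE_NAME_RE.search(parsed.path) and not host_is_vendor(parsed.hostname):
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "host": parsed.hostname, "path": parsed.path})
    return hits


if __name__ == "__main__":
    for hit in find_fake_update_downloads(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['client']} fetched {hit['path']} from {hit['host']}")
```

Each hit names the internal client that fetched the file, which is the host to isolate and examine for the RAT the article mentions; the legitimate ChromeSetup.exe download from dl.google.com is deliberately not flagged, because an allowlist on the serving host, not the file name alone, is what separates a real update from a lure.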
In theory, fake updates should no longer be a problem, since security researchers constantly remind users to install updates only from reliable sources. In practice, fake Google Chrome and Mozilla Firefox updates are still thriving and distributing ransomware, Trojans, key-loggers and other types of malicious content.