Google Chrome is Abused to Deliver Malware as ‘Legit’ Win 10 App

Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency.

Crooks behind a newly identified malware campaign are targeting Windows 10 with malware that can infect systems via a technique that cleverly bypasses Windows cybersecurity protections called User Account Control (UAC).

Researchers from Rapid7 recently identified the campaign and warn the goal of the attackers is to extricate sensitive data and steal cryptocurrency from the targeted infected PC.

Andrew Iwamaye, Rapid7 research analyst, said that the malware maintains persistence on PC “by abusing a Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privileges.”
Infosec Insiders Newsletter

Iwamaye wrote in a blog post published Thursday, the attack chain is initiated when a Chrome browser user visits a malicious website and a “browser ad service” prompts the user to take an action. Inquiries as to what the researcher is identifying as a “browser ad service” have not been returned as of this writing.

Attack Target: Credentials & Cryptocurrency  

The ultimate goal of the attackers is using the info-stealer malware to nab data such as browser credentials and cryptocurrency. Additional malicious behavior includes preventing the browser from updating and creating system conditions ripe for arbitrary command execution, Iwamaye wrote:

Attackers are using a compromised website specially crafted to exploit a version of the Chrome browser (running on Windows 10) to deliver the malicious payload, researchers found. Investigations into infected users’ Chrome browser history file showed redirects to a number of suspicious domains and other unusual redirect chains before initial infection, Iwamaye wrote.

“In the first investigation, the user’s Chrome profile revealed that the site permission settings for a suspicious domain, birchlerarroyo[.]com, were altered just prior to the redirects,” he wrote. “Specifically, the user granted permission to the site hosted at birchlerarroyo[.]com to send notifications to the user.”

Upon further analysis, researchers found that birchlerarroyo[.]com presented a browser notification requesting permission to show notifications to the user. This as well as a reference to a suspicious JavaScript file in its source code led theRapid7 team to suspect that it had been compromised, Iwamaye said.

It’s unclear from the research, why or how a user would be coaxed into permitting the site to send notification requests via the Chrome browser. However, once notifications were permitted the browser user was alerted that their Chrome web browser needed to be updated. They were then forwarded to a “convincing Chrome-update-themed webpage.”

This is image is of the Rapid7 fake and malicious Chrome browser update page.

This is image is of the fake and malicious Chrome browser update page researchers at Rapid7 found.

Malicious Windows App in Sheep’s Clothing

The malicious Chrome browser update linked to a Windows application package called a MSIX type file. The file name of the MSIX is “oelgfertgokejrgre.msix” and was hosted at a domain chromesupdate[.]com. Rapid7 researchers confirmed file was a Windows application package.

The fact the malicious payload was a Windows application file is significant for several reasons.

“The malware we summarized in this blog post has several tricks up its sleeve. Its delivery mechanism via an ad service as a Windows application (which does not leave typical web-based download forensic artifacts behind), Windows application installation path, and UAC bypass technique by manipulation of an environment variable and native scheduled task can go undetected by various security solutions or even by a seasoned SOC analyst,” Iwamaye wrote.

The researcher further explained:

“Since the malicious Windows application package installed by the MSIX file was not hosted on the Microsoft Store, a prompt is presented to enable installation of sideload applications, if not already enabled, to allow for installation of applications from unofficial sources,” the researcher wrote.

Once In, The Exploitation Begins

If the malicious Chrome update is executed the machine is infected and the attack begins.

The first stage of the attack involves a PowerShell command spawned by an executable named HoxLuSfo.exe, which itself was spawned  by sihost.exe, a background process that launches and maintains the Windows action and notification centers.

The command’s purpose was to perform a Disk Cleanup Utility UAC bypass, which is possible because of “a vulnerability in some versions of Windows 10 that allows a native scheduled task to execute arbitrary code by modifying the content of an environment variable,” Iwamaye wrote.

Specifically, the PowerShell command exploited the use of the environment variable %windir% in the path specified in the “SilentCleanup” scheduled task by altering the value set for the variable. The command deleted the existing %windir% environment variable and replaced it with a new one set to: %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM.

This then configured the scheduled task “SilentCleanup” to execute the following command whenever the task “SilentCleanup” was triggered: %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM\system32\cleanmgr.exe /autoclean /d %systemdrive%.

This process allows the PowerShell Command to hijack the “SilentCleanup” scheduled task to run desired executables—in this case, HoxLuSfo.exe and st.exe, the latter with elevated privileges, Iwamaye wrote.

Payload Operations

Researchers couldn’t retrieve the payload files from the sample that they analyzed because they were no longer present when they investigated. However, they used samples from VirusTotal to peer under the hood.

What they found was that HoxLuSfo.exe is a 32-bit Microsoft Visual Studio .NET executable containing obfuscated code that can modify the hosts file on the infected asset to prevent correct resolution of common browser update URLs to prevent browser updates, Iwamaye wrote.

The payload also enumerates installed browsers and steals credentials from installed browsers; kills processes named Google, MicrosoftEdge and setu; and includes functionality to steal cryptocurrency as well as to execute arbitrary commands on the infected asset, he wrote.

Researchers provide both a detailed forensic analysis of the campaign as well as a comprehensive list of indicators of compromise in the post to help users prevent and mitigate attacks.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles

Discussion

  • Petre on

    Microsoft edge like chrome even it is setted to highest level with edge go inside users malwares and hydra virus,
  • Holly&Snoop on

    Every day in every way we're basically effed.
  • Sheloob Said on

    I can give the researchers more info and its more than tbis. Even google is unable to support or microsoft. But i have sat behind this with all my devices. I phone, note, blackberry and a combination of all and still people are unable to support because no one is underatanding whats going on. Can i speak to one of the researchers and share more info about this please
  • Anonymous on

    good, let user of google know the targeting scam ,stealing actions.
  • Tony on

    If threatpost is going to start showing with these sorts of exploits involving changes to site permissions and downloading browser extensions from unofficial sources, along with several other human mistakes, there is going to be nothing but these stories all year long. Welcome to the Internet.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.