Google Chrome is Abused to Deliver Malware as ‘Legit’ Win 10 App

Malware delivered via a compromised website on Chrome browsers can bypass User Account Controls to infect systems and steal sensitive data, such as credentials and cryptocurrency.

Crooks behind a newly identified malware campaign are targeting Windows 10 with malware that can infect systems via a technique that cleverly bypasses Windows cybersecurity protections called User Account Control (UAC).

Researchers from Rapid7 recently identified the campaign and warn the goal of the attackers is to extricate sensitive data and steal cryptocurrency from the targeted infected PC.

Andrew Iwamaye, Rapid7 research analyst, said that the malware maintains persistence on PC “by abusing a Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privileges.”
Infosec Insiders Newsletter

Iwamaye wrote in a blog post published Thursday, the attack chain is initiated when a Chrome browser user visits a malicious website and a “browser ad service” prompts the user to take an action. Inquiries as to what the researcher is identifying as a “browser ad service” have not been returned as of this writing.

Attack Target: Credentials & Cryptocurrency  

The ultimate goal of the attackers is using the info-stealer malware to nab data such as browser credentials and cryptocurrency. Additional malicious behavior includes preventing the browser from updating and creating system conditions ripe for arbitrary command execution, Iwamaye wrote:

Attackers are using a compromised website specially crafted to exploit a version of the Chrome browser (running on Windows 10) to deliver the malicious payload, researchers found. Investigations into infected users’ Chrome browser history file showed redirects to a number of suspicious domains and other unusual redirect chains before initial infection, Iwamaye wrote.

“In the first investigation, the user’s Chrome profile revealed that the site permission settings for a suspicious domain, birchlerarroyo[.]com, were altered just prior to the redirects,” he wrote. “Specifically, the user granted permission to the site hosted at birchlerarroyo[.]com to send notifications to the user.”

Upon further analysis, researchers found that birchlerarroyo[.]com presented a browser notification requesting permission to show notifications to the user. This as well as a reference to a suspicious JavaScript file in its source code led theRapid7 team to suspect that it had been compromised, Iwamaye said.

It’s unclear from the research, why or how a user would be coaxed into permitting the site to send notification requests via the Chrome browser. However, once notifications were permitted the browser user was alerted that their Chrome web browser needed to be updated. They were then forwarded to a “convincing Chrome-update-themed webpage.”

This is image is of the Rapid7 fake and malicious Chrome browser update page.

This is image is of the fake and malicious Chrome browser update page researchers at Rapid7 found.

Malicious Windows App in Sheep’s Clothing

The malicious Chrome browser update linked to a Windows application package called a MSIX type file. The file name of the MSIX is “oelgfertgokejrgre.msix” and was hosted at a domain chromesupdate[.]com. Rapid7 researchers confirmed file was a Windows application package.

The fact the malicious payload was a Windows application file is significant for several reasons.

“The malware we summarized in this blog post has several tricks up its sleeve. Its delivery mechanism via an ad service as a Windows application (which does not leave typical web-based download forensic artifacts behind), Windows application installation path, and UAC bypass technique by manipulation of an environment variable and native scheduled task can go undetected by various security solutions or even by a seasoned SOC analyst,” Iwamaye wrote.

The researcher further explained:

“Since the malicious Windows application package installed by the MSIX file was not hosted on the Microsoft Store, a prompt is presented to enable installation of sideload applications, if not already enabled, to allow for installation of applications from unofficial sources,” the researcher wrote.

Once In, The Exploitation Begins

If the malicious Chrome update is executed the machine is infected and the attack begins.

The first stage of the attack involves a PowerShell command spawned by an executable named HoxLuSfo.exe, which itself was spawned  by sihost.exe, a background process that launches and maintains the Windows action and notification centers.

The command’s purpose was to perform a Disk Cleanup Utility UAC bypass, which is possible because of “a vulnerability in some versions of Windows 10 that allows a native scheduled task to execute arbitrary code by modifying the content of an environment variable,” Iwamaye wrote.

Specifically, the PowerShell command exploited the use of the environment variable %windir% in the path specified in the “SilentCleanup” scheduled task by altering the value set for the variable. The command deleted the existing %windir% environment variable and replaced it with a new one set to: %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM.

This then configured the scheduled task “SilentCleanup” to execute the following command whenever the task “SilentCleanup” was triggered: %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM\system32\cleanmgr.exe /autoclean /d %systemdrive%.

This process allows the PowerShell Command to hijack the “SilentCleanup” scheduled task to run desired executables—in this case, HoxLuSfo.exe and st.exe, the latter with elevated privileges, Iwamaye wrote.

Payload Operations

Researchers couldn’t retrieve the payload files from the sample that they analyzed because they were no longer present when they investigated. However, they used samples from VirusTotal to peer under the hood.

What they found was that HoxLuSfo.exe is a 32-bit Microsoft Visual Studio .NET executable containing obfuscated code that can modify the hosts file on the infected asset to prevent correct resolution of common browser update URLs to prevent browser updates, Iwamaye wrote.

The payload also enumerates installed browsers and steals credentials from installed browsers; kills processes named Google, MicrosoftEdge and setu; and includes functionality to steal cryptocurrency as well as to execute arbitrary commands on the infected asset, he wrote.

Researchers provide both a detailed forensic analysis of the campaign as well as a comprehensive list of indicators of compromise in the post to help users prevent and mitigate attacks.

Check out our free upcoming live and on-demand online town halls – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Suggested articles