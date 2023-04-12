Malicious actors are hijacking websites to inject fake Google Chrome automatic update error scripts to distribute malware to visitors, according to an NTT report.

NTT security analyst Rintaro Koike says the campaign has been operating since November 2022. It kicked up a gear in February 2023 and expanded its scope to target Japanese, Korean, and Spanish-speaking users.

Sites infected with these malicious scripts include adult sites, news sites, online stores, and blogs.

The injected JavaScript runs in the visitor's browser as the page loads and fetches further scripts only when the visitor falls within the campaign's target audience, so visitors outside it are not served the later stages.

Blocklisting the delivery infrastructure is ineffective because the follow-on scripts are served through the Pinata InterPlanetary File System (IPFS) service. IPFS is content-addressed: a file is retrieved by its hash rather than from a fixed server, and any public IPFS gateway can serve it, so there is no single host to block and the origin of the malicious files is obscured.
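As an added example (not code from the NTT report or from the page), the Python below shows the kind of check a site owner or analyst can run instead of relying on an IP blocklist: it parses a page's HTML and flags any external script whose source is IPFS content, whether reached through a path gateway (/ipfs/ or /ipns/), a subdomain gateway (<cid>.ipfs.<gateway>) or a native ipfs:// URL. The sample HTML, the gateway hostnames and the content identifier in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# IPFS content is fetched by content identifier (CID), not by server, so the
# tell-tale sign is the URL shape rather than the hostname: path gateways serve
# /ipfs/<cid>/... or /ipns/<name>/..., subdomain gateways serve
# <cid>.ipfs.<gateway>/..., and native links use the ipfs:// scheme.
IPFS_PATH = re.compile(r"^/(ipfs|ipns)/[^/]+", re.IGNORECASE)
IPFS_SUBDOMAIN = re.compile(r"\.(ipfs|ipns)\.", re.IGNORECASE)


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def is_ipfs_url(url):
    """True if the URL points at IPFS content through any common gateway form."""
    parsed = urlparse(url)
    if parsed.scheme.lower() in ("ipfs", "ipns"):
        return True
    if IPFS_PATH.match(parsed.path):
        return True
    return bool(IPFS_SUBDOMAIN.search(parsed.netloc))


def find_ipfs_scripts(html):
    """Return the src of every <script> in html that loads from IPFS."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    return [src for src in collector.srcs if is_ipfs_url(src)]


# Constructed sample page: one first-party script, one ordinary CDN script and
# two injected loaders served through IPFS gateways. The gateway hosts and the
# CID are made up for this example.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/jquery.min.js"></script>
<script src="https://gateway.example/ipfs/bafyexampleconstructedcid/loader.js"></script>
<script src="https://bafyexampleconstructedcid.ipfs.dweb.example/u.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src in find_ipfs_scripts(SAMPLE_HTML):
        print("IPFS-hosted script:", src)
```

A blocklist of gateway domains is a weak control because anyone can stand up a gateway; matching the URL shape survives a change of gateway. It will also flag legitimate IPFS use, so treat a hit as a triage signal for the script's content rather than proof of compromise.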

When a user visits a compromised site, the malicious code displays a fake Google Chrome error screen, claiming that an automatic update required to browse the website failed to install.

“UPDATE EXCEPTION. An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the automatic update,” it reads.

It then automatically downloads a “release.zip” file disguised as a Chrome update.

However, the downloaded file includes a Monero miner that hijacks a device’s CPU resources to mine cryptocurrency for the malicious actors behind the campaign.

When launched, the malware copies itself into C:\Program Files\Google\Chrome as "updater.exe", a name and location that make it look like a legitimate Chrome component, then starts a second executable that performs process injection so the miner runs from memory rather than from a file on disk.

The malware also takes steps to protect itself. It disables Windows Update and cuts security products off from their vendors' servers by rewriting the hosts file (C:\Windows\System32\drivers\etc\hosts) so that the vendors' hostnames resolve to an address of the attacker's choosing, which blocks signature updates and cloud look-ups. It may also disable antivirus software altogether.
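That hosts-file tampering is straightforward to check for. The Python below is an added example, not code from the NTT report: it parses hosts-file text the way the resolver does (first token is the address, the remaining tokens are names, `#` starts a comment) and reports two things: any name under a watchlist of domains that security tooling depends on, and any non-local name pointed at a loopback or unspecified address, which is the usual shape of such redirections. The watchlist domain (av-vendor.example) and the hosts-file contents are constructed for illustration; a real deployment would read the live hosts file and list the vendor domains of the products actually installed.

```python
import ipaddress

# Names a hosts file legitimately maps to loopback; anything else pointed at
# 127.0.0.1, 0.0.0.0 or ::1 deserves a look.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost",
               "ip6-loopback", "broadcasthost"}

# Constructed watchlist: in practice list the update, telemetry and cloud
# look-up domains of the security products installed on the host.
WATCHLIST = {"av-vendor.example"}


def parse_hosts(text):
    """Yield (line_number, address, name) for every mapping in hosts text."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                      # address with no names
            continue
        address, names = parts[0], parts[1:]
        for name in names:
            yield lineno, address, name.lower().rstrip(".")


def is_sinkhole(address):
    """True if address is loopback, unspecified (0.0.0.0 / ::) or unparsable."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True                             # garbage address resolves to nothing useful
    return ip.is_loopback or ip.is_unspecified


def on_watchlist(name, watchlist):
    """True if name is a watchlist domain or a subdomain of one."""
    return name in watchlist or any(name.endswith("." + w) for w in watchlist)


def find_hosts_tampering(text, watchlist=WATCHLIST):
    """Return [(line_number, address, name, reason)] for suspicious entries."""
    findings = []
    for lineno, address, name in parse_hosts(text):
        if name in LOCAL_NAMES:
            continue
        if on_watchlist(name, watchlist):
            findings.append((lineno, address, name, "security vendor domain overridden"))
        elif is_sinkhole(address) and "." in name:
            findings.append((lineno, address, name, "public name pointed at sinkhole address"))
    return findings


# Constructed hosts file: the default localhost lines, then the kind of entries
# the miner writes (vendor domains sent to 0.0.0.0 / 127.0.0.1), plus an
# unrelated local override that the heuristic also surfaces.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
0.0.0.0         updates.av-vendor.example      # constructed
127.0.0.1       telemetry.av-vendor.example cloud.av-vendor.example
127.0.0.1       intranet.corp.example
"""

if __name__ == "__main__":
    for lineno, address, name, reason in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"line {lineno}: {address} {name}  ({reason})")
```

The sinkhole heuristic also catches deliberate administrator overrides (the intranet line above), so treat its output as triage rather than verdict. Pair it with a check for an unexpected updater.exe in the Chrome directory and for a Windows Update service that has been stopped or disabled.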

