According to security researcher Rintaro Koike (opens in new tab), hackers have been overwriting legitimate web pages with fake Chrome update messages designed to install malware that can evade antivirus detection – and worse.
Initially observed from November 2022, Koike explains that the attack campaign became active in February 2023, targeting predominantly Japanese websites as well as some geared towards Korean and Spanish language ones.
Having moved beyond its Japanese locale, researchers suspect it may continue to spread, adapt, and evolve, warning other Internet users of the potential threats.
Fake Google Chrome update malware
Compromised websites have JavaScript code that runs scripts to determine targets. Positive results lead to a page that warns of an “Update Exception.” It reads:
“An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update.”
The lack of urgency actually works in the favor of the threat actors, helping the malware scam to stand out less compared to other scams.
A .zip file disguised as the Chrome update is later installed, but instead of a legitimate Chrome update the file contains a Monero miner designed to mine the cryptocurrency at the expense of the victim’s CPU.
According to the research, the miner excludes itself from Windows Defender settings, suspends Windows Update services, and rewrites host files to compromise threat detection tools like antivirus software, helping it to fly under the radar.
Showing no signs of stopping, the code is allegedly compatible with over 100 languages, which presents a potentially significant threat moving forward.
Alongside adequate malware removal, Internet users are advised not to download software from popups; instead they should revisit the page directly from the legitimate company’s website.
It’s also worth noting that Chrome typically handles updates via an in-built updater and there’s no need to download additional packages from a website.
