Fake Chrome updates spread malware

Compromised websites are causing big headaches for Chrome users. A campaign running since November 2022 is using hacked sites to push fake web browser updates to potential victims.

Researcher Rintaro Koike says this campaign has now expanded to also target those who speak Korean, Spanish, and Japanese. Additionally, Bleeping Computer notes that the affected sites include news sites, online stores, and adult portals. The attackers are most likely choosing sites based on how vulnerable they are rather than on the content they serve. As a result, it’s difficult to predict where these bogus updates will appear next.

How the fake update attack works

Once a website is compromised, injected malicious JavaScript runs when an unsuspecting visitor lands on the page. If you’re deemed to be an “acceptable” target for the attack, more scripts are downloaded and a fake update lies in your immediate future.

Potential victims are shown what appears to be a genuine web browser error of some sort, from inside the browser window. It says:

UPDATE EXCEPTION

An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update.

ERR_INSTALL_INTERRUPT

A ZIP file is then automatically downloaded under the guise of a supposed Chrome update. If you’re familiar with how Chrome updates, you’d probably decide to delete the file at this point because this isn’t exactly normal. However, a lot of folks out there will probably panic at the sight of the ZIP, assume something has gone horribly wrong with their browser, and open it up.

Sadly, all you’d be doing when launching the file is executing a Monero miner. Monero miners are trojans which hog your computer’s CPU to mine for cryptocurrency. The scammers try to get rich while your system resources are diverted away from what they should be doing. In a worst-case scenario, your device could overheat, slow down, or simply crash.

Monero miners can be seen doing the rounds in everything from Linux malware to Windows botnets.

According to the researchers, in this case the malware also shuts down Windows Update and adds itself as an exclusion to Windows Defender, as well as “disrupting the communication of security products with their servers”. A desktop PC with a miner hiding under the hood, security tools broken, and updates turned off, meaning the device will likely become less secure as time passes? Someone’s hit the Monero moneymaker on this occasion.
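As an added example (not from the original post or from the researchers), here is a PowerShell triage check for the two host changes described above: it lists every Microsoft Defender exclusion and flags a Windows Update service that has been set to Disabled. It assumes an elevated session on a Windows host where the Defender cmdlets are available.

```powershell
# Added triage example, not code from the post: surface the two changes the
# article attributes to this miner so an analyst can review them by hand.
# Assumes an elevated PowerShell session with the Defender module present.

$findings = @()

# 1. Defender exclusions. Legitimate exclusions exist, but every entry here
#    should be recognisable; a miner's drop folder or executable will not be.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings += "Defender path exclusion: $p" } }
foreach ($x in @($pref.ExclusionExtension)) { if ($x) { $findings += "Defender extension exclusion: $x" } }
foreach ($e in @($pref.ExclusionProcess))   { if ($e) { $findings += "Defender process exclusion: $e" } }

# 2. Windows Update service (wuauserv). A client whose update service has been
#    set to Disabled will silently stop receiving security fixes.
$wu = Get-Service -Name wuauserv
if ($wu.StartType -eq 'Disabled') {
    $findings += "Windows Update service is Disabled (current status: $($wu.Status))"
}

# Report. Any line here is a lead to investigate, not proof of infection.
if ($findings.Count -eq 0) {
    "No Defender exclusions found and Windows Update is not disabled."
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Run it on a known-clean machine first so you know which exclusions your own tooling adds; everything else is worth a closer look.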

How to update Chrome

Updating your web browser, whether Chrome or something else, is incredibly easy to do. Most of the time it’s completely automatic, and potentially done entirely out of your field of view. You may be asked to configure the process just once, at first install, and then never have to think about it again. At best, you may open up your browser, see a message telling you that you’re now running the latest version, and then go back to not having to think about it.

Maybe the very hands-off approach plays a small part in why people download ZIPs like the one above. We’re so used to never seeing updates take place that when we’re told about one out of the blue, we assume it’s the real deal.

Either way, your web browser should never ask you to download random ZIP files and install the contents. All of your browser updating is supposed to happen inside of the web browser.

To update your browser manually, or at least get a feel for how this process takes place:

  • Click the 3 vertical dots on the right-hand side of your URL bar.
  • Select Help > About Google Chrome.

From here, you can see which version of Chrome you’re running. If an update is waiting in the wings, it should start downloading automatically. Once the download is complete, you’re usually asked to relaunch the browser to finish the update. The “What’s New” button will also tell you about major changes to browser functionality.

Again: you should never have to download a file, ZIP, or anything else from a website in order to supposedly update your browser. Avoid these so-called updates, keep genuine updating restricted to the browser itself, and you should be fine.
