Bogus browser updates that mimic notifications from Google Chrome, Mozilla Firefox, and Microsoft Edge are being increasingly used by criminals to install malware on target computers.
Cybersecurity firm Proofpoint issued its latest bulletin on October 17th, where it revealed that the threat group codenamed TA569 had been using such lures to deploy its SocGholish malware for five years.
The group is believed to be an initial access broker, a facilitator for ransomware gangs that sells illegally obtained sensitive data used to break past a target organization's cyber defenses.
“Fake browser updates refer to compromised websites that display what appears to be a notification from the browser developer such as Chrome, Firefox, or Edge, informing them that their browser software needs to be updated,” said Proofpoint. “When a user clicks on the link, they do not download a legitimate browser update but rather harmful malware.”
The cybersecurity analyst adds that it is currently monitoring “at least four distinct threat clusters” that use this tactic. It notes, however, that not all groups on its radar use the same lure to deliver the same payload.
“It is important to identify to which campaign and malware cluster the threat belongs, to help guide defender response,” said Proofpoint. “Specific indicators of compromise associated with the identified activities change regularly, as the threat actors are routinely moving their infrastructure and changing details in their payloads.”
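Because the specific indicators change as often as Proofpoint describes, defenders tend to hunt for the behaviour of the lure itself rather than for individual hashes or domains: a file whose name promises a browser "update" or "setup", fetched from a host that is not the browser vendor's, with a referrer pointing at an ordinary website. The following Python script is an added example written for this article, not Proofpoint's tooling; it runs over a constructed set of web-proxy log lines (timestamp, client, method, URL, content type, referrer, all made up for illustration) and the vendor download hosts in its allowlist are an assumption that a real deployment would verify against vendor documentation.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log (not real telemetry). Fields:
# timestamp client method url content-type referrer
SAMPLE_LOG = """\
2023-10-17T09:12:01Z 10.0.0.5 GET https://dl.google.com/chrome/install/ChromeSetup.exe application/octet-stream https://www.google.com/chrome/
2023-10-17T09:14:33Z 10.0.0.7 GET https://cdn.example-blog.test/assets/Chrome_Update.zip application/zip https://example-blog.test/recipes/
2023-10-17T09:15:02Z 10.0.0.7 GET https://cdn.example-blog.test/assets/style.css text/css https://example-blog.test/recipes/
2023-10-17T09:20:45Z 10.0.0.9 GET https://download.mozilla.org/?product=firefox-latest application/octet-stream https://www.mozilla.org/
2023-10-17T09:22:10Z 10.0.0.11 GET https://news-site.test/wp-content/uploads/Firefox-Update-1.2.js application/javascript https://news-site.test/article/
"""

# Hosts from which genuine browser installers are expected. This allowlist is an
# assumption for the example; maintain it from the vendors' own documentation.
VENDOR_DOWNLOAD_HOSTS = (
    "dl.google.com",         # Chrome
    "download.mozilla.org",  # Firefox
    "microsoft.com",         # Edge (any subdomain)
)

# A filename that reads like a browser update/installer ...
LURE_NAME = re.compile(r"(chrome|firefox|edge|browser)[-_ ]*(update|setup|install)", re.I)
# ... with an extension that can execute or unpack to something that executes.
RISKY_EXT = re.compile(r"\.(exe|msi|js|jse|hta|vbs|wsf|zip)$", re.I)


def is_vendor_host(host):
    """True if host is an allowlisted vendor host or one of its subdomains.
    Exact/suffix matching prevents look-alikes such as dl.google.com.evil.test."""
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in VENDOR_DOWNLOAD_HOSTS)


def parse_line(line):
    """Split one space-separated log line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, ctype, referrer = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "ctype": ctype, "referrer": referrer}


def find_fake_update_downloads(log_text):
    """Return downloads that look like browser updates but do not come from a
    vendor host. The referrer is kept because it usually identifies the
    compromised site that displayed the fake notification."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlparse(rec["url"])
        filename = u.path.rsplit("/", 1)[-1]
        if not (LURE_NAME.search(filename) and RISKY_EXT.search(filename)):
            continue                      # not shaped like an update lure
        if is_vendor_host(u.hostname or ""):
            continue                      # genuine vendor download
        findings.append({"ts": rec["ts"], "client": rec["client"],
                         "host": u.hostname, "file": filename,
                         "referrer": rec["referrer"]})
    return findings


if __name__ == "__main__":
    for f in find_fake_update_downloads(SAMPLE_LOG):
        print(f"{f['ts']} {f['client']} fetched {f['file']} from {f['host']} "
              f"(referrer {f['referrer']})")
```

On the sample above the script flags the two downloads from non-vendor hosts (`Chrome_Update.zip` and `Firefox-Update-1.2.js`) and ignores the genuine Chrome and Firefox installer fetches, which is the point: the rule keys on the shape of the lure, so it keeps working when the hosting domain or payload hash rotates.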
Proofpoint recommends other cybersecurity professionals, or concerned amateurs, consult the @monitorsg account on the Infosec Exchange platform, describing it as “a useful public resource for following along with recent details on payloads and infrastructure changes.”