Hackers Spread Malware Through Fake Chrome Updates


According to security researcher Rintaro Koike, hackers have hijacked legitimate web pages to display fake Chrome update messages designed to install malware that can evade antivirus detection, and worse.

Koike, who first observed the campaign in November 2022, explains that it became active in February 2023 and mainly targeted Japanese websites, with some Korean- and Spanish-language sites also hit.

Now that the campaign has moved beyond its Japanese origins, researchers suspect it may continue to spread, adapt, and evolve, and they are warning other Internet users of the potential threat.

Fake Google Chrome update malware

Compromised websites carry injected JavaScript that runs checks to decide whether a visitor is a target. A visitor who passes the checks is shown a page warning of an "update exception". It reads:

"Chrome auto update failed. Please install the update package manually later or wait for the next auto update."

The lack of urgency actually works in the threat actors' favour: a calm message stands out less than typical scams.

The victim then downloads a .zip file disguised as a Chrome update; instead of a legitimate update, it contains a Monero miner that mines cryptocurrency at the expense of the victim's CPU.

According to the research, the miner adds itself to the Windows Defender exclusion list, suspends the Windows Update service, and rewrites the hosts file to interfere with threat detection tools such as antivirus software, helping it remain unnoticed.
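As an added example that is not from the article or the researcher's report, the following PowerShell triage script checks a Windows host for the three evasion behaviours just described: unexpected Defender exclusions, a disabled Windows Update service, and hosts-file entries that sinkhole a hostname. It uses only standard Windows cmdlets and assumes nothing about the miner's file names or paths.

```powershell
# Triage checks for the evasion behaviour described above.
# Added example, not code from the article; run from an elevated PowerShell.

function Get-MinerEvasionFindings {
    $findings = @()

    # 1. Windows Defender exclusions: a miner that excludes its own directory or
    #    process shows up here. Any entry the administrator did not add is suspect.
    $prefs = Get-MpPreference
    foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
        foreach ($entry in @($prefs.$kind)) {
            if ($entry) { $findings += "Defender $kind exclusion: $entry" }
        }
    }

    # 2. Windows Update service (wuauserv). A Stopped service with StartType Manual
    #    is normal (it starts on demand); a Disabled start type is not.
    $wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    if ($null -eq $wu) {
        $findings += 'wuauserv service not found'
    } elseif ($wu.StartType -eq 'Disabled') {
        $findings += "wuauserv disabled (Status=$($wu.Status))"
    }

    # 3. hosts file: an entry that maps a hostname to 127.0.0.1 or 0.0.0.0 blocks
    #    that host, which is how update/telemetry servers of security tools get cut off.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $findings += "hosts last written: $((Get-Item $hostsPath).LastWriteTime)"
    foreach ($line in Get-Content $hostsPath) {
        if ($line -match '^\s*(127\.0\.0\.1|0\.0\.0\.0)\s+(\S+)' -and
            $Matches[2] -notmatch '^localhost$') {
            $findings += "hosts sinkhole entry: $($line.Trim())"
        }
    }

    return $findings
}

Get-MinerEvasionFindings | ForEach-Object { Write-Output $_ }
```

Review every reported exclusion and hosts entry against what the administrator actually configured; the script lists candidates, it does not decide which are malicious.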

The campaign shows no sign of stopping: the code is said to support more than 100 languages, which makes it a potentially significant threat in the future.

Along with proper malware removal, Internet users are advised not to download software from pop-ups; instead, they should go directly to the legitimate vendor's website.

It's also worth noting that Chrome normally updates itself through its built-in updater, so there is no need to download an update package from a website.