FakeUpdateRU Malware Tricks Users To Download A Trojan

The fake browser update messages have been in the news for years now. However, researchers have discovered a variant of the older malware dubbed, FakeUpdateRU, which is now being used on bogus websites to trick users.

This fraudulent browser update scam is pertaining to Google Chrome, which shows on certain websites that are also created or infected by scammers.

This FakeUpdate malware installs a remote access trojan on the user’s systems, often paving the path for ransomware attacks.

The variant FakeUpdateRU noted in a Sucuri blog highlighted previously found campaigns involving fake Chrome updates.

FakeUpdateRU Prompting Chrome Update

The newer variant FakeUpdateRU was found on a multitude of infected websites however was addressed by Google.

Fraudulent web page to dupe users (Photo: Sucuri Blog)

Google blocked most of the domains hosting the fake Chrome update malware preventing the further spread of the FakeUpdateRU malware.

These are the findings around the FakeUpdateRU malware –

  1. The malware overwrites the index.php file to display the theme on the website
  2. The fraudulent browser update scam also works on WordPress websites
  3. The malware replaces the content on a webpage with newer content
  4. The scammers have designed the landing pages to resemble genuine Google pages
  5. The cloned pages were designed by copying from the UK English version of Google’s website

The static resource files created by the developers of the fake browser update scam had Russian suffixes.

Adding to the finding, the Sucuri blog read, “Since the bad actor’s browser had Russian localization, this resulted in the static resource files having Russian suffixes.  E.g. /assets/analytics.js.Без названия, where “Без названия” means “No name”.”

This fake browser update scam could work for other browsers including Firefox and Safari.

To trick users, the genuine Google page content was modified with specific keywords. One example was replacing the word Download with Update.

After a user clicks on the Update option, the malware gets downloaded.

These were the genuine-looking domains used by the scammers to look legitimate –

  1. chromiumengine[.]space
  2. chromiumtxt[.]space
  3. basechromium[.]space
  4. placengine[.]site
  5. browserengine[.]online

The domains were recently registered, within the past two weeks.

Circumventing the Google Block to Continue Duping Users

Alert showing on flagged pages by Google (Photo: Sucuri Blog)

Although Google blocked malicious domains, it has been found that the malware has been reworked by developers.

Researchers added that the malware circumvents the actions taken by Google by directly linking to the drive-by download in the other active websites they have access to.

This hides the Google warning however, makes infecting individual websites a requirement for scammers. More recent versions of FakeUpdateRU malware also have most of the Russian language comments removed from the HTML code of the fake update pages.

Background of the SocGhoslish Malware and Fraudulent Browser Update Scams

The fraudulent browser update scam involves users being shown a message that they are using an older version of Chrome. However, the malware may show altered messages for other browsers as well. It has been used since 2017 and is distributed through dubious websites.

Previously observed fake Chrome update page (Photo: Sucuri Blog)

The previously found malware was named FakeUpdates or SocGhoslish, in 2022. Users were redirected to infected websites from one page which would trick them into installing the malware camouflaged as a browser update.

FakeUpdate or SocGhoslish malware was found on over 61,000 web pages in 2021 and over 25,000 the following year until August.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button