Hackers are exploiting various websites to conduct phishing attacks. These websites redirect users to fake sites prompting a malicious Chrome update.
Fake Chrome Update Distributing Backdoor
Analysts from Dr.Web have found hackers actively targeting users with a malicious Chrome update. This update runs a backdoor on the target device which then facilitates subsequent malware attacks.
According to their report, this phishing campaign is in the wild where the hackers are distributing malware after hacking different websites. They managed to gain admin access to the target websites and embed malicious JavaScript code on the compromised pages.
When a visitor reaches the infected pages, it redirects the user to the phishing website. This site tempts the visitor to download a fake Chrome browser update.
Since the phishing page looks legit, users may click on the download button and unknowingly welcome the backdoor.
Regarding the infection mechanism, briefly, executing the installer creates a folder in the %userappdata% directory containing files for the TeamViewer app. It then extracts two password-protected SFX archives, one of which is a malicious msi.dll library which facilitates in establishing the unauthorized connection to the target device. The second archive includes a script to bypass Microsoft AV detection.
Once the presence is established, hackers may then use the backdoor to deliver payloads such as keyloggers, infostealers, or trojans for remote connection.
Presently, these attacks seem targeted to location and browser. They are specifically targeting users of the Chrome browser in the USA, UK, Canada, Australia, Israel, and Turkey.
Exploitation Of WordPress Sites Continues
As revealed through their study, the hackers have compromised different WordPress CMS-based websites to spread the malware. Though, it is not yet known the method the attackers managed to compromise the different sites.
This study once again sheds light on the vulnerability of WordPress sites to cyber attacks, especially through the exploitation of vulnerable WordPress plugins.
Let us know your thoughts in the comments.