Threat actors have been leveraging phony web browser updates to facilitate the distribution of remote access trojans and information-stealing malware, according to The Hacker News.
Both the BitRAT trojan and the Lumma Stealer malware have been deployed in attacks that start on a malicious website whose JavaScript redirects visitors to a fraudulent browser update page; that page leads to the download of a ZIP archive containing the payloads, a report from eSentire revealed. The same ZIP archive has also been used to establish persistence and deliver the final-stage malware.
Meanwhile, a separate study from ReliaQuest described an updated ClearFake campaign in which a fake browser update executes malicious PowerShell code that installs the LummaC2 malware. Another ReliaQuest report ranked LummaC2 among the leading infostealers last year.
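The two chains above share a defender-visible shape: a browser downloads a ZIP from a page posing as a browser update, and shortly afterwards PowerShell (or a payload extracted from the archive) runs on the same host. The following correlation logic is an added example written for this page, not code from eSentire, ReliaQuest or The Hacker News; the event schema (`type`, `image`, `url`, `path`, `cmdline`) is hypothetical, and the hostnames, URLs and paths in the sample telemetry are constructed placeholders, not indicators from either report.

```python
"""Correlate fake-browser-update lures with follow-on PowerShell activity.

Hypothetical telemetry schema: each event is a dict with 'ts' (ISO 8601),
'host', 'type' ('download' or 'process'), 'image' (process name) and either
'url'/'path' (downloads) or 'parent'/'cmdline' (process starts).
"""
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Words that fake-update lure pages and file names tend to carry (heuristic, tune per environment).
LURE_WORDS = ("update", "upgrade", "install")
WINDOW = timedelta(minutes=10)  # how long after the download a PowerShell start is still correlated

# Constructed sample telemetry; every host, URL and path here is a placeholder.
SAMPLE_EVENTS = [
    # ws01: browser fetches a "browser update" ZIP, then PowerShell runs a script from the extracted folder.
    {"ts": "2024-03-04T10:00:05", "host": "ws01", "type": "download", "image": "chrome.exe",
     "url": "https://example-update.invalid/browser-update/ChromeUpdate.zip",
     "path": r"C:\Users\a\Downloads\ChromeUpdate.zip"},
    {"ts": "2024-03-04T10:01:30", "host": "ws01", "type": "process", "image": "powershell.exe",
     "parent": "explorer.exe",
     "cmdline": r"powershell.exe -File C:\Users\a\Downloads\ChromeUpdate\setup.ps1"},
    # ws02: ordinary ZIP download and unrelated PowerShell use; should not alert.
    {"ts": "2024-03-04T11:00:00", "host": "ws02", "type": "download", "image": "msedge.exe",
     "url": "https://files.example.invalid/report-q1.zip",
     "path": r"C:\Users\b\Downloads\report-q1.zip"},
    {"ts": "2024-03-04T11:02:00", "host": "ws02", "type": "process", "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell.exe Get-Date"},
    # ws03: lure-style download, but PowerShell only hours later; outside the window, no alert.
    {"ts": "2024-03-04T12:00:00", "host": "ws03", "type": "download", "image": "firefox.exe",
     "url": "https://cdn.example.invalid/update/FirefoxUpdate.zip",
     "path": r"C:\Users\c\Downloads\FirefoxUpdate.zip"},
    {"ts": "2024-03-04T14:30:00", "host": "ws03", "type": "process", "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell.exe Get-Process"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def is_lure_download(ev):
    """A browser saving a ZIP whose host or path reads like a software-update page."""
    if ev["type"] != "download" or ev["image"].lower() not in BROWSERS:
        return False
    if not ev["path"].lower().endswith(".zip"):
        return False
    parts = urlparse(ev["url"])
    text = (parts.netloc + parts.path).lower()
    return any(word in text for word in LURE_WORDS)


def detect(events, window=WINDOW):
    """Return one alert per lure download that is followed by PowerShell on the same host."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if not is_lure_download(ev):
            continue
        t0 = parse_ts(ev["ts"])
        archive_stem = PureWindowsPath(ev["path"]).stem.lower()  # e.g. 'chromeupdate'
        for later in events[i + 1:]:
            if parse_ts(later["ts"]) - t0 > window:
                break  # events are time-ordered, nothing further can correlate
            if later["host"] != ev["host"] or later["type"] != "process":
                continue
            if later["image"].lower() != "powershell.exe":
                continue
            # PowerShell touching the extracted archive name is the stronger signal.
            references_archive = archive_stem in later["cmdline"].lower()
            alerts.append({
                "host": ev["host"],
                "lure_url": ev["url"],
                "archive": ev["path"],
                "powershell_cmd": later["cmdline"],
                "severity": "high" if references_archive else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only `ws01` produces an alert, rated high because the PowerShell command line names the extracted archive; `ws02` never qualifies as a lure and `ws03` falls outside the ten-minute window. The lure-word heuristic and window are starting points to tune on real browser-download and process telemetry, and the same correlation can be extended to non-PowerShell executables launched from the extracted folder to cover the eSentire chain where the archive itself carries the payloads.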
"LummaC2's rising popularity among adversaries is likely due to its high success rate, which refers to its effectiveness in successfully infiltrating systems and exfiltrating sensitive data without detection," said ReliaQuest.