Malware delivered via a compromised website to Chrome browsers can bypass User Account Control to infect systems & steal sensitive data, such as credentials & cryptocurrency.
Crooks behind a newly identified malware campaign are targeting Windows 10 with malware that can infect systems via a technique that cleverly bypasses Windows cybersecurity protections called User Account Control (UAC).
Researchers from Rapid7 recently identified the campaign & warn that the goal of the attackers is to exfiltrate sensitive data & steal cryptocurrency from the targeted, infected PC.
Windows Environment Variable
Andrew Iwamaye, Rapid7 Research Analyst, stated that the malware maintains persistence on PC “by abusing a Windows environment variable & a native scheduled task to ensure it persistently executes with elevated privileges.”
In a blog post published Thursday, Iwamaye wrote that the attack chain is initiated when a Chrome browser user visits a malicious website & a “browser ad service” prompts the user to take an action. Inquiries as to what the researcher means by a “browser ad service” have not so far been returned.
Target: Credentials & Cryptocurrency
The final aim of the attackers is to use the info-stealer malware to grab data such as browser credentials & cryptocurrency. Additional malicious behaviour includes preventing the browser from updating & creating system conditions ripe for arbitrary command execution, Iwamaye wrote.
Attackers are using a compromised website specially crafted to exploit a version of the Chrome browser (running on Windows 10) to deliver the malicious payload, researchers found. Investigations into infected users’ Chrome browser history file showed redirects to a number of suspicious domains & other unusual redirect chains before initial infection, Iwamaye wrote.
Suspicious Domain
“In the 1st investigation, the user’s Chrome profile revealed that the site permission settings for a suspicious domain, birchlerarroyo[.]com, were altered just prior to the redirects,” he wrote. “Specifically, the user granted permission to the site hosted at birchlerarroyo[.]com to send notifications to the user.”
Upon further analysis, researchers found that birchlerarroyo[.]com presented a browser notification requesting permission to show notifications to the user. This, as well as a reference to a suspicious JavaScript file in its source code, led the Rapid7 team to suspect that the site had been compromised, Iwamaye explained.
It is unclear from the research why or how a user would be coaxed into permitting the site to send notifications via the Chrome browser. However, once notifications were permitted, the browser user was alerted that their Chrome web browser needed to be updated. They were then forwarded to a “convincing Chrome-update-themed webpage.”
Malicious Windows App
The malicious Chrome browser update linked to a Windows application package in MSIX format. The file name of the MSIX is “oelgfertgokejrgre.msix” & it was hosted at the domain chromesupdate[.]com. Rapid7 researchers confirmed the file was a Windows application package.
The fact the malicious payload was a Windows application file is significant for several reasons.
Several Tricks
“The malware we summarised in this blog post has several tricks. Its delivery mechanism via an ad service as a Windows application (which does not leave typical web-based download forensic artifacts behind), Windows application installation path, and UAC bypass technique by manipulation of an environment variable and native scheduled task can go undetected by various security solutions or even by a seasoned SOC analyst,” Iwamaye wrote.
The researcher further explained:
“Since the malicious Windows application package installed by the MSIX file was not hosted on the Microsoft Store, a prompt is presented to enable installation of sideload applications, if not already enabled, to allow for installation of applications from unofficial sources.”
The Exploitation Begins
If the malicious Chrome update is executed, the machine is infected & the attack begins.
The 1st stage of the attack involves a PowerShell command spawned by an executable named HoxLuSfo.exe, which itself was spawned by sihost.exe, a background process that launches & maintains the Windows action & notification centres.
The command’s purpose was to perform a Disk Clean-up Utility UAC bypass, which is possible because of “a vulnerability in some versions of Windows 10 that allows a native scheduled task to execute arbitrary code by modifying the content of an environment variable,” Iwamaye wrote.
Silent Cleanup
Specifically, the PowerShell command exploited the use of the environment variable %windir% in the path specified in the “Silent Cleanup” scheduled task by altering the value set for the variable. The command deleted the existing %windir% environment variable & replaced it with a new one set to: %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM.
This in effect configured the scheduled task “Silent Cleanup” to execute the following command whenever the task was triggered: %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM\system32\cleanmgr.exe /autoclean /d %systemdrive%.
This process allows the PowerShell Command to hijack the “SilentCleanup” scheduled task to run desired executables—in this case, HoxLuSfo.exe & st.exe, the latter with elevated privileges, Iwamaye wrote.
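As a defender's check for the two conditions this bypass depends on, here is an added PowerShell audit script that is not from the Rapid7 post: it looks for a user-scope override of %windir% and resolves the SilentCleanup task's action the way it would resolve for the logged-on user, so the hijacked command becomes visible before the task fires. It assumes the stock task path \Microsoft\Windows\DiskCleanup\ and the ScheduledTasks module that ships with Windows 10.

```powershell
# Added audit script (not from the Rapid7 post). Reports whether the SilentCleanup
# task would start something other than the real cleanmgr.exe for the current user.

function Expand-TaskVariable {
    param([string]$Command)
    # Resolve %VAR% the way the task resolves it for the logged-on user: a
    # user-scope value (HKCU\Environment) wins over the machine-scope value
    # (HKLM\...\Session Manager\Environment). That precedence is the bypass.
    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $name = $m.Groups[1].Value
        foreach ($scope in 'User', 'Machine', 'Process') {
            $v = [Environment]::GetEnvironmentVariable($name, $scope)
            if ($v) { return $v }
        }
        return $m.Value   # unknown variable: leave it as written
    }
    return [regex]::Replace($Command, '%(\w+)%', $evaluator)
}

# 1. A user-scope copy of %windir% should never exist; its presence is the
#    artifact this campaign leaves behind.
$machineWindir = [Environment]::GetEnvironmentVariable('windir', 'Machine')
$userWindir    = [Environment]::GetEnvironmentVariable('windir', 'User')
if ($userWindir) {
    Write-Warning "User-scope %windir% override found: '$userWindir' (machine value: '$machineWindir')"
} else {
    Write-Output 'No user-scope %windir% override present.'
}

# 2. Resolve the task action and compare it with the expected cleanmgr.exe path.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' -TaskName 'SilentCleanup' -ErrorAction SilentlyContinue
if (-not $task) { Write-Output 'SilentCleanup task not found.'; return }

$expectedPrefix = Join-Path $machineWindir 'system32\cleanmgr.exe'
foreach ($action in $task.Actions) {
    $raw      = ("$($action.Execute) $($action.Arguments)").Trim()
    $resolved = Expand-TaskVariable $raw
    Write-Output "Action as stored : $raw"
    Write-Output "Action as it runs: $resolved"
    if (-not $resolved.StartsWith($expectedPrefix, [StringComparison]::OrdinalIgnoreCase)) {
        Write-Warning 'SilentCleanup no longer starts the real cleanmgr.exe; treat the task as hijacked.'
    }
}
# RunLevel 'Highest' is why a hijacked action gets full privileges without a UAC prompt.
Write-Output "Task RunLevel: $($task.Principal.RunLevel)"
```

On a clean host the resolved action begins with C:\Windows\system32\cleanmgr.exe and no user-scope %windir% is reported; the override described above would instead resolve to the st.exe path and raise both warnings.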
Payload Operations
Researchers could not retrieve the payload files from the sample they analysed because the files were no longer present when they investigated. Instead, they used samples from VirusTotal to investigate.
What they found was that HoxLuSfo.exe is a 32-bit Microsoft Visual Studio .NET executable containing obfuscated code that can modify the hosts file on the infected asset so that common browser update URLs no longer resolve correctly, thereby preventing browser updates, Iwamaye wrote.
Steal Cryptocurrency
The payload also lists installed browsers & steals credentials from installed browsers; kills processes named Google, MicrosoftEdge & setu; & includes functionality to steal cryptocurrency as well as to execute arbitrary commands on the infected asset, he wrote.
Researchers provide both a detailed forensic analysis of the campaign as well as a comprehensive list of indicators of compromise in the post to help users prevent & mitigate attacks.