The current landscape of fake browser updates
Proofpoint is currently tracking four different threat clusters that use fake browser updates to spread malware. The fake updates are delivered through compromised websites and impersonate updates for browsers such as Google Chrome, Firefox or Edge. When a user clicks on the link, they do not download a legitimate browser update but malware.
According to the study, TA569 has been using fake browser updates to deliver SocGholish malware for more than five years, and in recent years other cybercriminals have been copying this pattern. Each threat cluster combines social engineering with its own methods for delivering the lure and payload. The use of fake browser updates is unique because it exploits the trust users place in their browsers and in the websites they frequent.
The distraction and efficiency of fake browser updates
The current landscape includes four different threat clusters that use unique campaigns for fake browser updates. Each campaign proceeds in three distinct phases:
- Phase 1: the malicious activity on a legitimate but compromised website
- Phase 2: the traffic to and from the cybercriminals' domain. This is where the cybercriminals perform much of the filtering work and distribute the lure and the malicious payload.
- Phase 3: the execution of the malicious payload on the user's system.
SocGholish is the main threat people think of when talking about fake browser update lures. This threat has been well documented over the years. Proofpoint attributes SocGholish campaigns to the threat actor TA569 and observes that TA569 acts as a distributor for other threat actors. SocGholish currently uses three different methods to direct traffic from the websites compromised in phase one to shadowed domains under the cybercriminals' control in phase two.
The different infiltration points make it difficult for defenders to pinpoint their location and to reproduce the traffic through the various stages of filtering.
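The three phases above can be reconstructed from web proxy logs by correlating, per client, a cross-site hop onto an unfamiliar domain with a payload-like download that follows it. The script below is an added example, not Proofpoint's code; its log records, domains and the allowlist of legitimate update hosts are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample proxy records (not real traffic):
# (client_ip, seconds, host, path, referer_host, content_type)
SAMPLE_RECORDS = [
    ("10.0.0.5", 0,  "news.example.org",     "/post/42",          "",                     "text/html"),
    ("10.0.0.5", 3,  "assets.example.net",   "/update/check.php", "news.example.org",     "text/html"),
    ("10.0.0.5", 11, "assets.example.net",   "/Update.js",        "assets.example.net",   "application/javascript"),
    ("10.0.0.7", 0,  "intranet.example.com", "/",                 "",                     "text/html"),
    ("10.0.0.7", 6,  "dl.google.com",        "/chrome/setup.exe", "intranet.example.com", "application/x-msdownload"),
]

# Content types typical of a dropped "update" payload (script, archive, executable).
PAYLOAD_TYPES = {"application/javascript", "application/zip", "application/x-msdownload"}
# Assumed allowlist of hosts that legitimately serve browser updates.
KNOWN_UPDATE_HOSTS = {"dl.google.com", "download.mozilla.org"}


def find_update_chains(records, window=120):
    """Return (client, phase1_host, phase2_host, payload_host, payload_path) per chain found."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[0]].append(rec)
    chains = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r[1])
        visited = set()  # hosts this client requested directly (phase 1 evidence)
        for i, (_, t2, host_b, _, ref_a, _) in enumerate(recs):
            # Phase 2: a cross-site hop from a site the client actually visited
            # onto a host that is not a legitimate update source.
            is_hop = bool(ref_a) and ref_a != host_b and ref_a in visited \
                and host_b not in KNOWN_UPDATE_HOSTS
            visited.add(host_b)
            if not is_hop:
                continue
            # Phase 3: a payload-like download referred by the phase-2 host within the window.
            for _, t3, host_c, path_c, ref_c, ctype in recs[i + 1:]:
                if t3 - t2 > window:
                    break
                if ref_c == host_b and ctype in PAYLOAD_TYPES and host_c not in KNOWN_UPDATE_HOSTS:
                    chains.append((client, ref_a, host_b, host_c, path_c))
                    break
    return chains


if __name__ == "__main__":
    for chain in find_update_chains(SAMPLE_RECORDS):
        print("suspected fake-update chain:", chain)
```

Only the first client produces a chain; the second client's download comes from an allowlisted update host and is ignored.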
Figure 1. SocGholish fake update mimicking a Chrome update.
The second fake browser update cluster, identified by Proofpoint in May 2023, is RogueRaticate, also known as FakeSG. External researchers consider it a copy of the established and extensive SocGholish campaigns. The activity was first observed in November 2022. Proofpoint does not attribute RogueRaticate activity to a threat actor and clearly distinguishes it from SocGholish campaigns.
Figure 2. Example of a RogueRaticate fake update spoofing a Chrome update.
Proofpoint identified a new cluster of fake browser update campaigns in June 2023 that delivers NetSupport RAT. Trellix first reported the activity in August 2023; in Proofpoint's documentation it is named ZPHP or SmartApeSG. Proofpoint does not currently attribute ZPHP activity to a threat actor with a TA number.
Figure 3. Example of ZPHP spoofing that mimics a Chrome update.
In August 2023, outside researchers published details about the ClearFake fake browser update. Proofpoint subsequently identified consistent campaigns from this cluster and observed a series of changes over the period it was monitored. Proofpoint observed that ClearFake displays fake browser updates in the language matching the browser's configured language, including French, German, Portuguese and Spanish. Proofpoint has not attributed ClearFake's activity to any threat actor with a TA reference.
Figure 4. Example of ClearFake spoofing that mimics a Chrome update.
Proofpoint observed an increase in fake browser update activity aimed at spreading malware payloads. SocGholish and TA569 showed that compromising vulnerable websites to display fake browser updates is an efficient way to spread malware. Other cybercriminals have learned from TA569 and are using this lure in their own way. These copycats currently deliver information stealers and RATs, but could just as easily switch to acting as an intermediary that provides initial access for ransomware.