Researchers warn of increased malware delivery via fake browser updates

ClearFake, a recently documented threat leveraging compromised WordPress sites to push malicious fake browser updates, is likely operated by the threat group behind the SocGholish “malware delivery via fake browser updates” campaigns, Sekoia researchers have concluded.

About ClearFake

ClearFake is the name given by researcher Randy McEoin to a malware delivery campaign he outlined in August 2023. “The name is a reference to the majority of the Javascript being used without obfuscation,” he explained.

The threat actor behind ClearFake compromises WordPress sites and injects JavaScript into them that downloads another JavaScript payload from an attacker-owned domain or, since September 28, from the result value of a requested smart contract from the Binance Smart Chain.

Subsequently downloaded payloads create an iframe element to host the fake update interface (which hides the underlying page), download that interface, and the fake update content and HTML page.

The visitor to the compromised site is ultimately shown a fake update page for Chrome, Edge and Firefox, claiming they must update their browser to view the content of the page.

ClearFake fake update page for Chrome (Source: Sekoia)

According to Proofpoint researchers, the fake update pages are served in different languages (English, French, German, Spanish, and Portuguese), depending on the users’ browser’s set language.

Users who fall for the trick and initiate the download (from Dropbox), will get a legitimate browser installer but also malware such as the modular HijackLoader or the similar IDAT loader.

Other players pushing fake updates

“[HijackLoader] implements several evasion techniques, including code injection, use of syscalls, Windows API hashing and Heaven’s gate. In recent months, HijackLoader delivered numerous commodity malware, including Danabot, Lumma, Raccoon, Redline, Remcos, SystemBC and Vidar,” Sekoia researchers shared.

“By linking the ‘fake updates’ lure to the watering hole technique, ClearFake operators target a wide range of users and conduct effective, scalable malware distribution campaigns.”

While Proofpoint does not attribute the ClearFake activity to a known actor, Sekoia researchers believe it might be the same one that’s behind SocGholish: “The tactics, techniques and procedures leveraged by the ClearFake operators overlap with those of SocGholish ones (tracked as TA569), in particular the use of watering holes, ‘fake updates’ lures, Keitaro traffic distribution system, Dropbox file hosting service and the masquerading of filename with cyrillic characters.

Whether or not that’s true, there are other potential players running the same “fake updates” angle. Proofpoint has also summarized the activities related to RogueRaticate/FakeSG and ZPHP/SmartApeSG campaigns.

“SocGholish and TA569 have demonstrated that compromising vulnerable websites to display fake browser updates works as a viable method for malware delivery, and new actors have learned from TA569 and started to adopt the lure in their own ways. These copycats may be using information stealers and RATs currently, but could easily pivot to being an initial access broker for ransomware,” they say.

To protect their organization, security teams must rely on user education, edpoint protection, and network detections.

“The infosec.exchange account @monitorsg is a useful public resource for following along with recent details on payloads and infrastructure changes. The Emerging Threats Ruleset has domain rules available for most of the current threats and is regularly updating and publishing new rules to block all fake browser update campaigns,” they shared.