Proofpoint is currently tracking four distinct threat clusters that use fake browser updates to distribute malware. Fake browser updates refer to compromised websites that display what appears to be a notification from the browser developer, such as Chrome, Firefox, or Edge, informing the visitor that their browser software needs to be updated. When a user clicks on the link, they do not download a legitimate browser update but rather harmful malware.
Based on the research, TA569 has used fake browser updates for over five years to deliver SocGholish malware, but recently other threat actors have been copying the lure theme. Each threat actor uses their own methods to deliver the lure and payload, but the theme takes advantage of the same social engineering tactics. The use of fake browser updates is unique because it abuses the trust end users place in both their browser and the known sites that they visit.
Threat actors that control the fake browser updates use JavaScript or HTML injected code that directs traffic to a domain they control, which can potentially overwrite the webpage with a browser update lure specific to the web browser that the potential victim uses. A malicious payload will then automatically download, or the user will receive a prompt to download a “browser update,” which will deliver the payload.
Fake browser update lure and effectiveness
The fake browser update lures are effective because threat actors are using an end user’s security training against them. In security awareness training, users are told to only accept updates or click on links from known and trusted sites or individuals, and to verify that sites are legitimate. The fake browser updates abuse this training because they compromise trusted sites and use JavaScript requests to quietly make checks in the background and overwrite the existing website with a browser update lure. To an end user, it still appears to be the same website they were intending to visit, and it is now asking them to update their browser.
Campaigns
The current landscape includes four different threat clusters using unique campaigns to deliver fake browser update lures. Each campaign consists of three distinct stages.
“Stage 1” is a malicious injection on a legitimate, but compromised, website.
“Stage 2” refers to the traffic to and from the actor-controlled domain that does most of the filtering and hosts the lure and malicious payload.
“Stage 3” is the execution of the payload on a host after download.
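As an added illustration (not Proofpoint’s code or tooling), the following Python correlates the three stages described above over constructed web proxy log lines: a page load from a trusted site (stage 1), a script fetched from a host outside an assumed allow-list of first-party and known CDN hosts (stage 2), and a download from that same host whose name looks like a browser update (the stage 3 payload). The log format, hostnames and the allow-list are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log lines (not real traffic): "timestamp user url content_type"
SAMPLE_LOGS = """\
2023-10-01T10:00:00 alice https://trusted-news.example/article text/html
2023-10-01T10:00:01 alice https://cdn.static.example/lib.js application/javascript
2023-10-01T10:00:02 alice https://stage2.example-shadow.test/check.js application/javascript
2023-10-01T10:00:04 alice https://stage2.example-shadow.test/Chrome.Update.zip application/zip
2023-10-01T11:00:00 bob https://trusted-news.example/article text/html
2023-10-01T11:00:01 bob https://cdn.static.example/lib.js application/javascript
"""

# File names that mimic a browser update (Chrome.Update.zip, firefox-update.js, ...).
UPDATE_LURE = re.compile(r"(chrome|firefox|edge|browser)[._-]?update", re.I)
# Assumed allow-list of script hosts the monitored site legitimately loads from.
KNOWN_SCRIPT_HOSTS = {"trusted-news.example", "cdn.static.example"}

def parse_logs(text):
    """Parse the constructed log format into (timestamp, user, url, content_type) rows."""
    rows = []
    for line in text.splitlines():
        ts, user, url, ctype = line.split()
        rows.append((datetime.fromisoformat(ts), user, url, ctype))
    return rows

def find_fake_update_chains(rows, window=timedelta(seconds=30)):
    """Return (user, stage1_page, stage2_host, payload_url) for every session in which a
    page load is followed, within `window`, by a script from an unknown host and then
    an update-named download from that same host."""
    findings = []
    by_user = defaultdict(list)
    for row in rows:
        by_user[row[1]].append(row)
    for user, events in by_user.items():
        events.sort()
        for i, (t0, _, page, ctype) in enumerate(events):
            if ctype != "text/html":
                continue
            stage2 = None
            for t1, _, url, c in events[i + 1:]:
                if t1 - t0 > window:
                    break
                host = urlparse(url).hostname
                if c == "application/javascript" and host not in KNOWN_SCRIPT_HOSTS:
                    stage2 = host  # candidate actor-controlled domain
                elif stage2 and host == stage2 and UPDATE_LURE.search(urlparse(url).path):
                    findings.append((user, page, stage2, url))
                    break
    return findings
```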
SocGholish
SocGholish is the primary threat that people think of when talking about a fake browser update lure and it has been well documented over the years. Proofpoint typically attributes SocGholish campaigns to a threat actor known as TA569. Proofpoint has observed TA569 act as a distributor for other threat actors.
Currently, TA569 is using three different methods to direct traffic from the stage 1 compromised websites to their actor-controlled stage 2 shadowed domains.
The variety of injections make it difficult for defenders to both identify the location of the malicious injection and reproduce the traffic due to the various stages of filtering.
RogueRaticate/FakeSG
The second fake browser update, identified by Proofpoint researchers in May 2023, is RogueRaticate or FakeSG. Third-party researchers dubbed it a copy of the existing and high-volume SocGholish campaigns. The activity may have started in the wild as early as November 2022. Proofpoint does not attribute the RogueRaticate activity to a tracked threat actor at this time, and it has consistently been distinguished from SocGholish campaigns.
ZPHP/SmartApeSG
Proofpoint first identified another new cluster of fake update campaigns leading to NetSupport RAT in June 2023. The activity was first publicly reported by Trellix in August 2023. This activity has been referred to as ZPHP by Proofpoint or SmartApeSG in public documentation.
Proofpoint does not currently attribute the ZPHP activity to an actor with a TA number designation.
ClearFake
In August 2023, third-party researchers published details on a fake browser update threat activity known as ClearFake. Proofpoint subsequently identified consistent campaigns related to this cluster and observed a series of changes in the short time it has been monitoring it. Proofpoint has observed ClearFake display the fake update lures in certain languages to match the browser’s set language, including French, German, Spanish, and Portuguese. Proofpoint does not attribute the ClearFake activity to an actor with a TA number designation.
Conclusion
Proofpoint has observed an increase in threat activity using fake browser updates to deliver a variety of malware payloads. SocGholish and TA569 have demonstrated that compromising vulnerable websites to display fake browser updates works as a viable method for malware delivery, and new actors have learned from TA569 and started to adopt the lure in their own ways. These copycats may be using information stealers and RATs currently, but could easily pivot to acting as an initial access broker for ransomware.