Chrome Users Beware: Zero Day Exploit Detected, Hackers Distributing Malware via Fake Updates
Google Chrome, the world’s most popular web browser, has been hit by another zero-day exploit. Google has discovered a new type confusion vulnerability (CVE-2023-2033) in its V8 JavaScript engine that gives an attacker unintended access to the browser’s memory. Exploited successfully, it can allow hackers to take over the victim’s device and steal sensitive information.
How to Update Your Browser
To mitigate this threat, Google has released a patch that fixes the vulnerability, but the fix only protects a device once the browser has actually been updated, so users are strongly advised to update Chrome to the latest version immediately. The process is simple: open the overflow (three-dot) menu and select ‘Help’ > ‘About Google Chrome.’ The browser will automatically check for updates and install any that are available.
Google’s Bug Bounty Program
This latest zero-day exploit is the first to be discovered in Google Chrome in 2023. Last year, the browser was hit by 15 zero-day exploits; in 2022, there were nine. In March 2022, Google warned its users to expect an increase in zero-day attacks, and the prediction has come true.
Google does, however, run a robust vulnerability-reporting program and pays high bounties, which gives security researchers an incentive to report their discoveries to Google rather than sell them to hackers. In 2022, Google paid over $12M in bug bounties, including a single record bounty of $605,000 for one critical exploit.
Malware Distribution Campaign Targeting Chrome Users
Unfortunately, some hackers are also preying on Chrome users by compromising websites and injecting malicious JavaScript that displays fake Google Chrome automatic-update errors and distributes malware to visitors. The campaign has been active since November 2022 and, after February 2023, expanded its targeting to cover Japanese, Korean, and Spanish speakers.
The campaign has compromised a wide range of websites, including adult sites, blogs, news sites, and online stores. When a user visits a compromised site, the injected JavaScript runs and downloads additional scripts only if the visitor matches the intended target profile. The malicious scripts are delivered through the Pinata IPFS service, which also hides the origin server hosting the files and makes them difficult to block or take down.
If a targeted visitor browses the site, the scripts display a fake Google Chrome error message that prompts the user to download and install a ZIP file called ‘release.zip.’ The ZIP file actually contains a Monero miner that uses the device’s CPU to mine cryptocurrency for the hackers. On launch, the malware copies itself to C:\Program Files\Google\Chrome as “updater.exe” and uses the “Bring Your Own Vulnerable Driver” (BYOVD) technique, exploiting a vulnerability in the legitimate WinRing0x64.sys driver to gain SYSTEM privileges on the device.
The miner persists by adding scheduled tasks and making Registry modifications, and it rewrites the IP addresses of security-product servers in the HOSTS file so that those products can no longer reach them. After completing these steps, the miner connects to xmr.2miners[.]com to mine Monero (XMR), a hard-to-trace cryptocurrency.
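The three host-side behaviours just described (HOSTS-file tampering against security-product servers, the copy of the miner as updater.exe in the Chrome directory launched from a scheduled task, and the connection to xmr.2miners[.]com) each leave artefacts a defender can check for. The Python below is an added example written for this article, not code from NTT, Google or any of the article's sources; the security-vendor hostnames in the watchlist and all of the sample HOSTS, scheduled-task and DNS-log input are constructed, and the checks assume the artefacts have already been collected from the host (on Windows the HOSTS file lives at C:\Windows\System32\drivers\etc\hosts).

```python
"""Host-based triage for the fake-Chrome-update miner indicators above:
HOSTS-file tampering aimed at security-product servers, the miner's copy of
itself in the Chrome install directory launched from a scheduled task, and
DNS lookups for the xmr.2miners[.]com pool. All sample input is constructed."""
import ipaddress
import re

# Indicators taken from the article (pool domain re-fanged so it can be matched).
MINER_POOL_DOMAIN = "xmr.2miners.com"
DROPPED_UPDATER_PATH = r"c:\program files\google\chrome\updater.exe"

# Hypothetical watchlist: the article does not say which security vendors the
# miner blocks, so a real deployment would substitute the update and telemetry
# hostnames of the products actually installed on the host.
SECURITY_HOSTS_WATCHLIST = {
    "update.example-av.test",
    "telemetry.example-edr.test",
}


def parse_hosts(text):
    """Parse HOSTS-file text into (line_no, ip, hostname) triples.

    Blank lines and '#' comments are skipped, and a line that maps one address
    to several hostnames produces one triple per hostname.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # first field is not an address: malformed, not an entry
        for host in parts[1:]:
            entries.append((line_no, ip, host.lower()))
    return entries


def find_hosts_hijacks(text, watchlist=SECURITY_HOSTS_WATCHLIST):
    """Return HOSTS entries that pin a watchlisted security hostname to any
    address. A clean HOSTS file has no reason to carry such entries, so every
    hit is suspicious whether it points at 0.0.0.0, loopback or a remote IP."""
    watch = {h.lower() for h in watchlist}
    return [entry for entry in parse_hosts(text) if entry[2] in watch]


def find_dropped_updater(task_actions):
    """Return scheduled-task actions that launch the miner's copy of itself
    from the Chrome install directory (case-insensitive, quotes ignored)."""
    return [a for a in task_actions
            if DROPPED_UPDATER_PATH in a.replace('"', "").lower()]


def find_pool_lookups(dns_log_lines):
    """Return DNS log lines naming the Monero pool domain or a subdomain of it.
    The lookarounds stop the match inside longer labels, so 'xmr.2miners.community'
    (a constructed decoy) does not count, while 'name=xmr.2miners.com' does."""
    pattern = re.compile(r"(?<![\w-])" + re.escape(MINER_POOL_DOMAIN) + r"(?![\w-])",
                         re.IGNORECASE)
    return [line for line in dns_log_lines if pattern.search(line)]


def triage(hosts_text, task_actions, dns_log_lines):
    """Run all three checks and return their findings keyed by check name."""
    return {
        "hosts_hijacks": find_hosts_hijacks(hosts_text),
        "dropped_updater": find_dropped_updater(task_actions),
        "pool_lookups": find_pool_lookups(dns_log_lines),
    }


# --- Constructed sample input (not from a real incident) ---------------------
SAMPLE_HOSTS = """# constructed HOSTS file: the two watchlisted lines imitate the tampering
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test
127.0.0.1       telemetry.example-edr.test   # sinkholed to loopback
"""

SAMPLE_TASK_ACTIONS = [
    r"C:\Windows\System32\cmd.exe /c echo constructed benign task",
    r'"C:\Program Files\Google\Chrome\updater.exe"',
]

SAMPLE_DNS_LOG = [
    "2023-04-20T10:01:02Z client=10.0.0.5 qtype=A name=www.example.com",
    "2023-04-20T10:01:09Z client=10.0.0.5 qtype=A name=xmr.2miners.com",
    "2023-04-20T10:01:11Z client=10.0.0.5 qtype=A name=xmr.2miners.community",
]

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_HOSTS, SAMPLE_TASK_ACTIONS, SAMPLE_DNS_LOG).items():
        print(f"{check}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On a live host you would feed the functions the real HOSTS contents, the actions exported from Task Scheduler, and the resolver's query log. Matching on exact indicators like these is brittle against a renamed file or a different pool, so treat a hit as the starting point for triage rather than proof of compromise, and treat the HOSTS check as the most durable of the three, since any security hostname pinned in that file is abnormal regardless of which malware put it there.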
NTT warns that the addition of more languages may indicate that the hackers plan to expand their targeting further, increasing the campaign’s impact. Users should never install security updates offered by third-party sites; updates should come only from the software’s developer or through the automatic update mechanism built into the program.
In conclusion, Google Chrome users should update their browsers immediately to avoid falling victim to this latest zero-day exploit, and should stay vigilant for fake update notifications while browsing the internet. Taking these steps protects devices and personal information from malicious hackers.
Sources: forbes.com, googleblog.com, nvd.nist.gov, bleepingcomputer.com