Beware of pop-up browser updates
Researchers at FireEye have recently unearthed a particularly nasty new campaign that is both multi-faceted and dangerous. These hacked websites display a seemingly innocuous pop-up message informing the site visitor that they need a browser update. It will provide a one-touch solution to the non-existen21t problem via a button. The button promises to download the latest version of the browser in question.
The server then responds to the findings reported by the initial script by uploading the initial payload. Results vary based on the details gleaned, but generally includes some banking trojan malware and a backdoor such as Dridex, NetSupport Manager RAT, or similar. If the initial scan reveals that the target computer is part of a corporate network, an additional payload injected onto the target machine. Still, we'll get to that in a moment.
The first part of the payload will busily ferret out login credentials and other sensitive information, exfiltrating any files of value back to the command and control server.
When this operation is complete, and the computer is part of a corporate network, the second stage will occur. Typically, using BitPaymer or DoppelPaymer. The ransomware spreads through the network as far as it is able, encrypting files network-wide.
These two ransomware strains are known for their hefty ransom demands; hundreds of thousands or even millions of dollars.
An Effective Multi-Stage Approach
It not only allows the hackers to squeeze a wide range of sensitive data from infected systems but then, locks them down hard and demands a hefty payment. Be sure your staff is aware of the browser update scam. This one's about as dangerous as they come.