Hackers behind a newly discovered malware campaign are targeting Windows 10 with malware that can bypass a Windows security control called User Account Control (UAC).
Cybersecurity researchers from Rapid7 identified the malware campaign and warned that its goal is to exfiltrate sensitive data and steal cryptocurrency from infected PCs.
Andrew Iwamaye, Rapid7 research analyst, said that the malware maintains persistence on the PC “by abusing a Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privileges.”
Iwamaye wrote in a blog post published Thursday that the attack chain is initiated when a Chrome browser user visits a malicious website and a “browser ad service” prompts the user to take an action. Inquiries as to what the researcher is identifying as a “browser ad service” had not been returned as of this writing.
The hackers’ ultimate goal is to use the malware to steal data such as browser credentials and cryptocurrency. Additional malicious behavior includes preventing the browser from updating and creating system conditions ripe for arbitrary command execution, Iwamaye wrote.
Attackers are using a compromised website specially crafted to exploit a version of the Chrome browser (running on Windows 10) to deliver the malicious payload, researchers found. Investigations into infected users’ Chrome browser history files showed redirects to a number of suspicious domains and other unusual redirect chains before initial infection, Iwamaye wrote.
“In the first investigation, the user’s Chrome profile revealed that the site permission settings for a suspicious domain, birchlerarroyo[.]com, were altered just prior to the redirects,” he wrote. “Specifically, the user granted permission to the site hosted at birchlerarroyo[.]com to send notifications to the user.”
“The malware we summarized in this blog post has several tricks up its sleeve. Its delivery mechanism via an ad service as a Windows application (which does not leave typical web-based download forensic artifacts behind), Windows application installation path, and UAC bypass technique by manipulation of an environment variable and native scheduled task can go undetected by various security solutions or even by a seasoned SOC analyst,” Iwamaye wrote.
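The persistence trick is described only in outline above (an environment variable plus a native scheduled task that runs elevated), so a defender’s first triage question is which elevated tasks resolve their executable through an environment variable at run time. The following Python script is an added example, not code from Rapid7 or from the article: it parses Task Scheduler XML (the format produced by `schtasks /query /xml /tn <name>`) and lists tasks whose RunLevel is HighestAvailable and whose command or arguments contain a `%VAR%` reference. The task definitions, the vendor folder names and the variable `VENDOR_HOME` are constructed placeholders.

```python
"""List elevated scheduled tasks whose command is resolved through an environment variable.

Added example (not from the Rapid7 post). Pass exported task XML files on the
command line (e.g. from `schtasks /query /xml /tn <name>`), or run with no
arguments to scan the constructed samples below.
"""
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, List, Union

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
ENV_REF = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)%")   # %NAME% style references

# Constructed task definitions. The XML declaration is omitted so the text parses
# directly; real exports are UTF-16 with a BOM and are read as bytes in main().
SAMPLE_TASKS: Dict[str, Union[str, bytes]] = {
    # Elevated, and the executable path depends on a variable: flagged.
    r"\ExampleVendor\Maintenance": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%VENDOR_HOME%\tool.exe</Command><Arguments>/silent</Arguments></Exec></Actions>
</Task>""",
    # Elevated but with a fixed absolute path: not flagged.
    r"\ExampleVendor\Service": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\ExampleVendor\svc.exe</Command></Exec></Actions>
</Task>""",
    # References a variable but runs unelevated: not flagged by this heuristic.
    r"\ExampleVendor\Report": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>%TEMP%\report.exe</Command></Exec></Actions>
</Task>""",
}


def analyze_task(name: str, xml_data: Union[str, bytes]) -> List[dict]:
    """Return findings for one task: elevated RunLevel plus %VAR% references in its Exec action."""
    root = ET.fromstring(xml_data)
    # RunLevel is optional in the schema; Task Scheduler treats a missing one as LeastPrivilege.
    run_level = (root.findtext("t:Principals/t:Principal/t:RunLevel",
                               default="LeastPrivilege", namespaces=TASK_NS) or "").strip()
    findings = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS) or ""
        arguments = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS) or ""
        env_refs = sorted(set(ENV_REF.findall(command + " " + arguments)))
        if run_level == "HighestAvailable" and env_refs:
            findings.append({"task": name, "command": command,
                             "arguments": arguments, "env_vars": env_refs})
    return findings


def scan_tasks(tasks: Dict[str, Union[str, bytes]]) -> List[dict]:
    """Run analyze_task over a {task name: xml} mapping and collect every finding."""
    hits: List[dict] = []
    for name, xml_data in tasks.items():
        hits.extend(analyze_task(name, xml_data))
    return hits


if __name__ == "__main__":
    inputs = {p: Path(p).read_bytes() for p in sys.argv[1:]} or SAMPLE_TASKS
    for hit in scan_tasks(inputs):
        print(f"{hit['task']}: elevated task resolves {', '.join(hit['env_vars'])} "
              f"at run time -> {hit['command']} {hit['arguments']}".rstrip())
```

Many built-in tasks legitimately reference variables such as `%SystemRoot%` while running elevated, so treat the output as a triage list rather than an alert: for each hit, confirm that every listed variable expands to the expected path in the context the task runs under, and baseline the hits on a clean reference system so only new or changed entries need attention.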
The researcher further explained: “Since the malicious Windows application package installed by the MSIX file was not hosted on the Microsoft Store, a prompt is presented to enable installation of sideload applications, if not already enabled, to allow for installation of applications from unofficial sources.”
Researchers could not retrieve the payload files from the infection they analyzed because the files were no longer present by the time they investigated; instead, they used samples from VirusTotal to peer under the hood.
What they found was that HoxLuSfo.exe is a 32-bit Microsoft Visual Studio .NET executable containing obfuscated code that modifies the hosts file on the infected asset so that common browser update URLs no longer resolve correctly, which blocks browser updates, Iwamaye wrote.
The payload also enumerates installed browsers and steals credentials from installed browsers; kills processes named Google, MicrosoftEdge and setu; and includes functionality to steal cryptocurrency as well as to execute arbitrary commands on the infected asset, he wrote.
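The hosts-file tampering described above is cheap to check for on an endpoint. The following Python script is an added example, not code from Rapid7 or from the article: it parses a hosts file, flags any entry that pins a browser-update hostname (the watched list is an illustrative assumption; substitute the update domains your browser vendors document), and reports whether the pin sinkholes the name (loopback or unspecified address) or redirects it elsewhere. The sample hosts content is constructed.

```python
"""Flag hosts-file entries that block or redirect browser update domains.

Added example (not from the Rapid7 post). Run with the path to a hosts file
(on Windows: C:\\Windows\\System32\\drivers\\etc\\hosts), or with no arguments
to check the constructed sample below.
"""
import ipaddress
import sys
from typing import Dict, List, Tuple

# Assumption: illustrative update hostnames; replace with the update domains
# your browser vendors document for your environment.
WATCHED_UPDATE_HOSTS = {
    "update.googleapis.com",
    "clients2.google.com",
    "edge.microsoft.com",
}

# Constructed sample mirroring the tampering described in the article: two
# update hosts sinkholed, one subdomain sinkholed, one redirected to a
# documentation-range address (203.0.113.0/24).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # benign, constructed
127.0.0.1       update.googleapis.com
0.0.0.0         clients2.google.com dl.clients2.google.com
203.0.113.5     edge.microsoft.com
"""


def parse_hosts(text: str) -> List[Tuple[str, List[str]]]:
    """Return (address, [hostnames]) pairs; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip trailing comments
        parts = line.split()
        if len(parts) < 2:                       # blank, comment-only, or no hostname
            continue
        entries.append((parts[0], [name.lower().rstrip(".") for name in parts[1:]]))
    return entries


def is_sinkhole(addr: str) -> bool:
    """True when the address can never reach a real server (loopback, 0.0.0.0 or ::)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_update_overrides(text: str, watched=WATCHED_UPDATE_HOSTS) -> Dict[str, str]:
    """Map each watched update hostname (or a subdomain of one) to its pinned address.

    Any such entry is a finding: these names should resolve through DNS, so a
    hosts-file override either blocks updates outright or diverts them.
    """
    findings: Dict[str, str] = {}
    for addr, names in parse_hosts(text):
        for name in names:
            if name in watched or any(name.endswith("." + w) for w in watched):
                findings[name] = addr
    return findings


def classify_overrides(text: str, watched=WATCHED_UPDATE_HOSTS) -> Dict[str, str]:
    """Label each override 'blocked' (sinkholed) or 'redirected' (any other address)."""
    return {
        name: ("blocked" if is_sinkhole(addr) else "redirected")
        for name, addr in find_update_overrides(text, watched).items()
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            source = fh.read()
    else:
        source = SAMPLE_HOSTS
    verdicts = classify_overrides(source)
    if not verdicts:
        print("no update-domain overrides found")
    for name, verdict in verdicts.items():
        print(f"{verdict:10s} {name}")
```

A “redirected” verdict deserves the same attention as a “blocked” one: an update domain pointed at an address the attacker controls can serve a tampered installer, and a legitimate corporate proxy would normally be configured in the browser or DNS rather than in the hosts file. Pair the check with file-integrity monitoring on the hosts file so the tampering is caught when it happens rather than at the next scan.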
Researchers provide both a detailed forensic analysis of the campaign and a comprehensive list of indicators of compromise in the post to help users prevent and mitigate attacks.
Protection Against Malware
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7, always-on, military-grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories.
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employees’ or family members’ devices, including activity, time spent online, and threats blocked.