Threatpost reports that threat actors have been targeting Windows 10 users with a new malware campaign that delivers its payload through a compromised website visited in Google Chrome, in an effort to exfiltrate sensitive data and cryptocurrency.
The malware bypasses User Account Control (UAC) to complete the infection and achieves persistence through the exploitation of "a Windows environment variable and a native scheduled task to ensure it persistently executes with elevated privilege," said Rapid7 Research Analyst Andrew Iwamaye.
Rapid7 researchers also found that the malware blocks browser updates and sets up the conditions needed to execute arbitrary commands.
"The malware we summarized in this blog post has several tricks up its sleeve. Its delivery mechanism via an ad service as a Windows application (which does not leave typical web-based download forensic artifacts behind), Windows application installation path, and UAC bypass technique by manipulation of an environment variable and native scheduled task can go undetected by various security solutions or even by a seasoned SOC analyst," Iwamaye wrote.
Windows 10 targeted by Chrome-exploiting malware campaign