If you were a threat actor, what better way to get a payload onto someone’s device than through a program that nearly everyone has installed, like Google Chrome? Unfortunately, this appears to be exactly what is happening with the Infostealer malware, which masquerades as a legitimate update to Google’s popular web browser so that sensitive data or cryptocurrency can be stolen from the target machine.
Recently, the Rapid7 Managed Detection and Response team detected a malware campaign that installs its payload as “a Windows application after delivery via a browser ad service and bypasses User Account Control (UAC).” Once installed, this malware, dubbed Infostealer, works to take sensitive information, such as credentials stored in the browser or cryptocurrency, from the infected device. Infostealer also blocks browser updates and allows command execution on the device, which opens the door to a multitude of other security concerns, including a foothold that can persist even if Infostealer itself is eventually removed.
Once on this site, all a user needed to do was click the install button, and a Windows application containing the malware would download and could be installed. The only things that might raise a flag in this process are the name of the application file and the requirement to have the “Sideload apps” setting enabled, since the program did not come from the Microsoft Store. Otherwise, the software would install and run, allowing the malware to kick off its malicious process.
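Because the install path above depends on a machine having sideloading enabled and on a package that was never signed by the Store, those two facts are what a defender can inventory. The following PowerShell script is an added example (it is not from the article or from Rapid7): it reads the per-device sideloading and developer-mode flags under the AppModelUnlock registry key, reads the equivalent Group Policy value if one is set, lists every installed Appx/MSIX package whose signature did not come from the Store or the OS, and offers a function to turn sideloading back off. The registry paths and the `SignatureKind` property are real Windows identifiers; the function names are the example’s own.

```powershell
# Added example, not part of the original article: audit sideloading state and
# list installed Appx/MSIX packages that did not come from the Microsoft Store.
# Run in an elevated PowerShell session on the Windows host being checked.

function Get-SideloadState {
    # Per-device settings behind "Sideload apps" / "Developer mode" in Settings.
    $unlock = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    # Group Policy override ("Allow all trusted apps to install"), if configured.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

    $state = [ordered]@{}
    foreach ($name in 'AllowAllTrustedApps', 'AllowDevelopmentWithoutDevLicense') {
        # A value of 1 means the switch is on; $null means it was never set (off by default).
        $state[$name] = (Get-ItemProperty -Path $unlock -Name $name -ErrorAction SilentlyContinue).$name
    }
    $state['PolicyAllowAllTrustedApps'] =
        (Get-ItemProperty -Path $policy -Name 'AllowAllTrustedApps' -ErrorAction SilentlyContinue).AllowAllTrustedApps
    [pscustomobject]$state
}

function Get-NonStorePackages {
    # SignatureKind records where a package's trust came from: Store, System,
    # Enterprise, Developer or None. Anything outside Store/System was sideloaded
    # or provisioned locally and should be reconciled against the software inventory.
    Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind -notin @('Store', 'System') } |
        Select-Object Name, Version, Publisher, SignatureKind, InstallLocation
}

function Disable-Sideloading {
    # Hardening step: clear the per-device switches so that only Store-signed
    # packages install. A Group Policy setting, if present, still takes precedence.
    $unlock = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    if (-not (Test-Path $unlock)) { New-Item -Path $unlock -Force | Out-Null }
    Set-ItemProperty -Path $unlock -Name 'AllowAllTrustedApps' -Value 0 -Type DWord
    Set-ItemProperty -Path $unlock -Name 'AllowDevelopmentWithoutDevLicense' -Value 0 -Type DWord
}

# Report: sideloading switches first, then any package that is not Store- or OS-signed.
Write-Host '== Sideloading / developer-mode state =='
Get-SideloadState | Format-List

Write-Host '== Installed packages not signed by the Store or the OS =='
Get-NonStorePackages | Format-Table -AutoSize
```

`Get-AppxPackage -AllUsers` needs an elevated prompt; without it you only see the current user’s packages. A package in the second list is not proof of compromise (line-of-business apps installed by an organisation show up as `Enterprise`, and a developer’s own test builds as `Developer`), but an unexpected `Developer` or `None` package on a user’s workstation, combined with `AllowAllTrustedApps = 1`, is the exact condition the install flow described above relies on and is worth a closer look.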
Thankfully, it appears that the malware is no longer being served at the discovered locations, but that does not mean it is…