With Windows’ User Account Control (UAC), malware is exceedingly difficult to spread, since UAC runs all apps in the non-administrative role unless told otherwise. It also prevents unauthorized programs from being installed on the computer without prior confirmation from the user. However, hackers have found a clever way to bypass this measure by using internet browsers like Google Chrome.
Through Google Chrome, hackers can create phony websites, or use compromised ones, to deliver malware to unsuspecting users and steal sensitive information like passwords and cryptocurrency.
How Does This Operation Work?
Andrew Iwamaye, a cybersecurity expert from Rapid7, said that the attacks are carried out once a user visits one of these malicious sites. Then, a browser ad service prompts the user to take an action.
A look into infected users’ Google Chrome history showed several suspicious redirects prior to the initial infection. Before the redirects, Rapid7’s research team found that “the user granted permission to the site hosted at birchlerarroyo[.]com to send notifications to the user.” Then, this site presented a notification to the user, asking for permission to show notifications to them. It is unclear why or how the victims were coaxed into giving permission, but as soon as they did, they received an alert that their browser needed to be updated.
Once they clicked on the alert, they were forwarded to a “convincing Chrome-update-themed webpage” where they could press “install” to update their browser. This link led to an MSIX file installation with the name “oelgfertgokejrgre.msix” hosted at the domain chromeupdate.com.
Once the victims install the software, the machine becomes infected, and the attacks begin.
During the first stage of the attack, a PowerShell command is spawned on the victim’s computer to perform a Disk Cleanup Utility UAC bypass. According to Iwamaye, this is possible because of “a vulnerability in some versions of Windows 10 that allows a native scheduled task to execute arbitrary code by modifying the content of an environment variable”.
More precisely, the PowerShell command replaces the value of the %windir% variable used by the “SilentCleanup” scheduled task with %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM.
Once that is done, whenever Windows attempts to run “SilentCleanup”, it instead executes the following command: %LOCALAPPDATA%\Microsoft\OneDrive\setup\st.exe REM\system32\cleanmgr.exe /autoclean /d %systemdrive%.
This allows the hackers to run any executable they want via the “SilentCleanup” scheduled task.
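As an added, defender-side example that is not part of the article or Rapid7’s research, the following PowerShell audit checks whether the SilentCleanup task’s %windir% expansion has been hijacked in the way described above. It assumes the task lives at \Microsoft\Windows\DiskCleanup\SilentCleanup and that a per-user override would be stored as a windir value under HKCU:\Environment.

```powershell
# Added defender-side audit (not from the article or Rapid7): detect a hijacked
# %windir% expansion for the SilentCleanup scheduled task.
# Assumptions: task path \Microsoft\Windows\DiskCleanup\SilentCleanup, and a
# per-user override stored as the 'windir' value under HKCU:\Environment.
function Get-SilentCleanupTaskInfo {
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\DiskCleanup\' `
                              -TaskName 'SilentCleanup' -ErrorAction SilentlyContinue
    if (-not $task) { Write-Warning 'SilentCleanup task not found'; return }
    # The action is stored unexpanded; normally it points at %windir%\system32\cleanmgr.exe
    foreach ($a in $task.Actions) {
        [pscustomobject]@{
            Execute   = $a.Execute
            Arguments = $a.Arguments
            RunLevel  = $task.Principal.RunLevel
        }
    }
}

function Test-UserWindirOverride {
    # Windows normally defines windir at machine scope only; a user-scope copy is unexpected.
    $key = Get-Item -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
    if (-not $key) { return $null }
    $raw = $key.GetValue('windir', $null,
             [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($null -eq $raw) { return $null }
    # First token is the binary that would run in place of cleanmgr.exe; the rest of the
    # task's command line (e.g. the "REM\system32\..." tail) becomes its arguments.
    $firstToken = ($raw -split '\s+')[0]
    [pscustomobject]@{
        RawValue     = $raw
        PointsAtUser = $raw -match '(?i)%LOCALAPPDATA%|\\AppData\\'
        TargetExists = Test-Path ([Environment]::ExpandEnvironmentVariables($firstToken))
    }
}

Get-SilentCleanupTaskInfo | Format-List
$override = Test-UserWindirOverride
if ($override) {
    Write-Warning "User-scope windir override present: $($override.RawValue)"
    $override | Format-List
} else {
    'No user-scope windir override found.'
}
# The sample described in the article dropped its payload here; flag the path if present.
$stPath = Join-Path $env:LOCALAPPDATA 'Microsoft\OneDrive\setup\st.exe'
if (Test-Path $stPath) { Write-Warning "Suspicious binary present: $stPath" }
```

Run it in a non-elevated user session, since the override lives in the current user’s hive; a clean machine reports no user-scope windir value and a task action of %windir%\system32\cleanmgr.exe.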
What Is Targeted During These Attacks?
It appears that the main goal of these attacks is to steal sensitive passwords, as well as cryptocurrency, from the victims. The malware steals credentials from browsers already installed on the computer, and it also includes functionality that allows the hackers to steal cryptocurrency and run arbitrary commands on the victim’s computer.