Fake Browser Updates delivering BitRAT and Lumma Stealer
June 3, 2024, 11:48 a.m.
Description
This report details a malicious campaign in which adversaries used fake browser update prompts to lure victims into downloading and executing malware. The infection chain begins with malicious JavaScript injected into compromised websites, which redirects visitors to pages mimicking legitimate browser update sites. These fake update sites serve ZIP archives containing PowerShell scripts that download and execute BitRAT and Lumma Stealer. The report provides in-depth analysis of the attack flow, payload characteristics, encryption routines, and command-and-control infrastructure used by these two malware families.
Date
Published: June 3, 2024, 11:26 a.m.
Created: June 3, 2024, 11:26 a.m.
Modified: June 3, 2024, 11:48 a.m.
Indicators
77.221.151.31
http://chatgpt-app.cloud/q1Vz6N
evolutionautomation.com
chatgpt-app.cloud
accountasifkwosov.shop
tolerateilusidjukl.shop
shatterbreathepsw.shop
shortsvelventysjo.shop
productivelookewr.shop
liabilitynighstjsko.shop
incredibleextedwj.shop
demonstationfukewko.shop
alcojoldwograpciw.shop
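The indicators above can be turned directly into a log-hunting check. The following Python script is an added example, not part of the report or of this page: it copies the IP, URL and domain indicators listed above into sets and scans whitespace-delimited proxy or DNS log lines for them. It treats subdomains of a listed domain as hits, strips ports and trailing dots, compares the URL indicator with the host lower-cased but the path kept case-sensitive, and does not match a longer domain that merely ends in a listed one. The log lines in SAMPLE_LOG are constructed for the example.

```python
"""Hunt for the indicators listed on this page in whitespace-delimited log lines."""
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the page's Indicators list.
IOC_IPS = {"77.221.151.31"}
IOC_URLS = {"http://chatgpt-app.cloud/q1Vz6N"}
IOC_DOMAINS = {
    "evolutionautomation.com",
    "chatgpt-app.cloud",
    "accountasifkwosov.shop",
    "tolerateilusidjukl.shop",
    "shatterbreathepsw.shop",
    "shortsvelventysjo.shop",
    "productivelookewr.shop",
    "liabilitynighstjsko.shop",
    "incredibleextedwj.shop",
    "demonstationfukewko.shop",
    "alcojoldwograpciw.shop",
}


def normalize_url(token):
    """scheme://host/path with scheme and host lower-cased, path untouched; None if not a URL."""
    try:
        parts = urlsplit(token)
    except ValueError:
        return None
    if not parts.scheme or not parts.hostname:
        return None
    return f"{parts.scheme.lower()}://{parts.hostname}{parts.path}"


IOC_URLS_NORMALIZED = {normalize_url(u) for u in IOC_URLS}


def normalize_host(token):
    """Lower-cased hostname or IP with port and trailing dot removed; None if unparsable."""
    try:
        host = urlsplit(token if "://" in token else "//" + token).hostname
    except ValueError:
        return None
    return host.rstrip(".") if host else None


def match_host(host):
    """(kind, indicator) if host is a listed IP, a listed domain, or a subdomain of one."""
    try:
        return ("ip", host) if str(ipaddress.ip_address(host)) in IOC_IPS else None
    except ValueError:
        pass  # not an IP literal, fall through to the domain check
    for domain in IOC_DOMAINS:
        # The leading dot keeps e.g. "notchatgpt-app.cloud" from matching "chatgpt-app.cloud".
        if host == domain or host.endswith("." + domain):
            return ("domain", domain)
    return None


def scan_line(line):
    """Return the IOC hits in one log line as a list of (kind, indicator) tuples."""
    hits = []
    for token in line.split():
        if "://" in token and normalize_url(token) in IOC_URLS_NORMALIZED:
            hits.append(("url", normalize_url(token)))
            continue
        host = normalize_host(token)
        hit = match_host(host) if host else None
        if hit:
            hits.append(hit)
    return hits


def scan_log(lines):
    """Return (line_number, kind, indicator) for every hit in an iterable of log lines."""
    return [(n, kind, ioc) for n, line in enumerate(lines, 1) for kind, ioc in scan_line(line)]


# Constructed sample log (not real telemetry): a proxy hit on the lure URL, a DNS query for a
# subdomain of a listed C2 domain, a CONNECT to the listed IP, and two lines that must not match.
SAMPLE_LOG = [
    "2024-06-03T11:26:00Z 10.0.0.12 GET http://CHATGPT-APP.cloud/q1Vz6N 200",
    "2024-06-03T11:27:41Z 10.0.0.12 DNS cdn.TOLERATEILUSIDJUKL.shop. A",
    "2024-06-03T11:28:03Z 10.0.0.12 CONNECT 77.221.151.31:443 -",
    "2024-06-03T11:29:10Z 10.0.0.12 GET https://www.example.org/ 200",
    "2024-06-03T11:30:00Z 10.0.0.12 GET http://notchatgpt-app.cloud/x 200",
]

if __name__ == "__main__":
    for line_no, kind, ioc in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {kind} indicator {ioc}")
```

Run it as-is to see the three hits, or feed `scan_log` an open proxy or DNS log file. Because `match_host` matches on the registrable domain, a query for any host under one of the `.shop` C2 domains is caught even though the report's indicator list names only the apex domains.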
Attack Patterns
BitRAT
Lumma Stealer
T1056.004 (Input Capture: Credential API Hooking)
T1021.004 (Remote Services: SSH)
T1583.001 (Acquire Infrastructure: Domains)
T1569.002 (System Services: Service Execution)
T1583.003 (Acquire Infrastructure: Virtual Private Server)
T1574.002 (Hijack Execution Flow: DLL Side-Loading)
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1059.001 (Command and Scripting Interpreter: PowerShell)
T1059.007 (Command and Scripting Interpreter: JavaScript)
T1056.001 (Input Capture: Keylogging)
T1071.001 (Application Layer Protocol: Web Protocols)
T1518.001 (Software Discovery: Security Software Discovery)
T1204.002 (User Execution: Malicious File)
T1489 (Service Stop)
T1105 (Ingress Tool Transfer)
T1219 (Remote Access Software)
T1027 (Obfuscated Files or Information)