If you were a threat actor, what better way to get a payload onto someone’s device than through a program that nearly everyone has installed like Google Chrome? Unfortunately, this appears to be what is happening with the Infostealer malware, masquerading as a legitimate update to the popular web browser from Google so that sensitive data or cryptocurrency can be stolen from a target machine.

Recently, the Rapid7 Managed Detection and Response team detected a malware campaign that installs its payload as “a Windows application after delivery via a browser ad service and bypasses User Account Control (UAC).” Once installed, this malware, dubbed Infostealer, works to take sensitive information such as credentials stored in the browser or cryptocurrency from an infected device. Furthermore, Infostealer also prevents browser updates and allows for command execution on a device which enables a multitude of other security concerns, including persistence on a device if Infostealer is eventually removed.

In any event, Infostealer gets onto a machine through a several-step process which starts when a user enables notifications in-browser, which is thought to be triggered by a compromised JavaScript file hosted on websites for advertising purposes. This permission change allows the website to push “toast notifications” to Windows, which can spam users or notify people of malicious fake software updates. The latter of these options was thought to be used by the malware campaign, making people believe they had a Chrome update and sending them to a realistic-looking update website.

Once on this site, all a user needed to do was click the install button, and a Windows application with the malware would download and could be installed. The only thing that may raise some flags in this process is the name of the application file and the requirement to have the “Sideload apps” setting enabled, as this program did not come from the Microsoft Store. Otherwise, this software would be installed and run, allowing the malware to kick off its malicious process.

Thankfully, it appears that the malware is no longer being served at the discovered locations, but that does not mean it is gone necessarily. To help protect against this malware, people need to be keenly aware of what links they click and files they download. Moreover, programs requesting extra permissions than what is default is generally a red flag unless you know precisely what is happening. With these precautions, hopefully, Infostealer will become less effective and less prevalent.

Source: https://hothardware.com/news/infostealer-malware-tricks-people-to-infect-devices