More fake Windows updates are spreading malware, so watch what you download

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Researchers have warned of a new cyber scam campaign using fake Windows updates to trick victims into downloading and running the Aurora infostelaer on their devices.

Experts at Malwarebytes recently spotted a malicious advertising campaign leveraging pop-under ads to deliver a malware loader.

Pop-under ads are a type of ad that loads under the browser, and is only visible once the user closes, or moves the browser out of sight. These ads, served mostly on adult content websites with high traffic numbers, are displayed in full-screen, and tell the user that they need to update their device. More than a dozen domains were used in this campaign, it was said.

Protecting your business from the biggest threats online

Protecting your business from the biggest threats online
Perimeter 81's Malware Protection intercepts threats at the delivery stage to prevent known malware, polymorphic attacks, zero-day exploits, and more. Let your people use the web freely without risking data and network security.

Preferred partner (What does this mean?) 

Turkish victims

Those that fall for the trick would download a file called ChromeUpdate.exe which, in reality, is a malware loader called “Invalid Printer”. The researchers are saying that Invalid Printer is a so-called “fully undetectable” (FUD) malware loader, used exclusively by this particular, yet unnamed, threat actor. Once Invalid Printer makes it to the target endpoint, it will first check the graphic card to see if it’s installed on a virtual machine, or in a sandbox. If it determines that the device is a legitimate target, it will unpack and launch a copy of the Aurora infostealer. 

Aurora is a piece of malware with “extensive capabilities” and low antivirus detection, its creators claim. In reality, it took antivirus programs a few weeks to start flagging Aurora installs as malicious, Malwarebytes said. Written in Golang, Aurora is on sale on dark web forums for more than a year now. In this particular campaign, some 600 devices were compromised, the researchers believe. 

According to Jérôme Segura, director of threat intelligence at Malwarebytes, most victims are Turkish, as every time a new sample gets submitted to Virus Total, it comes from a Turkish user. 

"In many instances, the file name looked like it had come fresh from the compiler (i.e. build1_enc_s.exe)," the researcher concluded.

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.