Cybercriminals have been hacking into legitimate websites and injecting scripts into their pages. The injected scripts display a fake Google Chrome update error page, claiming that an automatic update failed to install and must be applied before the visitor can continue browsing the site. Users are then prompted to download a file, actually a malicious ZIP archive, to keep browsing, Japanese cybersecurity company NTT Security Holdings said in a blog post.
The compromised sites used to spread the campaign include blogs, news sites, online stores and adult sites, a report from Bleeping Computer said.
When downloaded, the malicious ZIP file, named ‘release.zip’ and disguised as a Chrome update, is installed on the victim’s system. The archive contains a Monero miner, a program that uses the victim’s CPU to mine cryptocurrency for the threat actors.
The malware avoids detection by adding scheduled tasks and by modifying registry settings that control Windows Defender.
Additionally, the malware can block the download of genuine Windows updates released by Microsoft, and disrupt communication between security products and their servers by modifying the HOSTS file, which maps hostnames to IP addresses. This hampers threat detection and may even disable an antivirus altogether.
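The HOSTS-file tampering described above leaves a simple, checkable trace: vendor update or telemetry domains mapped to loopback or 0.0.0.0. The script below is an added example, not code from NTT Security Holdings or Bleeping Computer. It parses HOSTS-file text and flags any watched domain pointed at a sinkhole address; the watch-list of vendor domains and the sample HOSTS contents are constructed for illustration and are assumptions, not indicators published with the report.

```python
"""Flag HOSTS-file entries that black-hole security-vendor or Windows Update
domains, the tampering technique described in the article.

Added example, not code from NTT Security Holdings or Bleeping Computer.
The watch-list and the sample HOSTS text below are constructed for the
example; a real deployment would load the vendor list from policy.
"""

# Constructed watch-list of domains a miner would want to black-hole
# (assumed for the example; extend with your own vendors' hosts).
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "avast.com",
    "kaspersky.com",
    "sophos.com",
    "eset.com",
    "symantec.com",
)

# Addresses that sinkhole traffic: loopback and the unspecified address.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text):
    """Yield (ip, hostname, line_number) for each mapping in HOSTS text.

    Comments (# ...) and blank lines are skipped; one line may map a single
    IP to several names, so each name is yielded separately.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield ip, name.lower(), lineno


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_sinkholed(text):
    """Return entries that map a watched domain to a sinkhole address.

    A legitimate HOSTS file almost never points vendor update or telemetry
    domains at loopback, so any such entry is worth an analyst's attention.
    """
    hits = []
    for ip, name, lineno in parse_hosts(text):
        if ip in SINKHOLE_IPS and is_watched(name):
            hits.append({"line": lineno, "ip": ip, "host": name})
    return hits


# Constructed sample: a default Windows HOSTS header plus tampered entries.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
0.0.0.0 download.windowsupdate.com   # injected by the miner
0.0.0.0 update.microsoft.com
127.0.0.1 telemetry.sophos.com live.kaspersky.com
127.0.0.1 mydevbox.local
"""

if __name__ == "__main__":
    for hit in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']}")
```

On a live Windows host the text would come from C:\Windows\System32\drivers\etc\hosts; the benign developer override on the last sample line is not flagged because it is not on the watch-list, which is why the watch-list, rather than any loopback entry, drives the decision.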
While the campaign has been underway since November 2022, it gained momentum after February 2023. Although most of the compromised websites so far are in Japanese, Spanish and Korean, NTT warns that the recent addition of other languages may indicate that the threat actors plan to target more websites, and that the campaign’s impact may grow.