BIGFISH TECHNOLOGY LIMITED
03 October 2024

Fake browser updates spread an upgraded version of the WarmCookie backdoor.

A new 'FakeUpdate' campaign aimed at users in France uses hijacked websites to display phony browser and application update prompts that deliver a new version of the WarmCookie backdoor.

FakeUpdate is a cyberattack tactic employed by the threat group 'SocGholish', which compromises legitimate websites or builds fake ones to display phony update prompts for a wide range of software, including web browsers, Java, VMware Workstation, WebEx, and Proton VPN.

When users click on phony update prompts that appear authentic, a malicious payload is downloaded, such as info-stealers, bitcoin drainers, RATs, and even ransomware.

Researchers at Gen Threat Labs detected the current campaign, in which the WarmCookie backdoor was delivered as bogus Google Chrome, Mozilla Firefox, Microsoft Edge, and Java updates.

WarmCookie, initially identified by eSentire in mid-2023, is a Windows backdoor that has recently been deployed in phishing attacks utilizing false job offers as bait.

Its comprehensive capabilities include data and file theft, device profiling, application enumeration (via the Windows Registry), arbitrary command execution (via CMD), screenshot capture, and the ability to inject additional payloads onto the compromised system.

In the most recent campaign discovered by Gen Threat Labs, the WarmCookie backdoor has been enhanced with additional features, such as launching DLLs from the temp folder and returning their output, as well as the ability to transfer and execute EXE and PowerShell files.

In most observed cases the infection was triggered by a phony browser update, which is common in FakeUpdate attacks. However, Gen Digital also discovered a website where a fraudulent Java update was offered as part of this campaign.

The infection chain begins with the user clicking on a phony browser update alert, which activates JavaScript and downloads the WarmCookie installer, prompting the user to save the file.

Once the bogus software update runs, the malware performs anti-VM checks to ensure it is not operating in an analyst's environment before sending the newly infected system's fingerprint to the command and control (C2) server, where it awaits instructions.

Although Gen Threat Labs states that the attackers use hacked websites in this campaign, several of the domains listed in the IoC section, such as "edgeupdate[.]com" and "mozilaupgrade[.]com," appear to have been purposefully chosen to fit the 'FakeUpdate' theme.

Remember that Chrome, Brave, Edge, Firefox, and all modern browsers are automatically updated when new versions become available.

A program restart may be required for an update to be applied to the browser; however, manually downloading and executing updater packages is never part of the update process and should be considered dangerous.

FakeUpdates frequently compromise respectable and otherwise trustworthy websites, so be wary of these pop-ups even if you're using a familiar platform.
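Because the lookalike domains above combine a browser or Java brand name with an "update"/"upgrade" lure, a defender can hunt for that pattern in web-proxy logs. The following is an added detection example, not code from the article or from Gen Threat Labs; the vendor allowlist, the keyword lists and the proxy-log lines are constructed assumptions, and only the two defanged domains come from the article.

```python
from urllib.parse import urlsplit

# Lookalike domains quoted (defanged) in the article. The vendor allowlist,
# keyword lists and proxy-log lines below are constructed for this example.
ARTICLE_IOCS = ["edgeupdate[.]com", "mozilaupgrade[.]com"]
LEGIT_SUFFIXES = ("google.com", "googleapis.com", "mozilla.org",
                  "microsoft.com", "java.com", "oracle.com", "brave.com")
BRAND_TERMS = ("chrome", "google", "firefox", "mozil", "edge", "java", "brave")
LURE_TERMS = ("update", "upgrade", "install", "download")


def refang(ioc: str) -> str:
    """Convert defanged notation ('[.]', 'hxxp') back into a real host/URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def is_lookalike_update_domain(host: str) -> bool:
    """True when a non-vendor domain combines a browser/Java brand term with an
    update/upgrade lure term, the pattern the article's IoCs follow.
    Substring matching is a heuristic: review hits, do not auto-block on them."""
    host = refang(host)
    if any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES):
        return False  # genuine vendor infrastructure (allowlist is an assumption)
    name = host.split(".")[-2] if "." in host else host  # e.g. 'mozilaupgrade'
    return any(b in name for b in BRAND_TERMS) and any(l in name for l in LURE_TERMS)


def scan_proxy_log(lines):
    """Return (timestamp, client, host) for each request to a lookalike domain.
    Assumed (constructed) line format: '<ts> <client_ip> <METHOD> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the hunt
        host = urlsplit(parts[3]).hostname or ""
        if is_lookalike_update_domain(host):
            hits.append((parts[0], parts[1], host))
    return hits


SAMPLE_LOG = [  # constructed proxy log lines; hosts from the article are refanged
    f"2024-10-03T09:12:41Z 10.0.0.21 GET http://{refang(ARTICLE_IOCS[0])}/update.js",
    "2024-10-03T09:12:42Z 10.0.0.21 GET https://update.googleapis.com/service/update2",
    f"2024-10-03T09:13:05Z 10.0.0.34 GET https://{refang(ARTICLE_IOCS[1])}/Firefox-Update.exe",
    "2024-10-03T09:14:10Z 10.0.0.34 GET https://download.mozilla.org/?product=firefox",
    "2024-10-03T09:15:00Z 10.0.0.50 GET https://chrome-browser-update.net/Chrome.exe",
    "2024-10-03T09:15:30Z 10.0.0.50 GET https://www.example.com/index.html",
]

if __name__ == "__main__":
    for ts, client, host in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {client} -> request to suspected update-lure domain: {host}")
```

Genuine vendor update traffic (Google, Mozilla) passes through untouched; the two article domains and a constructed lookalike are flagged for triage.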


Source: Bleeping Computer