
Attackers Exploiting Google Chrome on Windows 10 for UAC Bypass

A malware campaign has been discovered targeting Chrome browsers running on Windows 10. The attackers use a User Account Control (UAC) bypass technique to get around Windows cybersecurity protections.

The purpose of the campaign

Researchers from Rapid7 first observed the ongoing malware campaign.
  • The objective of the campaign is to obtain sensitive data and steal cryptocurrency from the infected systems.
  • Hackers use a malicious file called HoxLuSfo.exe with obfuscated code to steal credentials. 
  • The malware targets and kills processes named Google, Microsoft Edge, and setu.

Understanding the UAC bypass

Attackers exploit a Disk Cleanup utility vulnerability in some versions of Windows 10 to bypass UAC. 
  • This allows a native scheduled task to run arbitrary code by tampering with the content of an environment variable.
  • The attackers have used a PowerShell command launched by a suspicious executable, HoxLuSfo[.]exe.
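
A defender-side check for the environment-variable tampering described above, as an added example that is not from the original article or from Rapid7. It assumes the tampered value is stored in the per-user `HKCU:\Environment` key and that `windir` and `SystemRoot` are the names worth flagging; the article names neither, and the function names are hypothetical.

```powershell
# Added example. Assumption: these are the machine-wide variables a standard
# user has no reason to redefine; the article does not name the variable.
$ProtectedNames = @('windir', 'SystemRoot')
# Substrings suggesting a program or command was placed in a path variable.
$CommandHints = @('.exe', 'powershell', 'cmd')

function Get-UserEnvironment {
    param([string] $KeyPath = 'HKCU:\Environment')
    $values = @{}
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if ($key) {
        $raw = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
        foreach ($n in $key.GetValueNames()) {
            # Read the raw stored string without expanding %VAR% references.
            $values[$n] = $key.GetValue($n, $null, $raw)
        }
    }
    $values
}

function Find-UserEnvOverride {
    param([hashtable] $UserEnv = @{}, [string] $Source = 'unknown')
    foreach ($name in $UserEnv.Keys) {
        if ($ProtectedNames -notcontains $name) { continue }  # case-insensitive
        $value = [string] $UserEnv[$name]
        $hits = @($CommandHints | Where-Object { $value.ToLower().Contains($_) })
        [pscustomobject]@{
            Source   = $Source
            Name     = $name
            Value    = $value
            Severity = if ($hits.Count -gt 0) { 'high' } else { 'review' }
        }
    }
}

# Constructed sample values (not taken from the campaign).
$benign   = @{ TEMP = '%USERPROFILE%\AppData\Local\Temp' }
$tampered = @{ TEMP = '%USERPROFILE%\AppData\Local\Temp'
               windir = 'C:\Users\Public\placeholder.exe' }

Find-UserEnvOverride -UserEnv $benign   -Source 'sample:benign'
Find-UserEnvOverride -UserEnv $tampered -Source 'sample:tampered'
Find-UserEnvOverride -UserEnv (Get-UserEnvironment) -Source 'HKCU:\Environment'
```

Any finding from the live key deserves review, since Windows defines both variables machine-wide and a per-user copy changes what programs started in that user's context resolve them to.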

The attack chain

  • The attack starts with a targeted Chrome browser user visiting a malicious website and a browser ad service asking the user to take an action. 
  • Further, a victim is asked to allow the malicious site to send notification requests via the browser.
  • Once notifications are permitted, the victim is informed that their Chrome web browser should be updated. 

Additionally, Chrome browser history files reveal redirects to suspicious domains and other redirects before an initial infection.

Ending notes

This seems to be an advanced malware campaign, as the malware uses obfuscated code and bypasses UAC. Moreover, the campaign is financially motivated and aims to steal browser credentials and cryptocurrency. Experts recommend avoiding unknown sites and not clicking on suspicious links.

Cyware Publisher
