A malware campaign has been discovered targeting Chrome browser users on Windows 10. The attackers use a User Account Control (UAC) bypass to get past Windows' built-in security protections.
The purpose of the campaign
Researchers from Rapid7 were the first to observe the ongoing malware campaign.
The objective of the campaign is to obtain sensitive data and steal cryptocurrency from the infected systems.
Hackers use a malicious file called HoxLuSfo.exe, containing obfuscated code, to steal credentials.
The malware targets and kills processes named Google, Microsoft Edge, and setu.
Understanding the UAC bypass
Attackers exploit a Disk Cleanup utility vulnerability in some versions of Windows 10 to bypass UAC.
This lets them make a native scheduled task run arbitrary code by tampering with the contents of an environment variable the task relies on.
The attackers used a PowerShell command launched by a suspicious executable, HoxLuSfo[.]exe.
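The article names the two host-side behaviours a defender can look for: a process writing to an environment variable that a built-in scheduled task later expands, and HoxLuSfo.exe launching PowerShell. The following is an added detection example, not code from the article or from Rapid7. It runs over constructed Sysmon-style JSON events (EventID 13 for registry value set, EventID 1 for process creation; the paths, SID and command line are made up). The article does not name the variable; this example assumes the widely documented Disk Cleanup variant, in which the per-user windir value under the user's Environment registry key is overridden, so the variable name and hive path below are assumptions.

```python
import json
import ntpath
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style events as JSON lines (the form a log shipper emits).
# EventID 13 = registry value set, EventID 1 = process creation.
SAMPLE_LOG = r'''
{"EventID": 13, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\HoxLuSfo.exe", "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Environment\\windir", "Details": "C:\\Users\\bob\\AppData\\Local\\Temp\\stage2.exe"}
{"EventID": 13, "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-111-222-333-1001\\Environment\\Path", "Details": "C:\\Users\\bob\\bin"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\bob\\AppData\\Local\\Temp\\HoxLuSfo.exe", "CommandLine": "powershell -w hidden -enc ..."}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell Get-Date"}
'''

# Assumption: a user-scoped Environment key (HKCU or HKU\<SID>) holding 'windir'.
USER_ENV_RE = re.compile(r"^HK(?:U\\[^\\]+|CU)\\Environment\\(?P<name>[^\\]+)$", re.IGNORECASE)
SUSPICIOUS_ENV_NAMES = {"windir"}     # assumed variable name, see lead-in
SYSTEM_WINDIR = "c:\\windows"         # where a legitimate value would point
DROPPER_NAME = "hoxlusfo.exe"         # executable named in the article
SHELLS = {"powershell.exe", "pwsh.exe"}


def parse_events(log_text: str) -> List[Dict]:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def check_env_tamper(ev: Dict) -> Optional[Dict]:
    """Rule 1: a user-scope override of an environment variable a system task expands."""
    if ev.get("EventID") != 13:
        return None
    m = USER_ENV_RE.match(ev.get("TargetObject", ""))
    if not m or m.group("name").lower() not in SUSPICIOUS_ENV_NAMES:
        return None
    value = ev.get("Details", "")
    # A value outside the real Windows directory is the strongest signal.
    severity = "high" if not value.lower().startswith(SYSTEM_WINDIR) else "medium"
    return {"rule": "user_scope_windir_override", "severity": severity,
            "image": ev.get("Image"), "value": value}


def check_dropper_shell(ev: Dict) -> Optional[Dict]:
    """Rule 2: the named dropper spawning PowerShell."""
    if ev.get("EventID") != 1:
        return None
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    child = ntpath.basename(ev.get("Image", "")).lower()
    if parent == DROPPER_NAME and child in SHELLS:
        return {"rule": "dropper_spawns_powershell", "severity": "high",
                "image": ev.get("Image"), "value": ev.get("CommandLine")}
    return None


def scan(log_text: str) -> List[Dict]:
    """Apply every rule to every event and collect the hits in log order."""
    findings = []
    for ev in parse_events(log_text):
        for check in (check_env_tamper, check_dropper_shell):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['rule']}: {f['image']} -> {f['value']}")
```

Rule 1 deliberately keys on the registry write rather than on the executable name, since the dropper name will change between campaigns while the task-hijack mechanism does not; rule 2 is the campaign-specific indicator and is the one to retire first.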
The attack chain
The attack starts with a targeted Chrome user visiting a malicious website, where a browser ad service prompts the user to take an action.
The victim is then asked to allow the malicious site to send notifications through the browser.
Once notifications are permitted, the victim is informed that their Chrome web browser should be updated.
Additionally, Chrome browser history files reveal redirects to suspicious domains, as well as other redirects, before the initial infection.
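Because the history file is what reveals the redirect path, a responder's first question is how the browser arrived at the fake update page. The following is an added example, not from the article or from Rapid7: it reconstructs a redirect chain from Chrome's History database by walking each visit's from_visit link backwards and classifying hops with Chromium's page-transition flags. The database is an in-memory subset of the real schema (only the urls and visits columns used here) populated with constructed visits, and every hostname in it is made up.

```python
import sqlite3
from typing import List, Tuple
from urllib.parse import urlsplit

# Chromium page-transition flags (ui/base/page_transition_types.h).
CORE_MASK = 0xFF
CHAIN_START = 0x10000000
CHAIN_END = 0x20000000
CLIENT_REDIRECT = 0x40000000
SERVER_REDIRECT = 0x80000000
TYPED = 1


def open_constructed_history() -> sqlite3.Connection:
    """In-memory subset of Chrome's History schema with a constructed chain:
    a typed visit, a server redirect into an ad service, and a client-side
    redirect into a fake 'update your browser' page, plus one unrelated visit."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    conn.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "http://news-site.example/article", "Article"),
        (2, "http://ad-service.example/click?id=123", ""),
        (3, "http://chrome-update-alert.example/", "Update your browser"),
        (4, "http://intranet.example/", "Home"),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, 13300000000000000, 0, TYPED | CHAIN_START),
        (2, 2, 13300000000100000, 1, SERVER_REDIRECT),
        (3, 3, 13300000000200000, 2, CLIENT_REDIRECT | CHAIN_END),
        (4, 4, 13300000001000000, 0, TYPED | CHAIN_START | CHAIN_END),
    ])
    conn.commit()
    return conn


def hop_kind(transition: int) -> str:
    """Label a visit by the redirect flags set on its transition."""
    if transition & SERVER_REDIRECT:
        return "server-redirect"
    if transition & CLIENT_REDIRECT:
        return "client-redirect"
    return "origin"


def chain_ending_at(conn: sqlite3.Connection, visit_id: int) -> List[Tuple[str, str]]:
    """Follow from_visit links backwards and return the chain oldest-first."""
    chain: List[Tuple[str, str]] = []
    seen = set()  # guard against a corrupted from_visit loop
    while visit_id and visit_id not in seen:
        seen.add(visit_id)
        row = conn.execute(
            "SELECT v.from_visit, v.transition, u.url FROM visits v "
            "JOIN urls u ON u.id = v.url WHERE v.id = ?", (visit_id,)).fetchone()
        if row is None:
            break
        from_visit, transition, url = row
        chain.append((url, hop_kind(transition)))
        visit_id = from_visit
    chain.reverse()
    return chain


def chains_to_hosts(conn: sqlite3.Connection, watch_hosts) -> List[List[Tuple[str, str]]]:
    """For every visit whose host is on the watch list, reconstruct how the browser got there."""
    watch = {h.lower() for h in watch_hosts}
    results = []
    for vid, url in conn.execute(
            "SELECT v.id, u.url FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"):
        if urlsplit(url).hostname in watch:
            results.append(chain_ending_at(conn, vid))
    return results


if __name__ == "__main__":
    db = open_constructed_history()
    for chain in chains_to_hosts(db, ["chrome-update-alert.example"]):
        for url, kind in chain:
            print(f"{kind:16} {url}")
```

Against a real profile, point sqlite3.connect at a copy of the History file (Chrome holds a lock on the live one) and pass the domains from the incident as the watch list; the walk stops at the typed or link-clicked visit that started the chain, which is the page the user actually meant to open.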
This seems to be an advanced malware campaign, as the malware uses obfuscated code and bypasses UAC. Moreover, the campaign is financially motivated and aims to steal browser credentials and cryptocurrency. Experts recommend avoiding unknown sites and not clicking on suspicious links.