Thousands Targeted Through Fake Google Updates That Hackers Pushed Via Compromised WordPress Sites

  • Designed to imitate a legitimate Google Chrome update page, attackers instruct potential victims on the page to download an update for the browser.
  • Researchers suspect the same group was also behind using a fake NordVPN website to infect targets with the Bolik banking Trojan.

What happened?
As WordPress is one of the most popular website builders, WordPress-based sites are of great interest to hacker groups. Recently, a notorious group was spotted compromising WordPress-based corporate sites and news blogs to deliver backdoor malware disguised as Google Chrome updates.

  • The fake Chrome updates come in the form of two malicious installers named Critical_Update.exe and Update.exe.
  • The former had been downloaded over 2,290 times since being added to the Bitbucket repository hosting it.
  • The latter was downloaded over 300 times within just a few hours of being reported.

How does it work?
According to researchers, the hackers use the backdoor malware to drop several second-stage payloads, such as keyloggers, info stealers, and trojans.

  • Hackers first attempt to gain admin access to compromised websites.
  • Then they inject malicious JavaScript code that automatically redirects visitors to phishing sites under their control.
  • Designed to imitate a legitimate Google Chrome update page, attackers instruct potential victims on the page to download an update for the browser.
  • The targets instead download malware payloads that allow the operators to take remote control of the victims' computers.
  • The malware script lets attackers bypass Windows' built-in antivirus.
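Defenders can hunt for the injected redirect described above by scanning the HTML a site actually serves for inline scripts that fingerprint the browser and send visitors off-site. The following scanner is an added example, not code from the researchers, WordPress or the group discussed; the sample page, the `news.example` and `example.invalid` hosts, and the pattern lists are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample (placeholder hosts, not real IoCs): a harmless HTTPS-upgrade script, then a lure-style script that checks the browser and redirects off-site.
SAMPLE_HTML = """<html><head><title>Corporate News</title>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script>if (location.protocol !== "https:") location.replace("https://news.example/");</script>
<script>
if (navigator.userAgent.indexOf("Chrome") > -1) {
  window.location.href = "https://example.invalid/chrome-update";
}
</script>
</head><body><p>Welcome</p></body></html>"""

REDIRECT_PATTERNS = (r"window\.location(\.href)?\s*=", r"document\.location(\.href)?\s*=",
                     r"location\.replace\s*\(", r"top\.location\s*=")
# Client-side checks a lure page uses to target one browser or locale.
FINGERPRINT_PATTERNS = (r"navigator\.userAgent", r"navigator\.language", r"navigator\.platform")

class InlineScriptCollector(HTMLParser):
    """Collect the body of every inline <script>; external src= scripts are skipped."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data  # a script body may arrive in several chunks

def find_suspicious_redirects(html, allowed_hosts):
    """Flag inline scripts that redirect and also fingerprint the visitor or point off-site."""
    collector = InlineScriptCollector()
    collector.feed(html)
    findings = []
    for script in collector.scripts:
        redirects = any(re.search(p, script) for p in REDIRECT_PATTERNS)
        fingerprints = any(re.search(p, script) for p in FINGERPRINT_PATTERNS)
        hosts = re.findall(r"https?://([^/\"'\s]+)", script)
        offsite = [h for h in hosts if h not in allowed_hosts]
        if redirects and (fingerprints or offsite):
            findings.append({"offsite_hosts": offsite, "fingerprints": fingerprints,
                             "snippet": " ".join(script.split())[:80]})
    return findings
```

Run it against pages fetched with a Chrome user agent and from the targeted countries, since the injected code and the redirect are served conditionally.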

Background on the group
The group has previously spread a fake installer of the popular VSDC video editor via the CNET software platform and its official website.
Researchers suspect the same group was also behind using a fake NordVPN website to infect targets with the Bolik banking Trojan.
Even before that, the hackers were delivering the final payloads (a banking trojan and the KPOT info stealer) using compromised systems.

Later, the group turned to a more complex infection involving a backdoor.

The researchers said, "Target selection is based on geolocation and browser detection. The target audience is users from the USA, Canada, Australia, Great Britain, Israel, and Turkey, using the Google Chrome browser."

Why is more safety needed?
Judging by the number of attempts being made, attacks aiming to take control of WordPress websites are becoming the norm.

  • Hackers mostly exploit recently patched or zero-day vulnerabilities in website plugins. This gives them a foothold on hundreds of thousands of sites.
  • An incident was reported in January this year wherein hackers compromised over 2,000 websites.
  • Attackers have even tried to fully compromise or wipe WordPress sites by exploiting unpatched versions of plugins.