Fake Google Chrome Update deliver crypto stealing malware

[Jating]

A new way for this criminals to deliver their payload of crypto stealing malware know as Lumma and BitRat. This time the payload is being delivered to fake Google Chrome update as reported by Esentire.



Figure 1: Shows what the actual fake update website looks like

chatgpt-app[.]cloud site contains a download link to a Zip archive called ‘Update.zip’

And once the you have executed the zip file, it will download the payload to your system and then the code will look for the following string in your machine, like *Bitcoin, *Binance and almost everything related to crypto.

Code:

{
    "v": 1,
    "c": [
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*.txt",
            "z": "Important Files/Profile",
            "d": 1
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*key*",
            "z": "Important Files/Profile",
            "d": 1
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*bitcoin*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*binance*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*exodus*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*coinbase*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*wallet*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*seed*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*pass*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*ledger*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*trezor*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*metamask*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*crypto*",
            "z": "Important Files/Profile",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Binance",
            "m": "app-store.json",
            "z": "Wallets/Binance",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Binance",
            "m": ".finger-print.fp",
            "z": "Wallets/Binance",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Binance",
            "m": "simple-storage.json",
            "z": "Wallets/Binance",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Electrum\\wallets",
            "m": "*",
            "z": "Wallets/Electrum",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Ethereum",
            "m": "keystore",
            "z": "Wallets/Ethereum",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Exodus\\exodus.wallet",
            "m": "*",
            "z": "Wallets/Exodus",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Ledger Live",
            "m": "*",
            "z": "Wallets/Ledger Live",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\atomic\\Local Storage\\leveldb",
            "m": "*",
            "z": "Wallets/Atomic",
            "d": 2
        },
        {
            "t": 0,
            "p": "%localappdata%\\Coinomi\\Coinomi\\wallets",
            "m": "*",
            "z": "Wallets/Coinomi",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Authy Desktop\\Local Storage\\leveldb",
            "m": "*",
            "z": "Wallets/Authy Desktop",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Bitcoin\\wallets",
            "m": "*",
            "z": "Wallets/Bitcoin core",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\com.liberty.jaxx\\IndexedDB",
            "m": "*.leveldb",
            "z": "Wallets/JAXX New Version",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Electrum\\wallets",
            "m": "*",
            "z": "Wallets/Electrum",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\AnyDesk",
            "m": "*.conf",
            "z": "Applications/AnyDesk",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\FileZilla",
            "m": "recentservers.xml",
            "z": "Applications/FileZilla",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\FileZilla",
            "m": "sitemanager.xml",
            "z": "Applications/FileZilla",
            "d": 2
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*.kbdx",
            "z": "Applications/KeePass",
            "d": 2
        },
        {
            "t": 0,
            "p": "%programfiles%\\Steam",
            "m": "ssfn*",
            "z": "Applications/Steam",
            "d": 2
        },
        {
            "t": 0,
            "p": "%programfiles%\\Steam\\config",
            "m": "*",
            "z": "Applications/Steam/config",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Telegram Desktop",
            "m": "*s",
            "z": "Applications/Telegram",
            "d": 2
        },
        {
            "t": 1,
            "e": [
                {
                    "en": "ejbalbakoplchlghecdalmeeeajnimhm",
                    "ez": "MetaMask"
                },
                {
                    "en": "nkbihfbeogaeaoehlefnkodbefgpgknn",
                    "ez": "MetaMask"
                },
                {
                    "en": "egjidjbpglichdcondbcbdnbeeppgdph",
                    "ez": "Trust Wallet"
                },
                {
                    "en": "ibnejdfjmmkpcnlpebklmnkoeoihofec",
                    "ez": "TronLink"
                },
                {
                    "en": "fnjhmkhhmkbjkkabndcnnogagogbneec",
                    "ez": "Ronin Wallet"
                },
                {
                    "en": "fhbohimaelbohpjbbldcngcnapndodjp",
                    "ez": "Binance Chain Wallet"
                },
                {
                    "en": "ffnbelfdoeiohenkjibnmadjiehjhajb",
                    "ez": "Yoroi"
                },
                {
                    "en": "jbdaocneiiinmjbjlgalhcelgbejmnid",
                    "ez": "Nifty"
                },
                {
                    "en": "afbcbjpbpfadlkmhmclhkeeodmamcflc",
                    "ez": "Math"
                },
                {
                    "en": "hnfanknocfeofbddgcijnmhnfnkdnaad",
                    "ez": "Coinbase"
                },
                {
                    "en": "hpglfhgfnhbgpjdenjgmdgoeiappafln",
                    "ez": "Guarda"
                },
                {
                    "en": "blnieiiffboillknjnepogjhkgnoapac",
                    "ez": "EQUA"
                },
                {
                    "en": "cjelfplplebdjjenllpjcblmjkfcffne",
                    "ez": "Jaxx Liberty"
                },
                {
                    "en": "fihkakfobkmkjojpchpfgcmhfjnmnfpi",
                    "ez": "BitApp"
                },
                {
                    "en": "kncchdigobghenbbaddojjnnaogfppfj",
                    "ez": "iWlt"
                },
                {
                    "en": "kkpllkodjeloidieedojogacfhpaihoh",
                    "ez": "EnKrypt"
                },
                {
                    "en": "amkmjjmmflddogmhpjloimipbofnfjih",
                    "ez": "Wombat"
                },
                {
                    "en": "nlbmnnijcnlegkjjpcfjclmcfggfefdm",
                    "ez": "MEW CX"
                },
                {
                    "en": "nanjmdknhkinifnkgdcggcfnhdaammmj",
                    "ez": "Guild"
                },
                {
                    "en": "nkddgncdjgjfcddamfgcmfnlhccnimig",
                    "ez": "Saturn"
                },
                {
                    "en": "cphhlgmgameodnhkjdmkpanlelnlohao",
                    "ez": "NeoLine"
                },
                {
                    "en": "nhnkbkgjikgcigadomkphalanndcapjk",
                    "ez": "Clover"
                },
                {
                    "en": "kpfopkelmapcoipemfendmdcghnegimn",
                    "ez": "Liquality"
                },
                {
                    "en": "aiifbnbfobpmeekipheeijimdpnlpgpp",
                    "ez": "Terra Station"
                },
                {
                    "en": "dmkamcknogkgcdfhhbddcghachkejeap",
                    "ez": "Keplr"
                },
                {
                    "en": "fhmfendgdocmcbmfikdcogofphimnkno",
                    "ez": "Sollet"
                },
                {
                    "en": "cnmamaachppnkjgnildpdmkaakejnhae",
                    "ez": "Auro"
                },
                {
                    "en": "jojhfeoedkpkglbfimdfabpdfjaoolaf",
                    "ez": "Polymesh"
                },
                {
                    "en": "flpiciilemghbmfalicajoolhkkenfe",
                    "ez": "ICONex"
                },
                {
                    "en": "nknhiehlklippafakaeklbeglecifhad",
                    "ez": "Nabox"
                },
                {
                    "en": "hcflpincpppdclinealmandijcmnkbgn",
                    "ez": "KHC"
                },
                {
                    "en": "ookjlbkiijinhpmnjffcofjonbfbgaoc",
                    "ez": "Temple"
                },
                {
                    "en": "mnfifefkajgofkcjkemidiaecocnkjeh",
                    "ez": "TezBox"
                },
                {
                    "en": "lodccjjbdhfakaekdiahmedfbieldgik",
                    "ez": "DAppPlay"
                },
                {
                    "en": "ijmpgkjfkbfhoebgogflfebnmejmfbm",
                    "ez": "BitClip"
                },
                {
                    "en": "lkcjlnjfpbikmcmbachjpdbijejflpcm",
                    "ez": "Steem Keychain"
                },
                {
                    "en": "onofpnbbkehpmmoabgpcpmigafmmnjh",
                    "ez": "Nash Extension"
                },
                {
                    "en": "bcopgchhojmggmffilplmbdicgaihlkp",
                    "ez": "Hycon Lite Client"
                },
                {
                    "en": "klnaejjgbibmhlephnhpmaofohgkpgkd",
                    "ez": "ZilPay"
                },
                {
                    "en": "aeachknmefphepccionboohckonoeemg",
                    "ez": "Coin98"
                },
                {
                    "en": "bhghoamapcdpbohphigoooaddinpkbai",
                    "ez": "Authenticator"
                },
                {
                    "en": "dkdedlpgdmmkkfjabffeganieamfklkm",
                    "ez": "Cyano"
                },
                {
                    "en": "nlgbhdfgdhgbiamfdfmbikcdghidoadd",
                    "ez": "Byone"
                },
                {
                    "en": "infeboajgfhgbjpjbeppbkgnabfdkdaf",
                    "ez": "OneKey"
                },
                {
                    "en": "cihmoadaighcejopammfbmddcmdekcje",
                    "ez": "Leaf"
                },
                {
                    "en": "gaedmjdfmmahhbjefcbgaolhhanlaolb",
                    "ez": "Authy"
                },
                {
                    "en": "oeljdldpnmdbchonielidgobddfffla",
                    "ez": "EOS Authenticator"
                },
                {
                    "en": "ilgcnhelpchnceeipipijaljkblbcob",
                    "ez": "GAuth Authenticator"
                },
                {
                    "en": "imloifkgjagghnncjkhggdhalmcnfklk",
                    "ez": "Trezor Password Manager"
                },
                {
                    "en": "bfnaelmomeimhlpmgjnjophhpkkoljpa",
                    "ez": "Phantom"
                },
                {
                    "en": "ppbibelpcjmhbdihakflkdcoccbgbkpo",
                    "ez": "UniSat"
                }
            ],
            "n": [
                {
                    "p": "%localappdata%\\Google\\Chrome\\User Data",
                    "z": "Chrome"
                },
                {
                    "p": "%localappdata%\\Chromium\\User Data",
                    "z": "Chromium"
                },
                {
                    "p": "%localappdata%\\Microsoft\\Edge\\User Data",
                    "z": "Edge"
                },
                {
                    "p": "%localappdata%\\Kometa\\User Data",
                    "z": "Kometa"
                },
                {
                    "p": "%appdata%\\Opera Software\\Opera Stable",
                    "z": "Opera Stable"
                },
                {
                    "p": "%appdata%\\Opera Software\\Opera GX Stable",
                    "z": "Opera GX Stable"
                },
                {
                    "p": "%appdata%\\Opera Software\\Opera Neon\\User Data",
                    "z": "Opera Neon"
                },
                {
                    "p": "%localappdata%\\BraveSoftware\\Brave-Browser\\User Data",
                    "z": "Brave Software"
                },
                {
                    "p": "%localappdata%\\Comodo\\Dragon\\User Data",
                    "z": "Comodo"
                },
                {
                    "p": "%localappdata%\\CocCoc\\Browser\\User Data",
                    "z": "CocCoc"
                }
            ]
        },
        {
            "t": 2,
            "p": "%appdata%\\Mozilla\\Firefox\\Profiles",
            "z": "Mozilla Firefox"
        }
    ]
}

I think you guys knows the drill here, never downloaded any update from unknown source, simply practice that can really help us a lot crypto enthusiast.
And not to trust any download and verify everything before we click.

https://www.esentire.com/blog/the-case-of-lummac2-v4-0

[Felicity_Tide]

This is wild!!. My first time actually of coming across a malware that searches for words based on what the criminal intends to steal. I think this info should be a guide to avoid been a victim of crypto theft. Moreover, downloading any software from unknown sources is always discourage even by our own devices.

[un_rank]

Chrome and  every other website I have used updates themselves automatically every time. I always get a message that my device has been recently updated with the new features, never a "your device needs update message".

Everyone should stay vigilant and never keep their funds on an exchange or on a device they use often. Invest in a hardware wallet.

- Jay -

[Yamane_Keto]

The payload sends part of the data, as the wallet file is encrypted and the Binance data requires two-factor authentication, but since you downloaded an unknown application, it will most likely open some side doors that enable it to know the password or record the two-factor matching code when you enter it in the browser.



Using closed source Chromium browsers comes with similar risks and requires complete trust in the developers, so it is better to use open source browsers or Tor.

[Alphakilo]

This is good.

We'll keep on exposing them and hopefully reduce the number of people who will fall victim to them . On the other hand Chrome needs to take up responsibility to sort out these fake extensions that are malwares.

I still think that Tor browser is one of the best most security and equally private browsers out there.

[_act_]

I prefer to update the app directly from the app update link. Or the app itself consists of the malware link? I also make sure that I know the link the update would be downloaded from if not on application store.

Using closed source Chromium browsers comes with similar risks and requires complete trust in the developers, so it is better to use open source browsers or Tor.

Using open source apps are the best and close source ones are better to be avoided but bad hackers can create a malware for open or close source apps or software. What that is important is for us to avoid downloading the malware.

[Alpha Marine]

I think you guys knows the drill here, never downloaded any update from unknown source, simply practice that can really help us a lot crypto enthusiast.
And not to trust any download and verify everything before we click.

You can't be too careful these days. Only download apps from the store or their official website. Staying away from scams in crypto and in general, is not really as hard as people think. All you need to do is to be smart about whatever you do. You don't need to be a tech guru to avoid scams. Common sense should tell us that downloading apps from other sources is risky, especially apps that contain financial details, assets or personal information.
We can't go about clicking on any link we see.
It's good you created awareness about this, so people who don't know won't fall for it.

[ABCbits]

Figure 1: Shows what the actual fake update website looks like

chatgpt-app[.]cloud site contains a download link to a Zip archive called ‘Update.zip’

The domain name doesn't even sound similar to word "google" or "chrome", so it's crazy some people actually trust the fake website. Besides, Chrome and many other browser these days automatically update itself on background. Although usage of "run[.]app" reminds me of this report, https://blog.talosintelligence.com/google-cloud-run-abuse/.

The emails contain hyperlinks to Google Cloud Run, which can be identified due to the use of run[.]app as the top-level domain (TLD).

[Dave1]

I think you guys knows the drill here, never downloaded any update from unknown source, simply practice that can really help us a lot crypto enthusiast.
And not to trust any download and verify everything before we click.

You can't be too careful these days. Only download apps from the store or their official website. Staying away from scams in crypto and in general, is not really as hard as people think. All you need to do is to be smart about whatever you do. You don't need to be a tech guru to avoid scams. Common sense should tell us that downloading apps from other sources is risky, especially apps that contain financial details, assets or personal information.
We can't go about clicking on any link we see.
It's good you created awareness about this, so people who don't know won't fall for it.

Well others make it complicated, and I think it is. Because if it not, then we will not be a target and the numbers are ramping up every year if I'm not mistaken. When I joined the market it's like the scam is only bitcoin doubler.

But now it has evolved that it's really hard for us to distinguished and if we just slip, we will fall victims to this kind of attacks. So at least, very important not to click or we should be really thinking many times. Even in Google Play, there are a lot of fake websites too, so this world is not really safe for us and we shouldn't let our guards down.

[Alpha Marine]

But now it has evolved that it's really hard for us to distinguished and if we just slip, we will fall victims to this kind of attacks. So at least, very important not to click or we should be really thinking many times. Even in Google Play, there are a lot of fake websites too, so this world is not really safe for us and we shouldn't let our guard down.

On the contrary, I believe most scams are very easy to identify. Scammers are no longer creative. They just stick to what works for them. Just this morning a friend of mine in a different country sent me a screenshot of a WhatsApp message saying she should download a particular wallet and input a given seed phrase and she'll have access to 200 USDT. This has scam written all over it because first, what wallet gives away free  $200 and how can the seed phrase be already given before you download the wallet, but you'd be surprised to learn that people still fall for it. It's absurd.

I mean, I know that there are sophisticated scams that lead to hacks, but the popular scams these days are very easy to spot. It's very rare for somebody to fall into a scam if there were no red flags all along. The red flags are always there, we just have to be careful enough to spot them. It's pretty easy.

[Derek jnr2001]

Chrome and  every other website I have used updates themselves automatically every time. I always get a message that my device has been recently updated with the new features, never a "your device needs update message".

Everyone should stay vigilant and never keep their funds on an exchange or on a device they use often. Invest in a hardware wallet.

- Jay -

You're right this is my first time of seen something like this, moreover ever since I started making use of chrome i have not been asked to update my chrome, rather i always get a message from the Google that most of my device has been updated to the new version unlike as you said earlier. however scammers are gradually dominating everywhere in the internet this is why we need to be very careful with the kind of applications we download from google play store, because there are a lot of scam applications in google play store, More especially this crypto trading apps and also most of this crypto wallet. this is why for those who are still new in this crypto space before downloading any crypto wallet is very good to seek for opinion from those earlier investors, so that they can guide you on how to find the right crypto wallet, so as to avoid being a victim.

[Lucius]

The best way to prevent something like this from ever happening to you is to simply not use Chrome - because according to data from the beginning of the year, that browser is represented by as much as 65% among all other browsers, which means that fake updates target exactly that group of users.

If for some reason you don't want to use Tor (which is definitely recommended), one of the better choices is certainly Firefox. The message of this story is that if you are already in the world of cryptocurrencies, then adapt to it in the best possible way.

[albon]

Chrome is updated through the browser itself without downloading the latest version of the browser again, uninstalling the old version, or searching on Google for sites to download the browser update, which might be phishing sites containing exe files injected with trojans. By clicking on Settings and then on About Chrome, you can find information about the current version and then perform an automatic update. The same applies to Firefox. I believe that most browsers have this feature to install automatic updates as a security precaution for users to avoid potential fraud and hacking.

Every person must make sure that he uses official websites to download programs or browser extensions and avoid using the primary computer designated for cryptocurrencies, which contains important data, to download programs from unofficial websites, cracks, open suspicious links, and install unknown browser extensions. Such actions can pose a great threat to the user's privacy and result in being hacked.

[Doan9269]

I will advise that whenever we want to make an update on the apps being used, we should verify the source or means in which we are going to use for that purpose before using them, any link or third party website redirection should be what we have to take serious action against because they could be used to trap us in achieving their target by introducing malware to us, there are many fake updates and they can exist or come in different forms, we need to be more observant to know which is not good for us.

[Porfirii]

Just one more good reason to stop using Chrome. Efficiency is important for scammers, so they will prefer to focus on the leading OS, browsers, etc. to direct their attacks. Mainstream is not a guarantee of safety here...

Tor was mentioned above, although IMO it is not the most comfortable browser for everyday use. There are other good options in between, but in the end staying vigilant and double checking the sources from which you download everything is key.

[NotATether]

Just one more good reason to stop using Chrome. Efficiency is important for scammers, so they will prefer to focus on the leading OS, browsers, etc. to direct their attacks. Mainstream is not a guarantee of safety here...

This has nothing to do with Google and they could just as well go after Firefox on Windows users too.

The problem here is on Windows, there is no way you can verify that a program is signed by the entity it claims to be made by. At least Linux has PGP signatures and MacOS has Gatekeeper, but on Windows you can easily buy a code signing cert for $100 and impersonate any company you want and that is the end of the matter.

[Hewlet]

Chrome and  every other website I have used updates themselves automatically every time. I always get a message that my device has been recently updated with the new features, never a "your device needs update message".

Everyone should stay vigilant and never keep their funds on an exchange or on a device they use often. Invest in a hardware wallet.

- Jay -

That's true. Most of the browsers would auto update themselves and wouldn't give you access to most features if you refuse to update them and when you eventually do the update, you get to see somany features that almost seems as though they've all set up to deprive your privacy and get some sensitive data from you. The Chrome and other browsers case is different and even better but when it comes to what happens when you've updated most of these social media like Facebook and WhatsApp that now have built in AI, the guarantee of your security is as slime as nothing.

[Derek jnr2001]

The best way to prevent something like this from ever happening to you is to simply not use Chrome - because according to data from the beginning of the year, that browser is represented by as much as 65% among all other browsers, which means that fake updates target exactly that group of users.

If for some reason you don't want to use Tor (which is definitely recommended), one of the better choices is certainly Firefox. The message of this story is that if you are already in the world of cryptocurrencies, then adapt to it in the best possible way.

Actually i think that's a good recommendation Firefox is a good application for browsing and is highly recommended by most of the users, this is why most people prefer using Firefox instead of using Chrome. However Firefox was introduced in 2004 and they gain more popularity within a year, before the adoption of Google Chrome in 2008. However from my investigations i have come to realize that Google Chrome has gain more popularity over Firefox, this is why scammers are using them to attack people because they know that Google Chrome has gain a lot of users in their application.

[Yaunfitda]

Just one more good reason to stop using Chrome. Efficiency is important for scammers, so they will prefer to focus on the leading OS, browsers, etc. to direct their attacks. Mainstream is not a guarantee of safety here...

This has nothing to do with Google and they could just as well go after Firefox on Windows users too.

The problem here is on Windows, there is no way you can verify that a program is signed by the entity it claims to be made by. At least Linux has PGP signatures and MacOS has Gatekeeper, but on Windows you can easily buy a code signing cert for $100 and impersonate any company you want and that is the end of the matter.

And the thing is that 80% of us could still be using Windows as our OS, that's why many are still getting malwares and other trojans that steals our crypto holding. I really don't know why people are still into Windows, might be better to try other flavor of Unix or at least MacOS.

If we can hold thousands of dollars then why not invest on a good machine not using Windows? Really baffles me and then crypto users bitch around when they got hack because they didn't take care of their OS security.

[Luzin]

I brought this discussion to the local forum as well. Indeed, all hackers that I understand take advantage of user weaknesses. So the best we can do to prevent, some suggestions when discussing in local forums could be maybe using AdBlock, premium VPN, or DNS settings. One most important thing is never update your Chrome from any pop up, download from the official site. It's also probably (I got it here) the best advice to try is always go to settings-about- here you will find how to update your Chrome app.