To make the lure more convincing, the attackers display a full-screen animation that mimics a legitimate Windows update. The animation is just a web page: the victim's browser is put into full-screen mode so the browser chrome disappears and the page passes for the operating system's own update screen. That is also the tell for users and analysts: Windows never updates through a browser, and a genuine update never asks the user to download and run an executable.
The fake update file, named ChromeUpdate[.]exe, uses a loader known as Invalid Printer, which at the time of analysis went largely undetected by anti-malware engines. Before doing anything harmful, the loader checks whether it is running inside a virtual machine or sandbox; only on what looks like a real victim machine does it unpack and execute the Aurora information stealer. The practical consequence for defenders is that an automated sandbox which detonates the sample may see nothing beyond a benign-looking loader, so analysis should be done on an environment hardened against VM fingerprinting, or with the check patched out.
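To make the sandbox check concrete, here is an added example of the kind of VM/sandbox fingerprinting a loader performs before deciding whether to unpack its payload. This is not the Invalid Printer loader's code and the article does not say which checks it actually uses; the indicator list, the thresholds and the three host profiles are all constructed for illustration. The useful part for analysts is the inverse: every indicator below is an artifact a detonation sandbox should hide.

```python
"""
Generic VM/sandbox fingerprinting of the kind loaders use to decide whether
to unpack a payload. Added illustration only: NOT the Invalid Printer loader's
logic. Indicator lists, thresholds and sample profiles are assumptions.
"""
from dataclasses import dataclass

# MAC OUI prefixes registered to common hypervisor vendors (assumed list).
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56",  # VMware
                   "08:00:27",                                      # VirtualBox
                   "00:15:5d",                                      # Hyper-V
                   "52:54:00")                                      # QEMU/KVM

# Substrings of BIOS / system-manufacturer strings that reveal a hypervisor.
VM_VENDOR_MARKERS = ("vmware", "virtualbox", "vbox", "qemu", "kvm", "xen",
                     "hyper-v", "parallels", "innotek")

# Process names associated with VM guest tools and analysis tooling.
ANALYSIS_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe",
                      "vmwaretray.exe", "procmon.exe", "wireshark.exe",
                      "x64dbg.exe", "ollydbg.exe", "ida64.exe"}


@dataclass
class HostProfile:
    """Facts a loader can collect cheaply from user mode (constructed input)."""
    cpu_count: int
    ram_gb: float
    disk_gb: float
    mac_addresses: list
    bios_vendor: str
    system_manufacturer: str
    running_processes: list
    uptime_minutes: int
    hypervisor_cpuid_bit: bool   # CPUID leaf 1, ECX bit 31 ("hypervisor present")


def sandbox_indicators(p: HostProfile) -> list:
    """Return the names of all triggered indicators; empty means 'looks real'."""
    hits = []
    if p.hypervisor_cpuid_bit:
        hits.append("cpuid-hypervisor-bit")
    if p.cpu_count < 2:              # sandboxes are often single-vCPU
        hits.append("low-cpu-count")
    if p.ram_gb < 4:
        hits.append("low-ram")
    if p.disk_gb < 80:               # small virtual disks are typical
        hits.append("small-disk")
    if p.uptime_minutes < 10:        # snapshot restored moments before detonation
        hits.append("fresh-boot")
    if any(m.lower().startswith(VM_MAC_PREFIXES) for m in p.mac_addresses):
        hits.append("vm-mac-oui")
    hardware = f"{p.bios_vendor} {p.system_manufacturer}".lower()
    if any(marker in hardware for marker in VM_VENDOR_MARKERS):
        hits.append("vm-vendor-string")
    if {x.lower() for x in p.running_processes} & ANALYSIS_PROCESSES:
        hits.append("analysis-tools-running")
    return hits


def looks_like_sandbox(p: HostProfile, threshold: int = 2) -> bool:
    """Loaders usually require several hits before bailing out, so that real
    corporate VDI desktops still get infected (threshold is an assumption)."""
    return len(sandbox_indicators(p)) >= threshold


# Constructed profiles: a default analysis VM, a real laptop, and a sandbox
# whose visible artifacts were cleaned up but whose CPUID bit still leaks.
SANDBOX_PROFILE = HostProfile(1, 2, 40, ["08:00:27:ab:cd:ef"], "innotek GmbH",
                              "VirtualBox", ["explorer.exe", "vboxservice.exe",
                                             "procmon.exe"], 3, True)
REAL_HOST_PROFILE = HostProfile(8, 16, 512, ["3c:52:82:11:22:33"], "Dell Inc.",
                                "Dell Inc.", ["explorer.exe", "outlook.exe",
                                              "chrome.exe"], 5000, False)
HARDENED_SANDBOX_PROFILE = HostProfile(4, 8, 256, ["3c:52:82:44:55:66"],
                                       "Dell Inc.", "Dell Inc.",
                                       ["explorer.exe", "chrome.exe"], 240, True)

if __name__ == "__main__":
    for name, profile in [("default sandbox", SANDBOX_PROFILE),
                          ("real host", REAL_HOST_PROFILE),
                          ("hardened sandbox", HARDENED_SANDBOX_PROFILE)]:
        print(f"{name:17s} sandbox={looks_like_sandbox(profile)} "
              f"indicators={sandbox_indicators(profile)}")
```

Read the hardened profile as the defender's checklist: giving the VM realistic CPU, RAM, disk and uptime, a non-hypervisor MAC, vendor strings and no guest-tools processes brings it under a typical bail-out threshold. The CPUID hypervisor bit is the one item user-mode cleanup cannot fix; it has to be masked in the hypervisor's VM configuration, or the loader's check patched out during analysis.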
The threat actor behind this operation invests heavily in evading anti-malware detection and repeatedly uploads fresh samples to VirusTotal to check their detection rates before deploying them. One consequence is that file hashes for this campaign go stale quickly; signature-based blocking alone will lag behind each new build.
The attackers also operate an Amadey panel, a tool used for reconnaissance on compromised hosts and for loading additional malware onto them. The same panel appears to have been used to run tech support scams in Ukraine.
On the prevention side, ad blocking on corporate endpoints and proxies removes the delivery vector: if the malicious ad is never rendered, the user never reaches the fake update page. It is not a complete answer, since a user can still land on the page by other routes, so pair it with controls that stop a browser-downloaded executable from running (application control or a policy restricting execution from user-writable download locations) and with the simple message to staff that Windows does not update through a browser.
The security firm that investigated the campaign has also published a technical analysis of the malware, covering its behaviour and indicators of compromise (IOCs). Organisations can feed those IOCs (domains, URLs and hashes) into proxy, DNS and EDR blocklists to hunt for existing infections, bearing in mind that hashes rotate with each new sample while the behavioural indicators, such as a full-screen browser "update" followed by an executable written to the downloads folder and a process that probes for virtualisation, are more durable detection material.