Fake Browser Updates delivering BitRAT and Lumma Stealer

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In May 2024, eSentire’s Threat Response Unit (TRU) detected an instance of fake updates delivering BitRAT and Lumma Stealer.

Fake browser updates have been responsible for numerous malware infections, including those of the well-known SocGholish malware. In April 2024, we observed FakeBat being distributed via similar fake update mechanisms.

The infection chain began when the user visited a compromised webpage containing injected malicious JavaScript code (Figure 1).

Figure 1: Fake Chrome update

Upon loading the compromised page, the injected malicious JavaScript code runs and directs the user to the fake update page (Figure 2). After deobfuscating the code, we found the redirect logic hidden within the JavaScript (Figure 3). The redirect destination can only be reached if the HTTP Referer header matches the original compromised web page, so visiting the URL directly returns nothing of interest.

Figure 2: Injected malicious JavaScript code
Figure 3: Redirect site hidden within the JavaScript

The fake update page at chatgpt-app[.]cloud links to a ZIP archive named ‘Update.zip’, which is automatically downloaded onto the victim’s device. The archive itself is hosted on Discord’s content delivery network (CDN) (Figure 4).

Figure 4: Download of Update.zip from Discord’s CDN

Fake Update

The fake browser update lure has become a common means of initial entry to a device or network. The JavaScript file (Update.js) contained within the ZIP archive acts as the initial downloader, retrieving the payloads once the victim executes it. The archive also contains several PowerShell scripts responsible for downloading and executing the next-stage loader and payloads from http://77[.]221[.]151[.]31.

In the incident observed, multiple PowerShell scripts ran after Update.js was executed, as seen in Figure 5 below:

Figure 5: PowerShell script retrieving payload file

The IP address identified in the PowerShell script is a known BitRAT Command-and-Control (C2) address, and it hosts both the BitRAT and Lumma Stealer payloads. The files are served with a .png extension but are not images: they contain the loader, the persistence mechanisms, and the payloads.

There were four unique files identified in this attack, all of which serve different purposes:

  • s.png – Loader + Lumma Stealer payload
  • z.png – PowerShell script that creates a Registry Run key for persistence + downloads the Loader + BitRAT payload
  • a.png – Loader + BitRAT payload
  • 0x.png – BitRAT persistence file that redownloads a.png and executes it

Starting with z.png: this PowerShell script bypasses AMSI, renames the downloaded payload 0x.png to 0x.log, hides it in the C:\Users\Public directory, and sets it to run at startup by adding a Registry Run key entry. It then retrieves and executes a.png, the loader and BitRAT payload (Figure 6).

Figure 6: z.png retrieving 0x.png and a.png

The 0x.log file (originally 0x.png) contains an additional PowerShell script that acts as the persistence mechanism for the BitRAT payload file, a.png: each time it runs, it downloads a.png again and executes it (Figure 7).

Figure 7: 0x.png downloads and executes a.png via PowerShell
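The persistence pattern above (a Run key entry that hands a file with a non-executable extension under C:\Users\Public to a script host) is something a defender can hunt for directly. The following is an added example, not eSentire’s detection content: a small heuristic run over constructed registry-set events in an assumed "hive\key|value_name|value_data" line format. The regexes, the two-signal threshold and the sample events are all assumptions made for the example; real telemetry (Sysmon Event ID 13, EDR registry events) would need its own parser in place of the split on "|".

```python
import re

# Constructed sample events (illustrative records, not telemetry from the incident).
# Format assumed for this example: hive\key|value_name|value_data
SAMPLE_EVENTS = [
    r'HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run|OneDrive|C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background',
    r'HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run|Updater|powershell -w hidden -ep bypass -c "iex (gc C:\Users\Public\0x.log -raw)"',
    r'HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Backup|C:\Program Files\Vendor\backup.exe',
    r'HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce|Setup|cmd /c C:\Users\Public\a.png',
]

# Only autorun locations are in scope: ...\CurrentVersion\Run and \RunOnce.
RUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
# A Run value that starts a script host rather than a signed application binary.
SCRIPT_HOST_RE = re.compile(r'\b(powershell|pwsh|wscript|cscript|mshta|cmd)(\.exe)?\b', re.IGNORECASE)
# Anything living under the world-writable Public profile.
PUBLIC_DIR_RE = re.compile(r'[A-Za-z]:\\Users\\Public\\', re.IGNORECASE)
# A file under Public whose extension claims "data" (.log/.png/...) but which is being run or sourced.
DISGUISED_FILE_RE = re.compile(r'\\Users\\Public\\\S+?\.(log|png|txt|jpg|dat)\b', re.IGNORECASE)


def score_run_key_event(key: str, value_data: str) -> list:
    """Return the list of reasons an autorun entry looks suspicious (empty if none)."""
    if not RUN_KEY_RE.search(key):
        return []                       # not an autorun key: ignore
    reasons = []
    if PUBLIC_DIR_RE.search(value_data):
        reasons.append("payload stored under C:\\Users\\Public")
    if SCRIPT_HOST_RE.search(value_data):
        reasons.append("autorun launches a script host")
    if DISGUISED_FILE_RE.search(value_data):
        reasons.append("non-executable extension used as a payload")
    return reasons


def find_suspicious_autoruns(events, min_signals: int = 2):
    """Parse the event lines and keep entries carrying at least min_signals reasons.
    Two independent signals are required so a lone 'cmd /c' Run value does not page anyone."""
    hits = []
    for line in events:
        key, value_name, value_data = line.split("|", 2)
        reasons = score_run_key_event(key, value_data)
        if len(reasons) >= min_signals:
            hits.append((value_name, reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in find_suspicious_autoruns(SAMPLE_EVENTS):
        print(f"{name}: {'; '.join(reasons)}")
```

On the constructed events this flags the "Updater" and "Setup" values and leaves the OneDrive and vendor backup entries alone. The heuristic is written in Python rather than PowerShell so it can run against exported events from any platform; the same three signals translate directly into a SIEM query.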

The two payload-bearing files, a.png and s.png, each contain an AMSI bypass and code that uses .NET reflection to dynamically load the payload and execute it within the RegSvcs.exe process (Figure 8).

Figure 8: Simplified version of a.png showing the AMSI bypass and loading

Loader

Each of the payload files, a.png and s.png, has two parts: the loader portion and the payload. The loader mechanism appears to be almost identical in both files; the only difference seems to be the file hash.

The loader is a .NET portable executable (PE) file obfuscated with Crypto Obfuscator (5.x). Its job is to load the payload binary decrypted by the file’s PowerShell script and inject it into RegSvcs.exe (Figure 9).

Figure 9: The deobfuscated loader

BitRAT

BitRAT is a feature-rich remote access tool. Its advertised capabilities include two connection modes (a direct reverse connection and a connection over Tor), a UAC exploit for elevated privileges, process protection, and the ability to manage over 10,000 clients.

It also offers a binder for up to five files, a remote browser feature supporting Chrome, password recovery for various applications, an XMR miner for cryptocurrency mining, a SOCKS4 reverse proxy, remote desktop access, a live webcam feed, a file manager with ZIP compression, keylogging, a live audio feed, and SOCKS5 proxy support.

The BitRAT sample analyzed in this case was UPX packed and contained an encrypted configuration. The configuration data is decrypted using the following steps:

  1. First, a decoded string is loaded into memory.
  2. A second string is loaded into memory, and the first string is appended to it.
  3. The CRC-32 of the combined string is computed and 8 is added to the result.
  4. An MD5 hash is computed over the lowercase form of that value.
  5. The first 16 characters of the MD5 hash are used as the key for the Camellia decryption routine.
  6. The same key is used to decrypt every encrypted string in the binary.
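The key-derivation steps above, carried through in code. This is an added example rather than eSentire’s tooling, and it fixes two details the description leaves open: 8 is treated as an integer added to the CRC-32 value (kept within 32 bits), and that value is rendered as eight lowercase hex digits before it is MD5-hashed. Both are assumptions; if a sample does not decrypt, those are the first two things to vary. The Camellia step itself is left out because the page does not state the cipher mode or IV.

```python
import hashlib
import zlib


def derive_bitrat_key(first: str, second: str) -> str:
    """Derive the 16-character Camellia key from the two config strings (steps 1-5).

    Assumptions not stated on the page: strings are UTF-8; 8 is added to the
    CRC-32 as an integer and the sum is kept to 32 bits; the sum is formatted
    as 8 lowercase hex digits before hashing.
    """
    combined = second + first                                               # steps 1-2
    crc_plus_8 = (zlib.crc32(combined.encode("utf-8")) + 8) & 0xFFFFFFFF   # step 3
    crc_hex = f"{crc_plus_8:08x}"                                           # lowercase hex (assumption)
    md5_hex = hashlib.md5(crc_hex.encode("ascii")).hexdigest()              # step 4, hexdigest is lowercase
    return md5_hex[:16]                                                     # step 5


def camellia_key_bytes(first: str, second: str) -> bytes:
    """The 16 ASCII characters are used directly as the 128-bit Camellia key;
    step 6 applies this single key to every encrypted string in the binary."""
    key = derive_bitrat_key(first, second).encode("ascii")
    if len(key) != 16:
        raise ValueError("Camellia-128 requires a 16-byte key")
    return key


if __name__ == "__main__":
    # Constructed inputs; the real strings come out of the unpacked sample.
    print(derive_bitrat_key("constructed-first", "constructed-second"))
```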

The decrypted configuration:

  • Host: 77.221.151[.]31
  • Port: 4444
  • Tor Process Name: Tor
  • Install Directory: 0
  • Install File: 0
  • Password: 7b13ff385b95cf25d53088d6b7c5d890

Lumma Stealer

Lumma Stealer, also known as LummaC2 Stealer, is an information-stealing malware written in C. It has been sold as Malware-as-a-Service on Russian-speaking forums since August 2022. Created by the threat actor “Shamel” under the alias “Lumma”, it targets cryptocurrency wallets, 2FA browser extensions, and other sensitive data on victims’ machines.

The stolen data is sent to a C2 server in HTTP POST requests whose User-Agent begins with “Mozilla/5.0”. Lumma Stealer also includes a non-resident loader capable of deploying further malicious payloads as EXE, DLL, or PowerShell.

This article will focus solely on the major sections of Lumma Stealer, as eSentire has previously covered it in detail.

Notable strings in Lumma Stealer’s C2 communication include the version and the Lumma ID (lid), also referred to as the build ID, which uniquely identifies the build (Figure 10).

Figure 10: Notable strings in Lumma Stealer Payload

The payload includes the user-agent used by the malware (Figure 11).

Figure 11: User-agent field found in malware config

Another parameter, “act,” reveals that it has been initialized with the value “life,” used to check-in with the C2 (Figure 12).

Figure 12: C2 check-in string

The sample contains nine embedded C2 domains, stored as base64-encoded strings (Figure 13, left). At runtime the C2 domains are recovered using the routine shown on the right of Figure 13 and described below.

Figure 13: Encrypted C2 Strings (left) Decryption Routine (right)

The C2 domain list decryption function works as follows:

  1. First, a base64 string from the list above is loaded into memory.
  2. The string is base64-decoded and the resulting bytes are stored in a buffer.
  3. The key is located at offset 0x20 from the start of that buffer.
  4. The key is XORed against the buffer, which reveals the C2 domain.

We have released a script that performs these operations for the above strings and produces the C2 domains, which is available here.
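As an added example that is independent of eSentire’s released script, the four steps above in Python. The page only states that the key sits at offset 0x20; the example assumes the layout that makes that consistent with the short domains seen here, namely a 0x20-byte null-padded slot holding the XORed domain followed by a 0x20-byte key. Those lengths are assumptions. Because the real encoded strings are only shown in a figure, the block also includes a constructed encoder so it can be run offline against sample data it builds itself.

```python
import base64

SLOT_LEN = 0x20   # assumption: the XORed domain occupies the first 0x20 bytes, null padded
KEY_OFF = 0x20    # stated on the page: the key starts at offset 0x20 of the decoded buffer
KEY_LEN = 0x20    # assumption: a 32-byte key, applied byte-for-byte across the slot


def decrypt_lumma_c2(encoded: str) -> str:
    """Recover one C2 domain from its base64-encoded blob (steps 1-4)."""
    buf = base64.b64decode(encoded)                          # steps 1-2
    if len(buf) < KEY_OFF + KEY_LEN:
        raise ValueError("decoded blob too short to hold slot and key")
    key = buf[KEY_OFF:KEY_OFF + KEY_LEN]                     # step 3
    body = buf[:SLOT_LEN]
    plain = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(body))  # step 4
    # The slot is null padded; keep only the domain text before the first NUL.
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def decrypt_all(encoded_list):
    """Decrypt every embedded C2 string in order."""
    return [decrypt_lumma_c2(s) for s in encoded_list]


def build_sample(domain: str, key: bytes) -> str:
    """Constructed test-vector builder: encode a domain in the assumed layout.
    Exists only so the example runs offline; it is not part of the malware."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    raw = domain.encode("ascii")
    if len(raw) > SLOT_LEN:
        raise ValueError("domain does not fit in the slot")
    raw = raw.ljust(SLOT_LEN, b"\x00")
    enc = bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(raw))
    return base64.b64encode(enc + key).decode("ascii")


if __name__ == "__main__":
    sample_key = bytes(range(0x41, 0x61))                    # constructed 32-byte key
    blobs = [build_sample(d, sample_key)
             for d in ("constructed-c2-one.example", "constructed-c2-two.example")]
    for domain in decrypt_all(blobs):
        print(domain)
```

To use this against a real sample, replace the constructed blobs with the base64 strings lifted from the binary; if the output is garbage, the slot and key lengths are the assumptions to revisit first.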

The decrypted configuration includes the following C2 domains:

  • demonstationfukewko[.]shop
  • liabilitynighstjsko[.]shop
  • alcojoldwograpciw[.]shop
  • incredibleextedwj[.]shop
  • shortsvelventysjo[.]shop
  • shatterbreathepsw[.]shop
  • tolerateilusidjukl[.]shop
  • productivelookewr[.]shop
  • accountasifkwosov[.]shop

The use of fake updates to deliver a variety of malware shows the operators’ ability to leverage trusted names to maximize reach and impact. The same .NET loader appearing in both payload files suggests that the fake update chain operates as a malware delivery service: the final payload is likely interchangeable, and similar incidents in the future will probably deliver different malware families.

What did we do?

Our 24/7 SOC Cyber Analysts investigated the suspicious activities, notified the client, and isolated the affected device.

What can you learn from this TRU Positive?

  • Fake browser update campaigns use sophisticated social engineering tactics by mimicking legitimate browser update prompts that match the user’s browser type and language.
    • This targeted approach indicates the need for increased user awareness about the authenticity of update notifications and the sources from which updates are downloaded.
  • BitRAT and Lumma Stealer were the final payloads during this incident, although it is likely other malware may be loaded in future deliveries.
    • These final payloads allow attackers to perform reconnaissance, steal sensitive data, and provide remote access to the infected host.

Recommendations from our Threat Response Unit (TRU):

Indicators of Compromise

You can access the indicators of compromise here.

Source: Original Post