Hacked News Sites Used to Spread Malware Disguised as Google Chrome Update

If you visit a website and are advised that you need to update Google Chrome, do not download the update. A campaign has been identified that is using fake Google Chrome updates to trick web visitors into downloading and installing malware.

The hacking group is targeting news websites and corporate sites running WordPress and injecting malicious JavaScript code that redirects visitors to landing pages on malicious websites that claim Google Chrome requires updating.

Legitimate WordPress sites are hacked by exploiting critical vulnerabilities and zero-day flaws in WordPress and WordPress plugins. The attackers then create new admin accounts and plant backdoors allowing persistent access. The campaign is targeting individuals in the United States, United Kingdom, Canada, Australia, Israel and Turkey.

The JavaScript redirects users to landing pages on phishing websites that look legitimate and include the Google Chrome logo and Google branding. The pages tell visitors to “Download Update for Google Chrome.” However, the download installs a backdoor and malware downloader, which will install secondary payloads such as the X-Key keylogger, the Predator the Thief information stealer, and a Trojan that allows remote control via RDP, according to researchers at the Doctor Web virus laboratory, who identified the campaign.

Two malware installers, named Critical_Update.exe and Update.exe, are used in this campaign. Together they have already been downloaded more than 2,500 times. The installers have valid digital certificates, which are identical to those used in another campaign conducted by the same group that used a fake NordVPN installer to install the Bolik banking Trojan. In that campaign, the legitimate NordVPN client was also installed to make it appear that the installer was genuine.

If you want to check whether you are running the latest version of Google Chrome, open the Google Chrome menu and click Help > About Google Chrome. Google Chrome will then check to see if an update is available.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news