The attack campaign became active in February 2023, predominantly targeting Japanese websites, along with some aimed at Korean- and Spanish-speaking users.
Because it has already spread beyond its original Japanese focus, researchers suspect it will continue to spread, adapt and evolve, and they warn other Internet users of the potential threat.
Compromised websites carry injected JavaScript that runs checks to determine whether the visitor is a target. Visitors who match are shown a page warning of an “Update Exception.” It reads:
“An error occurred in Chrome automatic update. Please install the update package manually later, or wait for the next automatic update.”
The lack of urgency actually works in the threat actors’ favor: the low-key wording helps the lure stand out less than the typical scareware-style scam.
If the visitor follows the prompt, a .zip file disguised as the Chrome update is downloaded; instead of a legitimate Chrome update it contains a Monero miner that mines the cryptocurrency at the expense of the victim’s CPU.
Once running, the miner adds itself to the Windows Defender exclusion list, suspends the Windows Update services, and rewrites the Windows hosts file to interfere with antivirus and other threat detection tools, helping it fly under the radar.
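The three evasion steps above leave artifacts an incident responder can check for directly on a suspect Windows host. The following PowerShell triage script is an added example, not code from the original article or from the researchers who reported the campaign; the list of services it inspects and the security-vendor domain pattern it looks for in the hosts file are assumptions and should be extended to match the products deployed in your environment. Run it from an elevated prompt.

```powershell
# Added triage script (not from the original article). Looks for the three
# indicators described in the text: Defender exclusions, a stopped/disabled
# Windows Update service, and hosts-file entries that sinkhole security or
# update domains. Service names and domain pattern are assumptions.
$findings = @()

# 1. Defender exclusions: a miner that "excludes itself" will appear here.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings += "Defender path exclusion: $p" } }
foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $findings += "Defender process exclusion: $p" } }
foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings += "Defender extension exclusion: $e" } }

# 2. Windows Update and related services: report anything stopped or disabled.
#    (Assumed list; a deliberately hardened build may legitimately differ.)
foreach ($name in 'wuauserv', 'UsoSvc', 'BITS') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }
    if ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled') {
        $findings += "Service $name is $($svc.Status), start type $($svc.StartType)"
    }
}

# 3. hosts file: flag non-comment entries that point security-vendor or
#    Windows Update names at localhost / 0.0.0.0. Pattern is an assumption.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$suspectPattern = 'microsoft\.com|windowsupdate\.com|defender|kaspersky|symantec|mcafee|avast|eset|bitdefender|sophos|trendmicro|virustotal'
$sinkholes = @('127.0.0.1', '0.0.0.0', '::1')

Get-Content -Path $hostsPath | ForEach-Object {
    $line = $_.Trim()
    if ($line -eq '' -or $line.StartsWith('#')) { return }
    $parts = $line -split '\s+'
    if ($parts.Count -lt 2) { return }
    $addr  = $parts[0]
    $names = $parts[1..($parts.Count - 1)]
    foreach ($n in $names) {
        if (($n -match $suspectPattern) -and ($addr -in $sinkholes)) {
            $findings += "hosts entry sinkholes $n to $addr"
        }
    }
}

# A recently modified hosts file on a host that is not centrally managed is
# itself worth noting, even when no known domain matched.
$findings += "hosts file last modified: $((Get-Item -Path $hostsPath).LastWriteTime)"

if ($findings.Count -le 1) { 'No indicators found.' } else { $findings }
```

Any Defender exclusion that the administrator did not create deliberately, a disabled `wuauserv`, or a hosts entry that sends an antivirus vendor's domain to `127.0.0.1` is a strong signal that the host has been tampered with and should be isolated and imaged before further cleanup.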
The campaign shows no sign of stopping: the lure code reportedly supports over 100 languages, which makes it a potentially significant threat going forward.
Alongside proper malware removal, Internet users are advised never to download software from pop-ups; instead, they should go directly to the legitimate vendor’s website.
It’s also worth noting that Chrome updates itself through its built-in updater, so there is no need to download any update package from a website.