FakeUpdateRU Malware tricks users into downloading Trojan

esteria.white

Fake browser update messages have been making headlines for years. Researchers have now discovered a variant of this old malware, called FakeUpdateRU, which is being served from fake websites to trick users.

This fraudulent browser update scam impersonates Google Chrome and appears on websites that the fraudsters have either created themselves or infected.

This FakeUpdate malware installs a remote access Trojan on users’ systems, often paving the way for ransomware attacks.

The FakeUpdateRU variant described in a Sucuri blog post builds on previously documented campaigns involving fake Chrome updates.

FakeUpdateRU prompts for Chrome update

The new FakeUpdateRU variant was found on a host of infected websites, but Google has since blocked most of the domains it used.

Fraudulent web page to deceive users (Photo: Sucuri Blog)

Google has blocked most of the domains hosting the fake Chrome update malware, preventing the further spread of FakeUpdateRU.

Here is what the researchers found about the FakeUpdateRU malware:

  1. The malware overwrites the theme’s index.php file to display the fake page on the website
  2. The fraudulent browser update scam also works on WordPress websites
  3. The malware replaces the web page content with new content
  4. The scammers designed the landing pages to look like real Google pages
  5. The cloned pages were created by copying the British English version of Google’s website

Static resource files created by the developers of the fake browser update scam had Russian suffixes.

The Sucuri blog adds to this finding: “Since the bad actor’s browser was localized to Russian, the static resource files had Russian suffixes. For example, /assets/analytics.js.Без названия, where “Без названия” means “No name”.”

This fake browser update scam might work for other browsers, including Firefox and Safari.

To deceive users, the genuine content of the Google page was modified at specific keywords. For example, the word “Download” was replaced with “Update”.

After a user clicks on the Update option, the malware is downloaded.

These were the authentic-looking domains used by scammers to appear legitimate:

  1. chromeengine(.)space
  2. chrometxt(.)space
  3. basechrome(.)space
  4. place engine(.)site
  5. browser engine(.)online

The domains were registered recently, within the last two weeks.
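The indicators reported above (a theme index.php replaced with a fake update page, static assets carrying the “Без названия” suffix, and the campaign’s domains) can be turned into a simple triage scan of a web root. The following is an added example written for this article, not code from Sucuri or The Cyber Express; it builds a constructed sample directory tree and checks it against the three domains that are listed without spaces.

```python
import os
import tempfile

# Indicators taken from the article: campaign domains (de-fanged form
# restored) and the Russian "Без названия" ("No name") asset suffix.
FAKE_UPDATE_DOMAINS = [
    "chromeengine.space",
    "chrometxt.space",
    "basechrome.space",
]
RUSSIAN_SUFFIX = ".Без названия"

def scan_webroot(root):
    """Return sorted (relative_path, reason) pairs for files carrying an indicator."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # Assets named by a Russian-localized browser are a direct hit.
            if name.endswith(RUSSIAN_SUFFIX):
                findings.append((rel, "russian-suffix-asset"))
                continue
            # Only inspect the text file types the fake page is built from.
            if not name.endswith((".php", ".html", ".js")):
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for domain in FAKE_UPDATE_DOMAINS:
                if domain in text:
                    findings.append((rel, f"references {domain}"))
                    break
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample tree: one overwritten theme index.php, one suffixed asset, one clean file."""
    root = tempfile.mkdtemp(prefix="fakeupdateru-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    assets = os.path.join(root, "assets")
    os.makedirs(theme)
    os.makedirs(assets)
    with open(os.path.join(theme, "index.php"), "w", encoding="utf-8") as fh:
        fh.write('<a href="https://chromeengine.space/update">Update Chrome</a>\n')
    with open(os.path.join(assets, "analytics.js" + RUSSIAN_SUFFIX), "w") as fh:
        fh.write("// constructed placeholder asset\n")
    with open(os.path.join(assets, "site.js"), "w") as fh:
        fh.write("console.log('clean');\n")
    return root
```

Run `scan_webroot(build_sample_webroot())` to see the two flagged files; point `scan_webroot` at a real document root to triage a site.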

Bypassing Google’s blocking to continue fooling users

Alert displayed on pages reported by Google (Photo: Sucuri Blog)

Although Google blocked the malicious domains, the developers were found to have reworked the malware.

The researchers added that the malware bypasses Google’s measures by linking directly to the drive-by download hosted on other active websites the attackers have access to.

This avoids Google’s warning, but it makes infecting individual websites a requirement for the fraudsters. Newer versions of FakeUpdateRU also strip most Russian-language comments from the HTML code of the fake update pages.

Background on the SocGholish malware and fraudulent browser update scams

In the fraudulent browser update scam, users receive a message stating that they are using an older version of Chrome; the malware can also display modified messages for other browsers. It has been in use since 2017 and is distributed through dubious websites.

Previously observed fake Chrome update page (Photo: Sucuri Blog)

The malware previously found, in 2022, was called FakeUpdates or SocGholish. Users were redirected from a compromised page to infected websites, which tricked them into installing the malware disguised as a browser update.

FakeUpdate or SocGholish malware was found on more than 61,000 web pages in 2021 and on more than 25,000 in the following year through August.
