Pages:
Author

Topic: Fake Google Chrome Update deliver crypto stealing malware - page 2. (Read 310 times)

legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
The best way to prevent something like this from ever happening to you is to simply not use Chrome - because according to data from the beginning of the year, that browser is represented by as much as 65% among all other browsers, which means that fake updates target exactly that group of users.

If for some reason you don't want to use Tor (which is definitely recommended), one of the better choices is certainly Firefox. The message of this story is that if you are already in the world of cryptocurrencies, then adapt to it in the best possible way.
jr. member
Activity: 31
Merit: 3
Chrome and  every other website I have used updates themselves automatically every time. I always get a message that my device has been recently updated with the new features, never a "your device needs update message".

Everyone should stay vigilant and never keep their funds on an exchange or on a device they use often. Invest in a hardware wallet.

- Jay -

You're right this is my first time of seen something like this, moreover ever since I started making use of chrome i have not been asked to update my chrome, rather i always get a message from the Google that most of my device has been updated to the new version unlike as you said earlier. however scammers are gradually dominating everywhere in the internet this is why we need to be very careful with the kind of applications we download from google play store, because there are a lot of scam applications in google play store, More especially this crypto trading apps and also most of this crypto wallet. this is why for those who are still new in this crypto space before downloading any crypto wallet is very good to seek for opinion from those earlier investors, so that they can guide you on how to find the right crypto wallet, so as to avoid being a victim.
sr. member
Activity: 756
Merit: 356
But now it has evolved that it's really hard for us to distinguished and if we just slip, we will fall victims to this kind of attacks. So at least, very important not to click or we should be really thinking many times. Even in Google Play, there are a lot of fake websites too, so this world is not really safe for us and we shouldn't let our guard down.

On the contrary, I believe most scams are very easy to identify. Scammers are no longer creative. They just stick to what works for them. Just this morning a friend of mine in a different country sent me a screenshot of a WhatsApp message saying she should download a particular wallet and input a given seed phrase and she'll have access to 200 USDT. This has scam written all over it because first, what wallet gives away free  $200 and how can the seed phrase be already given before you download the wallet, but you'd be surprised to learn that people still fall for it. It's absurd.

I mean, I know that there are sophisticated scams that lead to hacks, but the popular scams these days are very easy to spot. It's very rare for somebody to fall into a scam if there were no red flags all along. The red flags are always there, we just have to be careful enough to spot them. It's pretty easy.
hero member
Activity: 1526
Merit: 555
I think you guys knows the drill here, never downloaded any update from unknown source, simply practice that can really help us a lot crypto enthusiast.
And not to trust any download and verify everything before we click.

You can't be too careful these days. Only download apps from the store or their official website. Staying away from scams in crypto and in general, is not really as hard as people think. All you need to do is to be smart about whatever you do. You don't need to be a tech guru to avoid scams. Common sense should tell us that downloading apps from other sources is risky, especially apps that contain financial details, assets or personal information.
We can't go about clicking on any link we see.
It's good you created awareness about this, so people who don't know won't fall for it.

Well others make it complicated, and I think it is. Because if it not, then we will not be a target and the numbers are ramping up every year if I'm not mistaken. When I joined the market it's like the scam is only bitcoin doubler.

But now it has evolved that it's really hard for us to distinguished and if we just slip, we will fall victims to this kind of attacks. So at least, very important not to click or we should be really thinking many times. Even in Google Play, there are a lot of fake websites too, so this world is not really safe for us and we shouldn't let our guards down.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Figure 1: Shows what the actual fake update website looks like

Quote
chatgpt-app[.]cloud site contains a download link to a Zip archive called ‘Update.zip’

The domain name doesn't even sound similar to word "google" or "chrome", so it's crazy some people actually trust the fake website. Besides, Chrome and many other browser these days automatically update itself on background. Although usage of "run[.]app" reminds me of this report, https://blog.talosintelligence.com/google-cloud-run-abuse/.

The emails contain hyperlinks to Google Cloud Run, which can be identified due to the use of run[.]app as the top-level domain (TLD).
sr. member
Activity: 756
Merit: 356
I think you guys knows the drill here, never downloaded any update from unknown source, simply practice that can really help us a lot crypto enthusiast.
And not to trust any download and verify everything before we click.

You can't be too careful these days. Only download apps from the store or their official website. Staying away from scams in crypto and in general, is not really as hard as people think. All you need to do is to be smart about whatever you do. You don't need to be a tech guru to avoid scams. Common sense should tell us that downloading apps from other sources is risky, especially apps that contain financial details, assets or personal information.
We can't go about clicking on any link we see.
It's good you created awareness about this, so people who don't know won't fall for it.
legendary
Activity: 1064
Merit: 1298
Lightning network is good with small amount of BTC
I prefer to update the app directly from the app update link. Or the app itself consists of the malware link? I also make sure that I know the link the update would be downloaded from if not on application store.

Using closed source Chromium browsers comes with similar risks and requires complete trust in the developers, so it is better to use open source browsers or Tor.
Using open source apps are the best and close source ones are better to be avoided but bad hackers can create a malware for open or close source apps or software. What that is important is for us to avoid downloading the malware.
sr. member
Activity: 560
Merit: 265
This is good.

We'll keep on exposing them and hopefully reduce the number of people who will fall victim to them . On the other hand Chrome needs to take up responsibility to sort out these fake extensions that are malwares.

I still think that Tor browser is one of the best most security and equally private browsers out there.
hero member
Activity: 630
Merit: 510
The payload sends part of the data, as the wallet file is encrypted and the Binance data requires two-factor authentication, but since you downloaded an unknown application, it will most likely open some side doors that enable it to know the password or record the two-factor matching code when you enter it in the browser.



Using closed source Chromium browsers comes with similar risks and requires complete trust in the developers, so it is better to use open source browsers or Tor.
hero member
Activity: 644
Merit: 661
- Jay -
Chrome and  every other website I have used updates themselves automatically every time. I always get a message that my device has been recently updated with the new features, never a "your device needs update message".

Everyone should stay vigilant and never keep their funds on an exchange or on a device they use often. Invest in a hardware wallet.

- Jay -
full member
Activity: 252
Merit: 175
cout << "Bitcoin";
This is wild!!. My first time actually of coming across a malware that searches for words based on what the criminal intends to steal. I think this info should be a guide to avoid been a victim of crypto theft. Moreover, downloading any software from unknown sources is always discourage even by our own devices.
hero member
Activity: 2842
Merit: 772
A new way for this criminals to deliver their payload of crypto stealing malware know as Lumma and BitRat. This time the payload is being delivered to fake Google Chrome update as reported by Esentire.



Figure 1: Shows what the actual fake update website looks like

Quote
chatgpt-app[.]cloud site contains a download link to a Zip archive called ‘Update.zip’

And once the you have executed the zip file, it will download the payload to your system and then the code will look for the following string in your machine, like *Bitcoin, *Binance and almost everything related to crypto.

Code:
{
    "v": 1,
    "c": [
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*.txt",
            "z": "Important Files/Profile",
            "d": 1
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*key*",
            "z": "Important Files/Profile",
            "d": 1
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*bitcoin*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*binance*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*exodus*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*coinbase*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*wallet*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*seed*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*pass*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*ledger*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*trezor*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*metamask*",
            "z": "Important Files/Profile",
            "d": 3
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*crypto*",
            "z": "Important Files/Profile",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Binance",
            "m": "app-store.json",
            "z": "Wallets/Binance",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Binance",
            "m": ".finger-print.fp",
            "z": "Wallets/Binance",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Binance",
            "m": "simple-storage.json",
            "z": "Wallets/Binance",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Electrum\\wallets",
            "m": "*",
            "z": "Wallets/Electrum",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Ethereum",
            "m": "keystore",
            "z": "Wallets/Ethereum",
            "d": 1
        },
        {
            "t": 0,
            "p": "%appdata%\\Exodus\\exodus.wallet",
            "m": "*",
            "z": "Wallets/Exodus",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Ledger Live",
            "m": "*",
            "z": "Wallets/Ledger Live",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\atomic\\Local Storage\\leveldb",
            "m": "*",
            "z": "Wallets/Atomic",
            "d": 2
        },
        {
            "t": 0,
            "p": "%localappdata%\\Coinomi\\Coinomi\\wallets",
            "m": "*",
            "z": "Wallets/Coinomi",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Authy Desktop\\Local Storage\\leveldb",
            "m": "*",
            "z": "Wallets/Authy Desktop",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Bitcoin\\wallets",
            "m": "*",
            "z": "Wallets/Bitcoin core",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\com.liberty.jaxx\\IndexedDB",
            "m": "*.leveldb",
            "z": "Wallets/JAXX New Version",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Electrum\\wallets",
            "m": "*",
            "z": "Wallets/Electrum",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\AnyDesk",
            "m": "*.conf",
            "z": "Applications/AnyDesk",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\FileZilla",
            "m": "recentservers.xml",
            "z": "Applications/FileZilla",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\FileZilla",
            "m": "sitemanager.xml",
            "z": "Applications/FileZilla",
            "d": 2
        },
        {
            "t": 0,
            "p": "%userprofile%",
            "m": "*.kbdx",
            "z": "Applications/KeePass",
            "d": 2
        },
        {
            "t": 0,
            "p": "%programfiles%\\Steam",
            "m": "ssfn*",
            "z": "Applications/Steam",
            "d": 2
        },
        {
            "t": 0,
            "p": "%programfiles%\\Steam\\config",
            "m": "*",
            "z": "Applications/Steam/config",
            "d": 2
        },
        {
            "t": 0,
            "p": "%appdata%\\Telegram Desktop",
            "m": "*s",
            "z": "Applications/Telegram",
            "d": 2
        },
        {
            "t": 1,
            "e": [
                {
                    "en": "ejbalbakoplchlghecdalmeeeajnimhm",
                    "ez": "MetaMask"
                },
                {
                    "en": "nkbihfbeogaeaoehlefnkodbefgpgknn",
                    "ez": "MetaMask"
                },
                {
                    "en": "egjidjbpglichdcondbcbdnbeeppgdph",
                    "ez": "Trust Wallet"
                },
                {
                    "en": "ibnejdfjmmkpcnlpebklmnkoeoihofec",
                    "ez": "TronLink"
                },
                {
                    "en": "fnjhmkhhmkbjkkabndcnnogagogbneec",
                    "ez": "Ronin Wallet"
                },
                {
                    "en": "fhbohimaelbohpjbbldcngcnapndodjp",
                    "ez": "Binance Chain Wallet"
                },
                {
                    "en": "ffnbelfdoeiohenkjibnmadjiehjhajb",
                    "ez": "Yoroi"
                },
                {
                    "en": "jbdaocneiiinmjbjlgalhcelgbejmnid",
                    "ez": "Nifty"
                },
                {
                    "en": "afbcbjpbpfadlkmhmclhkeeodmamcflc",
                    "ez": "Math"
                },
                {
                    "en": "hnfanknocfeofbddgcijnmhnfnkdnaad",
                    "ez": "Coinbase"
                },
                {
                    "en": "hpglfhgfnhbgpjdenjgmdgoeiappafln",
                    "ez": "Guarda"
                },
                {
                    "en": "blnieiiffboillknjnepogjhkgnoapac",
                    "ez": "EQUA"
                },
                {
                    "en": "cjelfplplebdjjenllpjcblmjkfcffne",
                    "ez": "Jaxx Liberty"
                },
                {
                    "en": "fihkakfobkmkjojpchpfgcmhfjnmnfpi",
                    "ez": "BitApp"
                },
                {
                    "en": "kncchdigobghenbbaddojjnnaogfppfj",
                    "ez": "iWlt"
                },
                {
                    "en": "kkpllkodjeloidieedojogacfhpaihoh",
                    "ez": "EnKrypt"
                },
                {
                    "en": "amkmjjmmflddogmhpjloimipbofnfjih",
                    "ez": "Wombat"
                },
                {
                    "en": "nlbmnnijcnlegkjjpcfjclmcfggfefdm",
                    "ez": "MEW CX"
                },
                {
                    "en": "nanjmdknhkinifnkgdcggcfnhdaammmj",
                    "ez": "Guild"
                },
                {
                    "en": "nkddgncdjgjfcddamfgcmfnlhccnimig",
                    "ez": "Saturn"
                },
                {
                    "en": "cphhlgmgameodnhkjdmkpanlelnlohao",
                    "ez": "NeoLine"
                },
                {
                    "en": "nhnkbkgjikgcigadomkphalanndcapjk",
                    "ez": "Clover"
                },
                {
                    "en": "kpfopkelmapcoipemfendmdcghnegimn",
                    "ez": "Liquality"
                },
                {
                    "en": "aiifbnbfobpmeekipheeijimdpnlpgpp",
                    "ez": "Terra Station"
                },
                {
                    "en": "dmkamcknogkgcdfhhbddcghachkejeap",
                    "ez": "Keplr"
                },
                {
                    "en": "fhmfendgdocmcbmfikdcogofphimnkno",
                    "ez": "Sollet"
                },
                {
                    "en": "cnmamaachppnkjgnildpdmkaakejnhae",
                    "ez": "Auro"
                },
                {
                    "en": "jojhfeoedkpkglbfimdfabpdfjaoolaf",
                    "ez": "Polymesh"
                },
                {
                    "en": "flpiciilemghbmfalicajoolhkkenfe",
                    "ez": "ICONex"
                },
                {
                    "en": "nknhiehlklippafakaeklbeglecifhad",
                    "ez": "Nabox"
                },
                {
                    "en": "hcflpincpppdclinealmandijcmnkbgn",
                    "ez": "KHC"
                },
                {
                    "en": "ookjlbkiijinhpmnjffcofjonbfbgaoc",
                    "ez": "Temple"
                },
                {
                    "en": "mnfifefkajgofkcjkemidiaecocnkjeh",
                    "ez": "TezBox"
                },
                {
                    "en": "lodccjjbdhfakaekdiahmedfbieldgik",
                    "ez": "DAppPlay"
                },
                {
                    "en": "ijmpgkjfkbfhoebgogflfebnmejmfbm",
                    "ez": "BitClip"
                },
                {
                    "en": "lkcjlnjfpbikmcmbachjpdbijejflpcm",
                    "ez": "Steem Keychain"
                },
                {
                    "en": "onofpnbbkehpmmoabgpcpmigafmmnjh",
                    "ez": "Nash Extension"
                },
                {
                    "en": "bcopgchhojmggmffilplmbdicgaihlkp",
                    "ez": "Hycon Lite Client"
                },
                {
                    "en": "klnaejjgbibmhlephnhpmaofohgkpgkd",
                    "ez": "ZilPay"
                },
                {
                    "en": "aeachknmefphepccionboohckonoeemg",
                    "ez": "Coin98"
                },
                {
                    "en": "bhghoamapcdpbohphigoooaddinpkbai",
                    "ez": "Authenticator"
                },
                {
                    "en": "dkdedlpgdmmkkfjabffeganieamfklkm",
                    "ez": "Cyano"
                },
                {
                    "en": "nlgbhdfgdhgbiamfdfmbikcdghidoadd",
                    "ez": "Byone"
                },
                {
                    "en": "infeboajgfhgbjpjbeppbkgnabfdkdaf",
                    "ez": "OneKey"
                },
                {
                    "en": "cihmoadaighcejopammfbmddcmdekcje",
                    "ez": "Leaf"
                },
                {
                    "en": "gaedmjdfmmahhbjefcbgaolhhanlaolb",
                    "ez": "Authy"
                },
                {
                    "en": "oeljdldpnmdbchonielidgobddfffla",
                    "ez": "EOS Authenticator"
                },
                {
                    "en": "ilgcnhelpchnceeipipijaljkblbcob",
                    "ez": "GAuth Authenticator"
                },
                {
                    "en": "imloifkgjagghnncjkhggdhalmcnfklk",
                    "ez": "Trezor Password Manager"
                },
                {
                    "en": "bfnaelmomeimhlpmgjnjophhpkkoljpa",
                    "ez": "Phantom"
                },
                {
                    "en": "ppbibelpcjmhbdihakflkdcoccbgbkpo",
                    "ez": "UniSat"
                }
            ],
            "n": [
                {
                    "p": "%localappdata%\\Google\\Chrome\\User Data",
                    "z": "Chrome"
                },
                {
                    "p": "%localappdata%\\Chromium\\User Data",
                    "z": "Chromium"
                },
                {
                    "p": "%localappdata%\\Microsoft\\Edge\\User Data",
                    "z": "Edge"
                },
                {
                    "p": "%localappdata%\\Kometa\\User Data",
                    "z": "Kometa"
                },
                {
                    "p": "%appdata%\\Opera Software\\Opera Stable",
                    "z": "Opera Stable"
                },
                {
                    "p": "%appdata%\\Opera Software\\Opera GX Stable",
                    "z": "Opera GX Stable"
                },
                {
                    "p": "%appdata%\\Opera Software\\Opera Neon\\User Data",
                    "z": "Opera Neon"
                },
                {
                    "p": "%localappdata%\\BraveSoftware\\Brave-Browser\\User Data",
                    "z": "Brave Software"
                },
                {
                    "p": "%localappdata%\\Comodo\\Dragon\\User Data",
                    "z": "Comodo"
                },
                {
                    "p": "%localappdata%\\CocCoc\\Browser\\User Data",
                    "z": "CocCoc"
                }
            ]
        },
        {
            "t": 2,
            "p": "%appdata%\\Mozilla\\Firefox\\Profiles",
            "z": "Mozilla Firefox"
        }
    ]
}

I think you guys knows the drill here, never downloaded any update from unknown source, simply practice that can really help us a lot crypto enthusiast.
And not to trust any download and verify everything before we click.

https://www.esentire.com/blog/the-case-of-lummac2-v4-0
Pages:
Jump to: