A new way for these criminals to deliver their payload of crypto-stealing malware known as Lumma and BitRat. This time the payload is being delivered through a fake Google Chrome update, as reported by eSentire.
Figure 1: Shows what the actual fake update website looks like. The chatgpt-app[.]cloud site contains a download link to a Zip archive called ‘Update.zip’.
Once you have executed the contents of the zip file, it downloads the payload to your system, and the code then searches your machine for the following strings, such as *Bitcoin, *Binance and almost everything related to crypto. Note that the configuration below is not limited to crypto: it also lists browser profile directories, wallet browser extensions (matched by extension ID), and applications such as AnyDesk, FileZilla, KeePass, Steam and Telegram.
{
"v": 1,
"c": [
{
"t": 0,
"p": "%userprofile%",
"m": "*.txt",
"z": "Important Files/Profile",
"d": 1
},
{
"t": 0,
"p": "%userprofile%",
"m": "*key*",
"z": "Important Files/Profile",
"d": 1
},
{
"t": 0,
"p": "%userprofile%",
"m": "*bitcoin*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*binance*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*exodus*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*coinbase*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*wallet*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*seed*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*pass*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*ledger*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*trezor*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*metamask*",
"z": "Important Files/Profile",
"d": 3
},
{
"t": 0,
"p": "%userprofile%",
"m": "*crypto*",
"z": "Important Files/Profile",
"d": 1
},
{
"t": 0,
"p": "%appdata%\\Binance",
"m": "app-store.json",
"z": "Wallets/Binance",
"d": 1
},
{
"t": 0,
"p": "%appdata%\\Binance",
"m": ".finger-print.fp",
"z": "Wallets/Binance",
"d": 1
},
{
"t": 0,
"p": "%appdata%\\Binance",
"m": "simple-storage.json",
"z": "Wallets/Binance",
"d": 1
},
{
"t": 0,
"p": "%appdata%\\Electrum\\wallets",
"m": "*",
"z": "Wallets/Electrum",
"d": 1
},
{
"t": 0,
"p": "%appdata%\\Ethereum",
"m": "keystore",
"z": "Wallets/Ethereum",
"d": 1
},
{
"t": 0,
"p": "%appdata%\\Exodus\\exodus.wallet",
"m": "*",
"z": "Wallets/Exodus",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\Ledger Live",
"m": "*",
"z": "Wallets/Ledger Live",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\atomic\\Local Storage\\leveldb",
"m": "*",
"z": "Wallets/Atomic",
"d": 2
},
{
"t": 0,
"p": "%localappdata%\\Coinomi\\Coinomi\\wallets",
"m": "*",
"z": "Wallets/Coinomi",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\Authy Desktop\\Local Storage\\leveldb",
"m": "*",
"z": "Wallets/Authy Desktop",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\Bitcoin\\wallets",
"m": "*",
"z": "Wallets/Bitcoin core",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\com.liberty.jaxx\\IndexedDB",
"m": "*.leveldb",
"z": "Wallets/JAXX New Version",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\Electrum\\wallets",
"m": "*",
"z": "Wallets/Electrum",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\AnyDesk",
"m": "*.conf",
"z": "Applications/AnyDesk",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\FileZilla",
"m": "recentservers.xml",
"z": "Applications/FileZilla",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\FileZilla",
"m": "sitemanager.xml",
"z": "Applications/FileZilla",
"d": 2
},
{
"t": 0,
"p": "%userprofile%",
"m": "*.kbdx",
"z": "Applications/KeePass",
"d": 2
},
{
"t": 0,
"p": "%programfiles%\\Steam",
"m": "ssfn*",
"z": "Applications/Steam",
"d": 2
},
{
"t": 0,
"p": "%programfiles%\\Steam\\config",
"m": "*",
"z": "Applications/Steam/config",
"d": 2
},
{
"t": 0,
"p": "%appdata%\\Telegram Desktop",
"m": "*s",
"z": "Applications/Telegram",
"d": 2
},
{
"t": 1,
"e": [
{
"en": "ejbalbakoplchlghecdalmeeeajnimhm",
"ez": "MetaMask"
},
{
"en": "nkbihfbeogaeaoehlefnkodbefgpgknn",
"ez": "MetaMask"
},
{
"en": "egjidjbpglichdcondbcbdnbeeppgdph",
"ez": "Trust Wallet"
},
{
"en": "ibnejdfjmmkpcnlpebklmnkoeoihofec",
"ez": "TronLink"
},
{
"en": "fnjhmkhhmkbjkkabndcnnogagogbneec",
"ez": "Ronin Wallet"
},
{
"en": "fhbohimaelbohpjbbldcngcnapndodjp",
"ez": "Binance Chain Wallet"
},
{
"en": "ffnbelfdoeiohenkjibnmadjiehjhajb",
"ez": "Yoroi"
},
{
"en": "jbdaocneiiinmjbjlgalhcelgbejmnid",
"ez": "Nifty"
},
{
"en": "afbcbjpbpfadlkmhmclhkeeodmamcflc",
"ez": "Math"
},
{
"en": "hnfanknocfeofbddgcijnmhnfnkdnaad",
"ez": "Coinbase"
},
{
"en": "hpglfhgfnhbgpjdenjgmdgoeiappafln",
"ez": "Guarda"
},
{
"en": "blnieiiffboillknjnepogjhkgnoapac",
"ez": "EQUA"
},
{
"en": "cjelfplplebdjjenllpjcblmjkfcffne",
"ez": "Jaxx Liberty"
},
{
"en": "fihkakfobkmkjojpchpfgcmhfjnmnfpi",
"ez": "BitApp"
},
{
"en": "kncchdigobghenbbaddojjnnaogfppfj",
"ez": "iWlt"
},
{
"en": "kkpllkodjeloidieedojogacfhpaihoh",
"ez": "EnKrypt"
},
{
"en": "amkmjjmmflddogmhpjloimipbofnfjih",
"ez": "Wombat"
},
{
"en": "nlbmnnijcnlegkjjpcfjclmcfggfefdm",
"ez": "MEW CX"
},
{
"en": "nanjmdknhkinifnkgdcggcfnhdaammmj",
"ez": "Guild"
},
{
"en": "nkddgncdjgjfcddamfgcmfnlhccnimig",
"ez": "Saturn"
},
{
"en": "cphhlgmgameodnhkjdmkpanlelnlohao",
"ez": "NeoLine"
},
{
"en": "nhnkbkgjikgcigadomkphalanndcapjk",
"ez": "Clover"
},
{
"en": "kpfopkelmapcoipemfendmdcghnegimn",
"ez": "Liquality"
},
{
"en": "aiifbnbfobpmeekipheeijimdpnlpgpp",
"ez": "Terra Station"
},
{
"en": "dmkamcknogkgcdfhhbddcghachkejeap",
"ez": "Keplr"
},
{
"en": "fhmfendgdocmcbmfikdcogofphimnkno",
"ez": "Sollet"
},
{
"en": "cnmamaachppnkjgnildpdmkaakejnhae",
"ez": "Auro"
},
{
"en": "jojhfeoedkpkglbfimdfabpdfjaoolaf",
"ez": "Polymesh"
},
{
"en": "flpiciilemghbmfalicajoolhkkenfe",
"ez": "ICONex"
},
{
"en": "nknhiehlklippafakaeklbeglecifhad",
"ez": "Nabox"
},
{
"en": "hcflpincpppdclinealmandijcmnkbgn",
"ez": "KHC"
},
{
"en": "ookjlbkiijinhpmnjffcofjonbfbgaoc",
"ez": "Temple"
},
{
"en": "mnfifefkajgofkcjkemidiaecocnkjeh",
"ez": "TezBox"
},
{
"en": "lodccjjbdhfakaekdiahmedfbieldgik",
"ez": "DAppPlay"
},
{
"en": "ijmpgkjfkbfhoebgogflfebnmejmfbm",
"ez": "BitClip"
},
{
"en": "lkcjlnjfpbikmcmbachjpdbijejflpcm",
"ez": "Steem Keychain"
},
{
"en": "onofpnbbkehpmmoabgpcpmigafmmnjh",
"ez": "Nash Extension"
},
{
"en": "bcopgchhojmggmffilplmbdicgaihlkp",
"ez": "Hycon Lite Client"
},
{
"en": "klnaejjgbibmhlephnhpmaofohgkpgkd",
"ez": "ZilPay"
},
{
"en": "aeachknmefphepccionboohckonoeemg",
"ez": "Coin98"
},
{
"en": "bhghoamapcdpbohphigoooaddinpkbai",
"ez": "Authenticator"
},
{
"en": "dkdedlpgdmmkkfjabffeganieamfklkm",
"ez": "Cyano"
},
{
"en": "nlgbhdfgdhgbiamfdfmbikcdghidoadd",
"ez": "Byone"
},
{
"en": "infeboajgfhgbjpjbeppbkgnabfdkdaf",
"ez": "OneKey"
},
{
"en": "cihmoadaighcejopammfbmddcmdekcje",
"ez": "Leaf"
},
{
"en": "gaedmjdfmmahhbjefcbgaolhhanlaolb",
"ez": "Authy"
},
{
"en": "oeljdldpnmdbchonielidgobddfffla",
"ez": "EOS Authenticator"
},
{
"en": "ilgcnhelpchnceeipipijaljkblbcob",
"ez": "GAuth Authenticator"
},
{
"en": "imloifkgjagghnncjkhggdhalmcnfklk",
"ez": "Trezor Password Manager"
},
{
"en": "bfnaelmomeimhlpmgjnjophhpkkoljpa",
"ez": "Phantom"
},
{
"en": "ppbibelpcjmhbdihakflkdcoccbgbkpo",
"ez": "UniSat"
}
],
"n": [
{
"p": "%localappdata%\\Google\\Chrome\\User Data",
"z": "Chrome"
},
{
"p": "%localappdata%\\Chromium\\User Data",
"z": "Chromium"
},
{
"p": "%localappdata%\\Microsoft\\Edge\\User Data",
"z": "Edge"
},
{
"p": "%localappdata%\\Kometa\\User Data",
"z": "Kometa"
},
{
"p": "%appdata%\\Opera Software\\Opera Stable",
"z": "Opera Stable"
},
{
"p": "%appdata%\\Opera Software\\Opera GX Stable",
"z": "Opera GX Stable"
},
{
"p": "%appdata%\\Opera Software\\Opera Neon\\User Data",
"z": "Opera Neon"
},
{
"p": "%localappdata%\\BraveSoftware\\Brave-Browser\\User Data",
"z": "Brave Software"
},
{
"p": "%localappdata%\\Comodo\\Dragon\\User Data",
"z": "Comodo"
},
{
"p": "%localappdata%\\CocCoc\\Browser\\User Data",
"z": "CocCoc"
}
]
},
{
"t": 2,
"p": "%appdata%\\Mozilla\\Firefox\\Profiles",
"z": "Mozilla Firefox"
}
]
}
I think you guys know the drill here: never download any update from an unknown source — a simple practice that can really help us crypto enthusiasts a lot.
And do not trust any download; verify everything before you click.
https://www.esentire.com/blog/the-case-of-lummac2-v4-0