Attackers are utilizing hacked web sites that promote fake browser updates to infect targets with banking Trojans. In some cases, post exploitation toolkits are later executed to encrypt the compromised network with ransomware attack.
Between May and Sep 2019, FireEye has conducted multiple incident response cases where enterprise customers were infected with malware through fake browser updates.
Hacked sites would display these “fake-updates” through JavaScript alerts that state the user is using an old version of a web browser and that they should download an offered “update” to keep the browser running “smoothly and securely”.
When the update button is clicked, the site will download either an HTML application (HTA), JavaScript, or Zip archives with JavaScript files.
