Several websites, including news sites, blogs, online stores, and adult sites, have been compromised with scripts that display fraudulent Google Chrome automatic update prompts used to distribute malware, BleepingComputer reports.
The attack begins with injected malicious JavaScript, followed by downloads of additional scripts whose origin is obscured by hosting them on the Pinata InterPlanetary File System (IPFS) service, according to a report from NTT.
Fake Google Chrome error screens claiming that an automatic update is required then trigger the download of a 'release.zip' file containing a Monero miner, which uses the bring-your-own-vulnerable-driver (BYOVD) technique to exploit a vulnerability in WinRing0x64.sys and obtain SYSTEM privileges.
The miner also creates scheduled tasks, adds Windows Defender exclusions, halts Windows Update, and disables antivirus software before connecting to xmr.2miners[.]com and beginning to mine Monero.
Such attacks can be avoided by never downloading security updates from third-party sites.
Google has moved to strengthen Kernel-based Virtual Machine hypervisor security with the introduction of the new kvmCTF vulnerability reward program, reports BleepingComputer.
Attackers have used trojanized installers for Indian software provider Conceptworld's Copywhiz, Notezilla, and RecentX programs to deliver information-stealing malware, The Hacker News reports.
Defense and manufacturing organizations across South Korea have been targeted in attacks that deploy the new Xctdoor malware through a compromised South Korean enterprise resource planning (ERP) software update server, The Register reports. The technique echoes one previously used by Andariel, a North Korean state-sponsored advanced persistent threat group and Lazarus Group sub-cluster, to deliver the HotCroissant and Riffdoor backdoors.