
Sly Malware Found in Fake Google Chrome and MS Teams Installers

Sai Molige, Forescout Vedere Labs | September 26, 2024

Forescout’s Security Operations Center (SOC) recently investigated a malware incident on a customer’s network involving malware disguised as Google Chrome. During the investigation, we discovered the domain hosting the malware had been involved in similar attacks using fake Microsoft Teams and fake Microsoft Edge installers, prompting a deeper look into the incidents.

As a result, we identified several new malware samples, domains and IP addresses, along with Tactics, Techniques and Procedures (TTPs), threat-hunting opportunities and detection strategies. The Indicators of Compromise (IoC) are also available on Forescout Vedere Labs’ threat feed.

The malware’s primary purpose is reconnaissance to gather user and network information for detailed profiles of potential targets. This information could serve as a foundation for more targeted future attacks ranging from deploying customized ransomware to installing remote access tools on individual systems. The threat actor may have dual objectives:

  1. Immediate monetization through the sale of harvested data and access
  2. Preparation for larger-scale cyberattacks (either to directly exploit high-value targets or sell access)

We are tracking this as a distinct cluster referred to as Chaya_002. The name ‘Chaya’ follows our naming convention for unknown threat clusters (it means ‘shadow’ in Sanskrit). By tracking this threat as Chaya_002, we can focus on its unique attributes and ongoing evolution. We are closely watching for new tactics or tools used by the threat actors to distinguish it from previously known malware clusters. For example, we have already identified changes in the threat actor’s delivery mechanisms — specifically in the malware’s file characteristics and storage.

Malware Activity Cluster: ‘Chaya_002’ Details and Characteristics

Unique Payload Characteristics

Chaya_002 has distinct payload and post-infection tactics worth investigating. The delivery, download and staging mechanisms resemble:

  • Scarlet Goldfinch
  • FakeSG
  • ClearFake
  • FakeUpdateRU
  • SocGholish

Evolving Functionality

As of September 23, the malware exhibited new behaviors, including:

  • Executes PowerShell commands from within MSIX bundles
  • Uses AutoIt scripts
  • Uses WMIC to gather domain information

Distinct Tool Usage

Unlike previous versions, this malware can download additional tools other than NetSupport RMM, which showcases its developing capabilities.

Progression in File Naming Conventions

Previously, files were named with patterns like:

Update_[date_components].js, Update_[random_numeric_string].[msix|exe]

or

[legitimate_software_name]_[random_numeric_string].exe.

Now, we observe a shift to names like

upd_[random_numeric_string].[exe|msix]

Transition in File Types

The malware payload has shifted from JavaScript files (.js) to executable formats (.msix, .exe), showing ongoing refinement in deployment and increasing its potential impact.

Diversification of File Path

The threat actor rotates through various WordPress directory structures to store malware:

  • wp-includes/[css|promo|uploads]
  • wp-admin/images
  • wp-includes/images/
  • wp-content/upgrades
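The naming conventions and WordPress staging directories above can be combined into a triage rule for proxy or download logs. The following is an added example, not Forescout's code: the function names, the scoring weights and the character classes used for the bracketed placeholders are assumptions, and the sample records are constructed.

```python
import re
from urllib.parse import urlsplit

# Filename patterns from the article. The digit and separator classes are
# assumptions: the article only gives the bracketed placeholders.
NAME_PATTERNS = [
    ("current_upd", 2, re.compile(r"^upd_\d+\.(exe|msix)$", re.I)),
    ("older_update_js", 2, re.compile(r"^Update_[\d_.-]+\.js$", re.I)),
    ("older_update_bin", 2, re.compile(r"^Update_\d+\.(msix|exe)$", re.I)),
    # "[legitimate_software_name]_[digits].exe" is generic, so it scores lower.
    ("software_name_digits", 1, re.compile(r"^[A-Za-z][A-Za-z0-9]*_\d+\.exe$", re.I)),
]

# WordPress directories the article lists as staging locations. Matched anywhere
# in the path because WordPress may be installed in a subdirectory.
WP_STAGING = re.compile(
    r"(^|/)(wp-includes/(css|promo|uploads|images)|wp-admin/images|wp-content/upgrades)/",
    re.I,
)

def classify(url, saved_name):
    """Score one download record: the request URL plus the name the file was saved as."""
    path = urlsplit(url).path
    label, score = None, 0
    for name, weight, rx in NAME_PATTERNS:
        if rx.match(saved_name):
            label, score = name, weight
            break
    wp_dir = bool(WP_STAGING.search(path))
    score += 2 if wp_dir else 0
    verdict = {0: "none", 1: "low", 2: "medium"}.get(score, "high")
    return {"name_pattern": label, "wp_staging_dir": wp_dir, "verdict": verdict}

# Constructed proxy records (hosts are placeholders). The first pairs the path and
# file name reported in the article: the .php endpoint serves the executable, so
# the name has to come from the saved file, not from the URL.
SAMPLE_DOWNLOADS = [
    ("https://compromised-site.example/wp-includes/images/xits.php", "upd_6259478.exe"),
    ("https://blog.example/wp-content/upgrades/a.php", "Update_2024_09_19.js"),
    ("https://vendor.example/downloads/setup.php", "upd_1187.msix"),
    ("https://vendor.example/releases/", "Installer_2024.exe"),
    ("https://news.example/wp-content/uploads/2024/09/photo.jpg", "photo.jpg"),
]

def triage(downloads=SAMPLE_DOWNLOADS):
    return [(name, classify(url, name)["verdict"]) for url, name in downloads]

if __name__ == "__main__":
    for name, verdict in triage():
        print(f"{verdict:6} {name}")
```

The ordinary media path wp-content/uploads is not in the article's list and is deliberately left unflagged, which keeps normal WordPress image traffic out of the results.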

Similar Malware Incidents Trigger Our Investigation

On September 20, the Canadian Centre for Cyber Security issued a TLP:AMBER cyber flash, “CF24-005 – Tactics, techniques and procedures associated with malware masquerading as an MS Teams installer”, in response to an incident that occurred on September 9.

The attack leveraged users’ tendency to search for Microsoft Teams via their Windows Start Menu. Instead of reaching the official Microsoft page, the user landed on an SEO-poisoned page that prompted them to download what appeared to be an MS Teams installer. Upon further investigation, the Cyber Centre discovered several TTPs associated with this attack, including password dumping, Kerberoasting, persistence through run keys, collection of user-specific information, and exfiltration via C2 Beacon.

The Cyber Centre’s investigation noted that the domain responsible for distributing this fake Teams installer was apple-online[.]shop.

A day earlier, on September 19, Forescout Security Operations Center (SOC) had blocked an access attempt to a suspicious domain, hxxps://tayakay[.]com/analytics.js. This domain was injecting a malicious JavaScript file into legitimate websites, in this case www[.]powerlineblog[.]com. The script then redirected users to a /js.php endpoint on the same domain, which initiated the download of a malicious file, upd_6259478.exe, from a compromised WordPress site (hxxps://airbluefootgear[.]com/wp-includes/images/xits.php).

The upd_6259478.exe executable runs the PowerShell command shown below, which downloads and runs another file, named ChromeSetup.exe, from a temporary folder. The source of this download was apple-online[.]shop – the same domain seen in the Canadian incident – which resolved to two IP addresses: 172.67.178[.]253 and 104.21.67[.]172.

Upon execution, upd_6259478.exe initiates network communication with the remote IP 217.148.142[.]19, a recurring element in this malware cluster. Multiple samples have been observed connecting to this IP, which was previously identified nearly three years ago as a Cobalt Strike command and control (C2) server.

In earlier versions of similar malware samples, we also observed the use of a PowerShell command to establish persistence by creating a .lnk file in the Windows Startup folder. This .lnk file pointed to the upd_* executable, ensuring it ran automatically at system startup. Additionally, all samples were observed querying system information about the infected machine, likely for reconnaissance purposes.

Most of the other TTPs observed in this customer incident were consistent with those identified by the Canadian Cyber Centre, with the exception of Kerberoasting. This discrepancy could be due to the fact that the executable was likely run in a sandbox environment that wasn’t domain-joined, which may have prevented Kerberoasting from being triggered. However, there was no explicit event to verify this.

Uncovering Further Malicious Activity in Fake Google Chrome and Fake MS ‘Setup’ Executables

Since both incidents originated from apple-online[.]shop, we pivoted off this domain to investigate the activity cluster behind them.

One notable observation was the submission of the URL apple-online[.]shop/MicrosoftEdgeSetup.exe (file hash: 7531341da720162541747b3142722f9c52d9d5fe57678d8aeefa62532014f672) to VirusTotal. This file, with a creation time of 2024-07-24 17:53:31 UTC, carries a legitimate Microsoft signature. We hypothesize that the threat actors might be testing the file delivery mechanism.

Further VirusTotal analysis revealed several additional files uploaded between September 10 and September 21, 2024, all directly linked to this domain.

Nearly all files are digitally signed by “Foshan Yongqiheng Trading Co., Ltd.” The metadata for each file—including copyright, product, description, internal name, and comments—reflects the name under which it was downloaded. Notably, the signing date aligns with the download date.

Other samples are signed by “Langfang Alkem Material Technology Co., Ltd.”, including those with the following hashes:

  • 42c1550b035353ae529e98304f89bf6065647833e582d08f0228185b493d0022
  • 8d911ef72bdb4ec5b99b7548c0c89ffc8639068834a5e2b684c9d78504550927
  • 92d2488e401d24a4bfc1598d813bc53af5c225769efedf0c7e5e4083623f4486
  • 941fa9119eb1413fdd4f05333e285c49935280cc85f167fb31627012ef71a6b3
  • aa25a7c2520da54ba2045a21de252632c93f8eae06e031091ab908dca4eadf45

The only file lacking a digital signature in the list shown above is 941fa9119eb1413fdd4f05333e285c49935280cc85f167fb31627012ef71a6b3.

Regarding the tayakay[.]com domain, when a user visits a site that embeds the tayakay[.]com JS script, the script constructs a query parameter containing victim information – such as device name, IP address and others – to send to the js.php endpoint.

By constructing a query in URLScan based on the observed characteristics, we identified additional pivot points exhibiting similar behavior. This investigation revealed an additional extension, “/adcount.js”, along with a mechanism that redirects users based on the returned content. According to URLScan results, approximately 87 domains currently have analytics.js embedded in their sites.

From previous samples, it is likely that these sites are using a Traffic Distribution System (TDS) which redirects users to another page—often another compromised WordPress site—that delivers fake executables embedded with malicious code.

By analyzing the file naming patterns, we uncovered several compromised WordPress pages, as well as second stage malware that was downloaded via PowerShell.

The threat actor employs a multi-vector approach, with objectives of network infiltration and data acquisition. The end goal appears to be facilitating large-scale cyberattacks where feasible, through one or more of three phases:

  1. Initial Reconnaissance: Harvesting user-specific information, enabling the creation of target profiles. This data collection helps in subsequent attack phases.
  2. Mapping: Through domain querying techniques, the malware gains insights into the victim enterprise’s domain structure in domain-joined environments.
  3. Access Brokerage: The combination of harvested data and network access commands a high value. This information is likely monetized through sale to more sophisticated threat actors, potentially facilitating ransomware deployment in corporate networks or the installation of Remote Access Trojans (RATs) for further monetisation by third-party threat actors.

Threat Hunting Opportunities

Below is a sneak peek at a few examples using our structured approach to hypothesis generation, combining gathered intelligence, environmental context, and attacker mindset. At its core, the framework employs the A.P.E.X. model: Analyzing the environment (A), Profiling threats (P), Exploring anomalies (E), and considering X-factors (X).

  1. Based on the malware’s known tactics [P], we hypothesize that perpetrators may be attempting to gain initial access to a customer’s network through SEO poisoning when a user’s Windows search returns web search results [P][E]. We expect to see evidence of installation of files with “Langfang Alkem Material Technology Co., Ltd.” OR “Foshan Yongqiheng Trading Co., Ltd.” digital signatures and other anomalous certificates that deviate from historical certificate usage patterns in the environment [A].

     

  2. Considering PowerShell usage [A], we hypothesize that threat actors [P] may use PowerShell to download malicious software from the internet [E]. We anticipate seeing network connections from PowerShell [E], suspicious PowerShell commands [E], PowerShell agents making network connections [E] and downloading potentially malicious software [X].

     

  3. We hypothesize that, to maintain persistence, threat actors [P] may utilize PowerShell [X][E]. We expect to see signs of persistence through PowerShell’s usage of the wscript.shell COM interface for the creation or modification of .lnk files in the Startup folder [E] that deviate from typical .lnk file creation patterns [A].

     

  4. We hypothesize that threat actors [P] may utilize PowerShell to spawn browser processes as child processes [E] [X]. We expect to observe unusual parent-child relationships where PowerShell is the parent process of browser executables such as chrome.exe, firefox.exe, or msedge.exe [E].

     

  5. We hypothesize that threat actors [P] may leverage Kerberoasting attacks to compromise service account credentials in Active Directory environments [E]. We expect to observe attempts to request and obtain Kerberos TGS tickets for service principal names (SPNs) resulting in unusual timing or frequency of TGS requests[A][E]. This activity could potentially lead to unauthorized access and lateral movement within the network [X].

     

  6. We hypothesize that threat actors [P] may attempt to collect passwords and cookies stored in web browsers [E]. We expect to observe unusual processes or scripts accessing browser data storage locations [A][E]. We will establish a baseline of processes that normally access browser data locations [A], monitor for unusual file access patterns or data exfiltration attempts [E], and consider potential abuse of browser extensions for data collection [X].

     

  7. We hypothesize that threat actors [P] may use living-off-the-land binaries (LOLBins) to evade detection [E]. We expect to see unusual usage patterns of legitimate system utilities, particularly those capable of downloading files or executing code [A][E]. We will establish baselines for normal LOLBin usage in our environment [A] and monitor for deviations from these patterns [E].

Detection Opportunities

  • Monitor PowerShell activity:
    • Monitor PowerShell commands that indicate suspicious download and execution patterns (e.g., Invoke-WebRequest, Invoke-Expression, Net.WebClient, Start-Process).
    • Track child processes spawned by PowerShell.exe, especially those executing from unusual directories, such as %TEMP% and %APPDATA%.
    • Analyze PowerShell filenames for high entropy, which can indicate obfuscation.
    • Correlate PowerShell activities, such as high-entropy filenames, suspicious download commands and unusual child processes to identify potential malicious activity.

     

  • Detect persistence mechanisms:
    • Monitor registry modifications in the Run and RunOnce keys (HKLM and HKCU)
    • Watch for new .lnk file creations in startup folders.
    • Analyze .lnk files for suspicious target paths, especially those pointing to %TEMP%, %APPDATA%, or other non-standard locations.
    • Correlate Run key modifications with the creation of .lnk files targeting suspicious paths.

     

  • Track execution chains:
    • Monitor the full chain of process creations, from initial execution to subsequent actions.
    • Correlate PowerShell or script executions with the creation and execution of binaries in unusual locations.
    • Track relationships between initial executions and subsequent persistence attempts on the same host or user account.
    • Look for multi-stage patterns: script execution followed by file download or file execution from unusual locations, followed by persistence establishment.

     

  • Correlate network and execution signals:
    • Monitor outbound network connections initiated by newly created or modified executables.
    • Correlate PowerShell download commands with subsequent local file creation and execution.
    • Track DNS queries and IP connections associated with script executions.
    • Correlate suspicious download activity, local file creation and outbound connection for higher confidence in detecting malicious activity.

     

  • Baseline users:
    • Establish baselines for normal user and system behavior.
    • Monitor for deviations in PowerShell usage, execution of wscript, cscript, AutoIt, unusual file access patterns, and network connections from unexpected processes.
    • Correlate any deviating activities for further analysis.

     

  • Check signatures:
    • Look for files with suspicious digital signatures, particularly those signed by “Langfang Alkem Material Technology Co., Ltd.” or “Foshan Yongqiheng Trading Co., Ltd.”
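
The correlation described in the PowerShell, persistence, execution-chain and network items above can be prototyped over endpoint telemetry before it is ported to a SIEM rule. This is an added example, not Forescout's detection content: the event schema, signal names, 10-minute window and three-signal threshold are assumptions, and the events are constructed.

```python
import re
from collections import defaultdict

# Cmdlets and classes the article names as download-and-execute indicators.
DOWNLOAD_RX = re.compile(r"Invoke-WebRequest|Invoke-Expression|Net\.WebClient|Start-Process", re.I)
USER_WRITABLE_RX = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.I)  # %TEMP%, %APPDATA%
STARTUP_LNK_RX = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
WINDOW_SECONDS = 600  # assumption: correlate signals within 10 minutes per host

def is_powershell(image):
    return (image or "").lower().endswith("\\powershell.exe")

def signals_for(ev):
    """Return the detection signals raised by a single telemetry event."""
    found = set()
    if ev["type"] == "process":
        if is_powershell(ev["image"]) and DOWNLOAD_RX.search(ev["command_line"]):
            found.add("powershell_download_command")
        if is_powershell(ev.get("parent_image")) and USER_WRITABLE_RX.search(ev["image"]):
            found.add("powershell_child_in_temp_or_appdata")
    elif ev["type"] == "file_create" and STARTUP_LNK_RX.search(ev["path"]):
        found.add("startup_lnk_created")
    elif ev["type"] == "network" and USER_WRITABLE_RX.search(ev["image"]):
        found.add("outbound_from_user_writable_exe")
    return found

def correlate(events, min_signals=3):
    """Alert on hosts with >= min_signals distinct signals inside one time window."""
    hits = defaultdict(list)
    for ev in events:
        hits[ev["host"]] += [(ev["time"], s) for s in signals_for(ev)]
    alerts = {}
    for host, seen in hits.items():
        for start, _ in seen:
            window = {s for t, s in seen if 0 <= t - start <= WINDOW_SECONDS}
            if len(window) >= min_signals:
                alerts[host] = sorted(window)
                break
    return alerts

# Constructed telemetry (times in seconds). WS-01 replays the chain the article
# describes; WS-02 is an admin download that raises one signal and must not alert.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\a\AppData\Local\Temp\ChromeSetup.exe"
LNK = r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-01", "time": 0, "image": PS,
     "command_line": "powershell Invoke-WebRequest https://files.example/ChromeSetup.exe"},
    {"type": "process", "host": "WS-01", "time": 20, "image": TMP, "parent_image": PS, "command_line": TMP},
    {"type": "file_create", "host": "WS-01", "time": 45, "path": LNK},
    {"type": "network", "host": "WS-01", "time": 50, "image": TMP, "dest_ip": "203.0.113.10"},
    {"type": "process", "host": "WS-02", "time": 5, "image": PS,
     "command_line": "powershell Invoke-WebRequest https://intranet.example/report.csv"},
]
```

Calling correlate(SAMPLE_EVENTS) alerts on WS-01 only. Requiring several distinct signals in one window is what keeps routine administrative PowerShell downloads, such as the WS-02 event, below the alert threshold.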

MITRE ATT&CK TTPs

  • Initial Access
    • T1608.006 – SEO Poisoning
    • T1189 – Drive-by Compromise
  • Execution
    • T1059.001 – Command and Scripting Interpreter: PowerShell
    • T1204.001 – User Execution: Malicious Link
    • Command and Scripting Interpreter: AutoHotKey & AutoIT
  • Persistence
    • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • Defense Evasion
    • T1036 – Masquerading
    • T1055 – Process Injection
  • Credential Access
    • T1003 – OS Credential Dumping
    • T1558.003 – Kerberos Tickets: Kerberoasting
  • Discovery
    • T1082 – System Information Discovery
    • T1016 – System Network Configuration Discovery
  • Collection
    • T1555 – Credentials from Password Stores
    • T1185 – Browser Cookie Theft
  • Command and Control
    • T1071 – Application Layer Protocol
    • T1105 – Ingress Tool Transfer

 

Indicators of Compromise

The indicators of compromise below were observed as part of the Chaya_002 activity cluster and can also be obtained from our threat feed.


 
