Insidious Infostealer Malware Pwns Chrome Users And Bypasses Windows User Account Control
Recently, the Rapid7 Managed Detection and Response team detected a malware campaign that installs its payload as “a Windows application after delivery via a browser ad service and bypasses User Account Control (UAC).” Once installed, this malware, dubbed Infostealer, attempts to steal sensitive information such as credentials stored in the browser or cryptocurrency from the infected device. Infostealer also blocks browser updates and allows arbitrary command execution on the device, which opens the door to a multitude of other security concerns, including re-establishing a foothold on the device even if Infostealer itself is eventually removed.
Once on this site, all a user needed to do was click the install button, and a Windows application containing the malware would download and could then be installed. The only things that might raise a red flag in this process are the name of the application file and the requirement to have the “Sideload apps” setting enabled, since the program did not come from the Microsoft Store. Otherwise, the software would install and run, allowing the malware to kick off its malicious process.
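Because the installer in this campaign depends on the “Sideload apps” setting being enabled and on the package not coming from the Microsoft Store, a defender can check both conditions from PowerShell. The script below is an added example written for this article, not tooling from Rapid7 or from the campaign analysis; it assumes the standard Windows registry locations for the sideloading setting (`AppModelUnlock` for the local setting and the `Policies\...\Appx` key for the Group Policy override) and uses the built-in `Get-AppxPackage` cmdlet to list installed packages whose signature is not from the Store. Run it in an elevated session to see packages for all users.

```powershell
# Added example: audit whether sideloading is enabled and list non-Store packages.
# Registry paths below are the standard Windows locations (assumption: unchanged on the audited host).

function Get-SideloadStatus {
    $local  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AppModelUnlock'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

    # 1 = sideloading allowed, 0 = blocked, $null = value not present (Windows default applies)
    $localValue  = (Get-ItemProperty -Path $local  -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    $policyValue = (Get-ItemProperty -Path $policy -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    $devMode     = (Get-ItemProperty -Path $local  -Name AllowDevelopmentWithoutDevLicense -ErrorAction SilentlyContinue).AllowDevelopmentWithoutDevLicense

    [pscustomobject]@{
        SideloadAllowedLocal  = $localValue
        SideloadAllowedPolicy = $policyValue   # Group Policy wins over the local value when set
        DeveloperMode         = $devMode
    }
}

function Get-NonStorePackages {
    # SignatureKind is one of: Store, Developer, Enterprise, System, None.
    # Anything that is not Store or System came from outside the Microsoft Store.
    Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind -notin @('Store', 'System') } |
        Select-Object Name, Publisher, SignatureKind, InstallLocation
}

$status = Get-SideloadStatus
$status | Format-List

if ($status.SideloadAllowedPolicy -eq 1 -or ($null -eq $status.SideloadAllowedPolicy -and $status.SideloadAllowedLocal -eq 1)) {
    Write-Warning 'Sideloading is enabled on this host; review the non-Store packages below.'
}

Get-NonStorePackages | Format-Table -AutoSize
```

Packages with `SignatureKind` of `Developer` or `None` installed on a workstation that has no business sideloading software are the ones worth triaging; a corporate policy that sets `AllowAllTrustedApps` to 0 under the `Policies` key would have stopped this installer from running at all.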
Thankfully, it appears that the malware is no longer being served at the discovered locations, but that does not necessarily mean it is gone. To help protect against this malware, people need to be keenly aware of which links they click and which files they download. Moreover, a program requesting more permissions than the default is generally a red flag unless you know precisely why it needs them. With these precautions, hopefully, Infostealer will become less effective and less prevalent.