NEWS Backdoor spreads as a fake Chrome update

According to researchers, this campaign is backed by the same hack group that was previously involved in distributing the fake installer of the popular VSDC video editor, both through the program’s official website and through third-party directories. This time, hackers managed to gain administrative access to the CMS of a number of sites that began to be used in the infection chain. A script is injected into the codes of pages of compromised resources that redirects users to a phishing page disguised as an official Google resource.

The selection of users is based on geolocation and the definition of the user’s browser. Target audience - visitors from the USA, Canada, Australia, UK, Israel and Turkey, using the Google Chrome browser. It is worth noting that the downloaded file has a valid digital signature similar to the signature of the fake NordVPN installer distributed by the same criminal group.

Using this backdoor, attackers are able to deliver payloads to infected devices in the form of other malicious applications. Among them have already been noticed:

• Keylogger X-Key Keylogger,
• Infostiller Predator The Thief,
• Trojan for remote control via RDP.