Another threat group using an Android exploit kit, and a backdoor that targets both Android and Windows users, could easily slip under your reading radar. After all, there are just so many vulnerability and cyber attack warnings dropping week after week that it can become somewhat overwhelming. You would be advised not to ignore this report from researchers at Trend Micro, though, because the malware in question uses a novel tactic to ensure it can compromise your device: it “downdates” your web browser to an older version that isn’t protected from attack. Here’s what you need to know.
Trend Micro Researchers Uncover New Moonshine And DarkNimbus Threat Campaign That Can Downgrade Web Browser Security
In a Dec. 5 analysis published by Trend Micro, threat researchers Joseph C Chen and Daniel Lunghi detailed how a group of threat actors known as Earth Minotaur have been using the Moonshine exploit kit in combination with the DarkNimbus backdoor to target Android and Windows users. Moonshine specifically targets vulnerabilities in instant messaging apps running on Android, while the DarkNimbus backdoor has both Android and Windows versions. Although the primary target of the 2024 campaign, employing at least 55 servers, appears to be the Tibetan and Uyghur communities, the threat could emerge as one used to attack a broader demographic. Although, as a cybersecurity analyst myself, I find the technical aspects of the exploit kit and backdoor in this campaign interesting, what really caught my attention was one simple fact: the exploit kit checks to see if your browser is vulnerable to the attack before executing it and, if not, attempts to downgrade you to an older version that is.
How Attackers Downdate Your Web Browser Security Protections
I’m not going to go into all the details of this campaign, although it is well worth a read, and I heartily recommend you read the Trend Micro report. Instead, I want to focus just on the browser downdate aspect of the exploit kit. Moonshine, like most exploit kits of this type, looks for known vulnerabilities it can exploit. In this case, it is looking for multiple known vulnerabilities that exist in Chromium-based web browsers such as Chrome, Edge and so on. Or rather, I should say, existed. The past tense is appropriate because if you’ve been paying attention, you’ll know how important it is to update your web browser regularly. These security updates are automatic but do require the user to restart the browser, which means closing your extensive row of tabs for the update to activate successfully.
The Trend Micro researchers, however, said that they found the exploit kit “supports an interesting phishing technique meant to downgrade an app’s browser engine,” when it detects the browser isn’t vulnerable to the exploits it is looking for. In this case, the exploit kit doesn’t deliver the exploit code, but instead, “the server returns a phishing page informing the victim that the version of browser engine used in the app is outdated and needs to be upgraded with a provided download link,” the researchers said. You should have guessed by now that it leads to no such thing; instead, it’s a browser engine that is older and does contain the security vulnerabilities required. Once it has been downloaded, the Moonshine exploit kit re-launches the browser attack.
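The version check described above can be turned around on the defender's side: a device whose Chromium engine version suddenly drops is a signal worth alerting on. The following is an added example, not code from the Trend Micro report or this article, that scans constructed proxy log lines (timestamp, client address, User-Agent; an assumed format) and flags clients whose reported Chrome/ version regresses below what they sent earlier.

```python
import re

# Constructed sample web-proxy log lines ("<timestamp> <client> <user-agent>"),
# not taken from the Trend Micro report: client 10.0.0.5 suddenly reports a
# much older Chromium engine after running a current one.
SAMPLE_LOGS = """\
2024-12-01T09:00:00Z 10.0.0.5 Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Chrome/120.0.6099.43 Mobile Safari/537.36
2024-12-01T09:05:00Z 10.0.0.5 Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Chrome/120.0.6099.43 Mobile Safari/537.36
2024-12-01T09:20:00Z 10.0.0.5 Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 Chrome/83.0.4103.106 Mobile Safari/537.36
2024-12-01T09:21:00Z 10.0.0.7 Mozilla/5.0 (Linux; Android 12) AppleWebKit/537.36 Chrome/118.0.5993.80 Mobile Safari/537.36
2024-12-01T09:30:00Z 10.0.0.7 Mozilla/5.0 (Linux; Android 12) AppleWebKit/537.36 Chrome/119.0.6045.66 Mobile Safari/537.36
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
CHROME_RE = re.compile(r"Chrome/(\d+(?:\.\d+)*)")


def parse_version(ua):
    """Chromium engine version from a User-Agent as a tuple of ints, or None."""
    m = CHROME_RE.search(ua)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def find_downgrades(log_text):
    """Return (timestamp, client, previous_highest, new) for every client whose
    reported Chromium version drops below the highest version it sent earlier.
    Normal upgrades are ignored; a persisting downgrade is reported once."""
    highest, last, alerts = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, client, ua = m.groups()
        ver = parse_version(ua)
        if ver is None:
            continue  # not a Chromium-based engine, nothing to compare
        top = highest.get(client)
        if top is not None and ver < top and last.get(client) != ver:
            alerts.append((ts, client, ".".join(map(str, top)), ".".join(map(str, ver))))
        if top is None or ver > top:
            highest[client] = ver
        last[client] = ver
    return alerts


if __name__ == "__main__":
    for ts, client, old, new in find_downgrades(SAMPLE_LOGS):
        print(f"engine downgrade: {client} {old} -> {new} at {ts}")
```

In practice the client key would be a device or user identity rather than a bare address, and a regression alert should be paired with a check of what was downloaded just before it.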
I have reached out to Google and Microsoft for a statement.
To mitigate against this type of attack, the Trend Micro researchers recommended people regularly update applications, including web browsers, to the latest versions, as well as avoiding clicking on dubious links.