ValleyRAT threat employs Google Chrome drive-by download attack strategy.
Google security has been in the news this week for all the right reasons as researchers uncovered a critical Linux zero-day for Android users and issued a Zen alert for a nasty AMD chip vulnerability. There’s even been great news regarding how Google introduced a critical security update for Gmail users that has had an amazingly positive impact so far. But before you get too excited, and sorry to introduce a downer into the proceedings, security experts are warning about an ongoing threat that targets people looking to download the Google Chrome web browser app. Here’s what you need to know.
What Chrome Users Need To Know About ValleyRAT
Shmuel Uzan from Morphisec Threat Labs has reported how ongoing hack attacks have led to a “sophisticated, multi-stage malware named ValleyRAT,” and employ a drive-by download strategy to hook victims looking for the Google Chrome web browser app. All you need to know is that a drive-by download is one that the user authorizes without actually knowing what is really being downloaded. To achieve this, Uzan said, Morphisec has observed the attackers using “phishing emails, malicious websites, and instant messaging platforms.” In the latest such attack, Uzan noted, the threat actor “created a domain and website designed to impersonate a Chinese telecom company named Karlos,” to deliver the malware app.
Mitigating The Chrome Drive-By Download Risk
Jamie Akhtar, CEO at CyberSmart, said that while ValleyRAT itself is well-established malware, having first been observed back in 2023, what makes these latest attacks notable is the sophistication it appears to have developed in terms of techniques used and targets chosen. “The campaign is explicitly targeted at finance, sales and accounting professionals due to their proximity to sensitive data, rather than the ‘spray and pray’ approach of earlier campaigns,” Akhtar said. Acknowledging that the current campaign appears to be aimed squarely at Chinese users, Akhtar said others should not be apathetic toward the threat. “If there’s one thing for certain about cybercriminals, it’s that someone will copy this approach and apply it to Western companies.” As such, Akhtar concluded, “we urge anyone working in a role processing high-value sensitive data, like sales or accounting, to be extra vigilant when downloading tools like browsers or browser extensions.”
“Downloading software always carries a risk, especially if the individual downloading the software is not confirming that they are downloading from an official site,” Erich Kron, security awareness advocate at KnowBe4, said. “The practice of hosting malicious binaries, then poisoning Google search results through paid ads or other methods, can be quite effective.” Kron warned that with anything as critical as an internet browser, especially Google Chrome, which is the most popular browser client on the planet, it’s vitally important to take precautions to ensure it doesn’t come with malicious surprises. “This means making sure that the software is downloaded from the legitimate publisher site and not a third party,” Kron concluded. “Care must be taken when choosing your browser and any add-ons.” I have reached out to Google for a statement.
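The advice above, that a browser installer should come only from the legitimate publisher and not from a third-party or lookalike site, can be turned into a repeatable check rather than a habit. The script below is an added example written for this article; it is not code from Morphisec, Google, KnowBe4 or CyberSmart. It assumes an allowlist of official Chrome download hosts (www.google.com and dl.google.com, which a team would maintain from the vendor's own documentation) and an expected SHA-256 digest supplied out of band, for example from a change ticket or the vendor's published checksum. The host check matches the whole hostname exactly, which is what defeats the usual impersonation tricks: a trusted name buried in a longer host (`www.google.com.evil.example`), a hyphenated lookalike (`dl-google.com`), a `user@host` prefix, or a non-ASCII homograph.

```python
"""Defender-side check for a downloaded browser installer (added example, not the
article's or any vendor's code): was it fetched from an official host, and does it
match the digest we expected?"""
import hashlib
import hmac
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed allowlist of official Chrome download hosts. Treat this as configuration
# maintained from the vendor's documentation, not as an authoritative list.
OFFICIAL_HOSTS = frozenset({"www.google.com", "dl.google.com"})


def extract_host(url: str) -> Optional[str]:
    """Return the normalized hostname of a URL, or None if it is unusable.

    urlsplit().hostname already lower-cases the host and strips any user@ prefix,
    so 'https://www.google.com@evil.example/' yields 'evil.example'.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return None
    # Homograph names (e.g. a Cyrillic 'o' in 'google') are non-ASCII; reject them
    # outright rather than trying to compare them against ASCII allowlist entries.
    if not host.isascii():
        return None
    return host


def host_is_official(url: str, allowlist=OFFICIAL_HOSTS) -> bool:
    """True only for an HTTPS URL whose exact hostname is on the allowlist.

    Exact match (not 'allowed name appears somewhere in the host') is what blocks
    'www.google.com.evil.example' and 'dl-google.com'.
    """
    if urlsplit(url).scheme != "https":
        return False
    host = extract_host(url)
    return host is not None and host in allowlist


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large installers do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the file's SHA-256 against the expected value."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def check_download(url: str, data: bytes, expected_hex: str) -> List[str]:
    """Return a list of problems; an empty list means the download passed both checks."""
    problems = []
    if not host_is_official(url):
        problems.append(f"download host is not an official source: {extract_host(url)}")
    if not digest_matches(data, expected_hex):
        problems.append("sha256 digest does not match the expected value")
    return problems


if __name__ == "__main__":
    # Constructed sample: the bytes stand in for an installer, and the expected digest
    # is the SHA-256 of those bytes, as an operator would have recorded it in advance.
    sample_bytes = b"abc"
    expected = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    for url in ("https://dl.google.com/chrome/install/ChromeSetup.exe",
                "https://www.google.com.evil.example/chrome/ChromeSetup.exe",
                "https://dl-google.com/ChromeSetup.exe"):
        print(url, "->", check_download(url, sample_bytes, expected) or "OK")
```

In practice the digest check complements, rather than replaces, verifying the installer's code signature with the operating system's own tooling; the host check is the part that directly addresses the impersonation-domain technique this campaign relies on, and it belongs in whatever download-approval or endpoint-policy step an organisation already has.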