My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets


Back to the news list

Cybercriminals spread dangerous backdoor as Google Chrome update

March 25, 2020

Doctor Web virus analysts report that certain websites, from online news blogs to corporate pages created using WordPress CMS, have been compromised. The JavaScript script embedded in the hacked pages code redirects visitors to a phishing site where they are prompted to install an important security update for the Chrome browser. The downloadable file is a malware installer that allows attackers to remotely access and control the infected computers. Over 2000 people have downloaded the fake update so far.

According to the Doctor Web virus laboratory, the hacker group behind this attack was previously involved in spreading a fake installer of the popular VSDC video editor through its official website and the CNET software platform. This time the cybercrooks managed to gain administrative access to several websites that began to be used in the infection chain. They embedded a malicious JavaScript code inside the compromised pages that redirects users to a phishing site, which is presented as legitimate Google service.


Target selection is based on geolocation and browser detection. The target audience are users from the USA, Canada, Australia, Great Britain, Israel and Turkey, using the Google Chrome browser. It is worth noting that the downloaded file has a valid digital signature identical to the signature of the fake NordVPN installer distributed by the same criminal group.

The infection mechanism is implemented as follows. Upon launching the installer, it creates a folder in the %userappdata% directory that contains files for the TeamViewer remote control application and unpacks two password-protected SFX archives. One archive contains two components: a malicious msi.dll library, which allows one to establish an unauthorised connection to an infected computer and a batch file for launching the Chrome browser with Google[.]com start page. The second archive carries a script for bypassing Microsoft Windows’s built-in anti-virus protection. The msi.dll library is loaded into the RAM memory by the TeamViewer process, simultaneously hiding its activity from the user.

Using the backdoor, the attackers are able to deliver payload modules with malware to infected devices, such as:

  • The X-Key Keylogger,
  • The Predator The Thief stealer, and
  • A trojan for remote control over the RDP protocol.

All mentioned malware is successfully detected and removed by Dr.Web and does not pose a threat to our customers. The phishing page with malicious content has been added to the Dr.Web database of dangerous and non-recommended websites.

Indicators of compromise

Tell us what you think

To ask Doctor Web’s site administration about a news item, enter @admin at the beginning of your comment. If your question is for the author of one of the comments, put @ before their names.

Other comments