How Cybercriminals Use Web Injects to Deliver Malware: A Deep Dive into TA2726 & TA2727
Overview
Recent campaigns by cybercriminal groups TA2726 and TA2727 highlight the growing use of web injects to distribute malware across Windows, macOS, and Android devices. These attacks rely on compromised websites, social engineering, and OS-specific payloads to steal sensitive data.
Key findings:
Attackers compromise websites to inject malicious JavaScript.
Traffic Distribution Systems (TDS) filter victims based on their OS and location.
Fake browser update pages trick users into downloading malware.
New macOS malware, FrigidStealer, is being used alongside Windows and Android threats.
Data is exfiltrated to command-and-control (C2) servers while persistence mechanisms ensure long-term access.
This blog breaks down the full attack path into six clear steps. But first, here’s a quick visual summary:
[Figure: A Deep Dive into TA2726 & TA2727]
Step 1: Website Compromise and JavaScript Injection
Threat actors first compromise legitimate websites and inject malicious JavaScript that changes what the site shows to visitors.
Common methods include:
Exploiting vulnerabilities in WordPress, Joomla, or other CMS platforms.
Injecting JavaScript through third-party plugins or libraries.
Using Traffic Distribution Systems (TDS) to selectively redirect visitors.
Once injected, this JavaScript dynamically redirects users based on their operating system and region.
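A site owner or incident responder can catch this class of inject with a content integrity check: compare every script tag in the served page against the hosts the site is expected to load from, and flag inline scripts that use the decoding and evaluation primitives injected loaders commonly rely on. The script below is an added example written for this post, not code from Proofpoint or from either threat actor; the HTML sample, the allowlist of hosts and the `.invalid` domain are all constructed for illustration.

```python
"""Added example: flag script tags in a served page that point outside an
allowlist of expected hosts, or inline scripts with obfuscation markers.
The HTML below is constructed for this example, not captured from a real site."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts the site owner expects scripts to come from.
ALLOWED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Decoding/evaluation primitives frequently seen in injected loaders.
OBFUSCATION_PATTERNS = [
    ("eval", r"\beval\s*\("),
    ("atob", r"\batob\s*\("),
    ("fromCharCode", r"String\.fromCharCode"),
    ("document.write", r"document\.write\s*\("),
    ("unescape", r"\bunescape\s*\("),
]

# Constructed page: one expected CDN script, one unexpected host, one obfuscated
# inline block and one benign inline block.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-site.test/app.js"></script>
<script src="https://static.attacker-cdn.invalid/loader.js"></script>
<script>var p=atob("aGVsbG8=");eval(p);</script>
<script>console.log("benign analytics stub");</script>
</head><body>Hello</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html):
    """Return (finding_type, detail) tuples for unexpected or obfuscated scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        # Relative URLs have no host and are same-origin; only foreign hosts are checked.
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("external_script_unexpected_host", host))
    for body in parser.inline:
        hits = [name for name, pat in OBFUSCATION_PATTERNS if re.search(pat, body)]
        if hits:
            findings.append(("inline_script_obfuscation", ",".join(hits)))
    return findings


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(finding)
```

Run this against a copy of the page fetched the way a visitor would fetch it (with a browser user agent and from outside the site's own network), since injects served through a TDS may not appear when the page is requested from the hosting account itself.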
Step 2: Traffic Redirection and Filtering
When a user visits the compromised website, the injected JavaScript checks their system details. A TDS then determines which payload to serve based on factors like:
Operating system (Windows, macOS, Android)
Geolocation (North America, Europe, etc.)
User agent (browser type and version)
This filtering ensures that only relevant targets receive the malicious payload.
Users in North America are often redirected to campaigns linked to TA569, which distributes SocGholish fake updates.
Users elsewhere may receive malware directly from TA2727, including Lumma Stealer (Windows), FrigidStealer (macOS), and Marcher (Android).
Step 3: Fake Browser Update Social Engineering
Once redirected, users land on a fake browser update page. This page mimics Chrome, Safari, or Edge update prompts and instructs users to download what appears to be a legitimate update.
Key techniques:
JavaScript-based loaders trigger malware downloads.
macOS users are prompted to bypass Gatekeeper by manually opening the file.
Windows users receive MSI files that bundle legitimate software with malicious DLLs.
These methods convince users to install malware without triggering security alerts.
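The redirect chain in Steps 2 and 3 leaves a recognisable trace in web proxy logs: a visit to an ordinary site, a hop through an intermediary, and then a download of an installer whose filename is built around a browser name or the word "update" from a host that is not a browser vendor. The detector below is an added example for this post, not code from the original article or from Proofpoint; the log format, the vendor allowlist and the `.invalid`/`.test` hostnames are constructed assumptions, so adapt the parser to your proxy's real format.

```python
"""Added example: flag browser-'update' installer downloads from non-vendor hosts
in proxy logs and reconstruct the client's request chain leading to them.
Log lines and hostnames below are constructed for this example."""
import re
from urllib.parse import urlparse

# Hypothetical allowlist of hosts that legitimately serve browser installers.
VENDOR_HOSTS = {"dl.google.com", "www.microsoft.com", "swcdn.apple.com"}
INSTALLER_EXT = (".msi", ".dmg", ".apk", ".pkg", ".exe")
LURE_WORDS = ("update", "chrome", "safari", "edge", "firefox", "browser")

# Constructed log format: timestamp client method url status referer ('-' if none)
SAMPLE_LOG = """\
2024-02-15T10:01:02Z 10.0.0.5 GET https://www.example-news.test/article/123 200 -
2024-02-15T10:01:03Z 10.0.0.5 GET https://tds-redirector.invalid/go?x=1 302 https://www.example-news.test/article/123
2024-02-15T10:01:04Z 10.0.0.5 GET https://fake-cdn.invalid/ChromeUpdate.msi 200 https://tds-redirector.invalid/go?x=1
2024-02-15T10:05:00Z 10.0.0.7 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200 https://www.google.com/chrome/
2024-02-15T10:06:00Z 10.0.0.9 GET https://intranet.example.test/report.pdf 200 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one constructed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, referer = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "referer": None if referer == "-" else referer}


def is_suspicious_installer(entry):
    """True for installer downloads named like a browser update from a non-vendor host."""
    u = urlparse(entry["url"])
    path = u.path.lower()
    if not path.endswith(INSTALLER_EXT):
        return False
    filename = path.rsplit("/", 1)[-1]
    if not any(word in filename for word in LURE_WORDS):
        return False
    return (u.hostname or "") not in VENDOR_HOSTS


def detect(log_text):
    """Return one alert per suspicious download, with that client's preceding requests."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    for e in entries:
        if is_suspicious_installer(e):
            # ISO-8601 timestamps compare correctly as strings.
            chain = [x["url"] for x in entries
                     if x["client"] == e["client"] and x["ts"] <= e["ts"]]
            alerts.append({"client": e["client"], "download": e["url"], "chain": chain})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["client"], "->", " > ".join(alert["chain"]))
```

The chain is what turns a single download event into a triage-ready story: the first URL tells you which legitimate site was compromised, the middle hop is the TDS, and the last is the lure host to block.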
Step 4: Malware Installation and Execution
Depending on the victim’s OS, different malware payloads are deployed:
Windows: Lumma Stealer via DLL Sideloading
The victim downloads an MSI file disguised as a browser update.
The MSI installs a legitimate application, such as Rene.E Facebook Widget.
A trojanized DLL is placed alongside the application.
When the app runs, the DLL sideloads DOILoader, which decrypts and executes Lumma Stealer.
Lumma Stealer collects credentials, cookies, and cryptocurrency wallets.
macOS: FrigidStealer via DMG File
The victim downloads a DMG file named after a Safari or Chrome update.
The file is self-signed and built using WailsIO to appear legitimate.
When opened, the app prompts the user for their macOS password using AppleScript.
FrigidStealer extracts saved passwords, cookies, and Apple Notes.
Data is sent to askforupdate[.]org.
Android: Marcher Banking Trojan
The user downloads a malicious APK disguised as a browser update.
The app requests Accessibility Service permissions to gain control.
Marcher overlays banking apps, intercepts SMS-based 2FA codes, and steals credentials.
Each version of the malware is tailored to maximize infection success on its respective platform.
Step 5: Data Exfiltration to Command and Control Servers
Once the malware is installed, it begins transmitting stolen data to attacker-controlled servers.
Lumma Stealer, FrigidStealer, and Marcher use encrypted channels to evade detection.
C2 servers rotate frequently, using fast-flux hosting to avoid takedowns.
Data typically includes credentials, cookies, banking details, and cryptocurrency wallets.
The use of legitimate cloud storage services further complicates detection.
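Fast-flux C2 hosting has a measurable signature in passive DNS: one name resolving to many different addresses, spread across unrelated networks, with short TTLs so the rotation takes effect quickly. The scorer below is an added example for this post (not code from the article or from Proofpoint) that applies those three heuristics to constructed DNS observations; the thresholds and the `.invalid`/`.test` names are assumptions to tune against your own resolver data.

```python
"""Added example: score domains in passive DNS data for fast-flux behaviour
(many unique IPs, several distinct networks, short TTLs).
The DNS observations below are constructed for this example."""
import ipaddress
from collections import defaultdict

# Constructed format: timestamp qname rtype rdata ttl
SAMPLE_DNS = """\
2024-02-15T10:00:00Z c2-rotating.invalid A 198.51.100.10 60
2024-02-15T10:02:00Z c2-rotating.invalid A 203.0.113.22 60
2024-02-15T10:04:00Z c2-rotating.invalid A 192.0.2.77 60
2024-02-15T10:06:00Z c2-rotating.invalid A 198.51.100.200 60
2024-02-15T10:08:00Z c2-rotating.invalid A 203.0.113.150 45
2024-02-15T10:00:00Z www.example-site.test A 192.0.2.10 3600
2024-02-15T10:30:00Z www.example-site.test A 192.0.2.10 3600
2024-02-15T10:00:00Z cdn.example-site.test A 192.0.2.20 300
2024-02-15T10:01:00Z cdn.example-site.test A 192.0.2.21 300
"""


def parse_dns(text):
    """Return (qname, ip_address, ttl) for each A record in the constructed format."""
    records = []
    for line in text.splitlines():
        ts, qname, rtype, rdata, ttl = line.split()
        if rtype == "A":
            records.append((qname, ipaddress.ip_address(rdata), int(ttl)))
    return records


def score_domains(records, min_unique_ips=4, max_ttl=300, min_networks=2):
    """Per domain: unique IPs, distinct /16 networks, lowest TTL, and a fast-flux verdict.
    Thresholds are assumptions for this example, not published detection values."""
    by_name = defaultdict(list)
    for qname, ip, ttl in records:
        by_name[qname].append((ip, ttl))
    results = {}
    for qname, observations in by_name.items():
        ips = {ip for ip, _ in observations}
        # Spread across networks matters: a real CDN also has many IPs, but fast-flux
        # infrastructure built on compromised hosts spans unrelated address blocks.
        networks = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        ttl_min = min(ttl for _, ttl in observations)
        flagged = (len(ips) >= min_unique_ips
                   and len(networks) >= min_networks
                   and ttl_min <= max_ttl)
        results[qname] = {"unique_ips": len(ips), "networks": len(networks),
                          "min_ttl": ttl_min, "fast_flux": flagged}
    return results


if __name__ == "__main__":
    for name, info in score_domains(parse_dns(SAMPLE_DNS)).items():
        print(name, info)
```

Treat a positive score as a lead rather than a verdict: large CDNs and cloud load balancers also return short TTLs and many addresses, which is why the network-spread condition is included and why the flagged domain should be cross-checked against the proxy or EDR telemetry that shows which process contacted it.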
Step 6: Persistence Mechanisms
To maintain long-term access, the malware employs various persistence techniques:
Windows:
Modifies registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
Creates scheduled tasks to re-run malware on login.
macOS:
Installs LaunchAgents (~/Library/LaunchAgents/) to execute malware on startup.
Adds itself to Login Items for automatic execution.
Android:
Abuses Accessibility Services to prevent uninstallation.
Gains Device Admin Privileges to ensure persistence across reboots.
These methods make manual removal difficult without specialized tools.
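The Windows and macOS persistence locations listed above are also where a responder should look first. The audit below is an added example for this post, not code from the article or from Proofpoint: it parses a LaunchAgent plist and a set of `HKCU\...\Run` values and reports why each entry deserves a look (auto-start at login, an executable in a temporary or hidden directory, or a script/DLL host binary). The plist, the Run values and the suspicious-directory lists are constructed assumptions; on a live host you would read the plist files from `~/Library/LaunchAgents/` and the Run values with `winreg` instead.

```python
"""Added example: audit macOS LaunchAgent plists and Windows Run-key values for
traits common to malware persistence. Inputs below are constructed samples."""
import plistlib
import re

# Constructed LaunchAgent: auto-starts a binary hidden under Application Support.
SAMPLE_LAUNCH_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Users/alice/Library/Application Support/.hidden/agent</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""

# Constructed HKCU\Software\Microsoft\Windows\CurrentVersion\Run values (name -> command).
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": r"C:\Users\alice\AppData\Local\Temp\upd\widget.exe",
}

# Assumed locations where a legitimately installed auto-start binary rarely lives.
MAC_SUSPECT_DIRS = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")
WIN_SUSPECT_DIRS = ("/appdata/local/temp/", "/temp/", "/downloads/", "/users/public/")
SCRIPT_HOSTS = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell)\b")


def audit_launch_agent(plist_bytes):
    """Return the agent's label, program path and the reasons it looks suspicious."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or [d.get("Program", "")]
    program = args[0]
    reasons = []
    if d.get("RunAtLoad") or d.get("KeepAlive"):
        reasons.append("runs automatically at login")
    if any(program.startswith(p) for p in MAC_SUSPECT_DIRS):
        reasons.append("program in temporary or shared directory")
    if "/." in program:
        reasons.append("program path contains a hidden directory")
    return {"label": d.get("Label"), "program": program, "reasons": reasons}


def audit_run_values(values):
    """Return findings for Run-key values that point at unusual paths or script hosts."""
    findings = []
    for name, command in values.items():
        # Normalise separators and case so the directory checks are simple substrings.
        low = command.lower().replace("\\", "/")
        reasons = []
        if any(p in low for p in WIN_SUSPECT_DIRS):
            reasons.append("executable in temp or download directory")
        if SCRIPT_HOSTS.search(low):
            reasons.append("uses a script or DLL host binary")
        if reasons:
            findings.append({"name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    print(audit_launch_agent(SAMPLE_LAUNCH_AGENT))
    for finding in audit_run_values(SAMPLE_RUN_VALUES):
        print(finding)
```

Neither check proves an entry is malicious; the value is in shrinking a long list of auto-start items to the few worth pulling hashes and signatures for.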
Threat Actor Analysis
TA2726: Traffic Broker
Operates a Traffic Distribution System (TDS) to filter victims.
Redirects traffic to TA569 and TA2727 campaigns.
Uses Keitaro TDS and rotating domain infrastructure.
TA2727: Malware Distributor
Deploys fake browser update lures.
Distributes Lumma Stealer, FrigidStealer, and Marcher.
Uses domains like fastcloudcdn[.]com to serve malware.
Both actors work together to scale infections across multiple regions and operating systems.
Conclusion
The increasing complexity of web inject-based malware campaigns makes detection and prevention more challenging. TA2726 and TA2727 demonstrate how attackers leverage website compromises, traffic filtering, and social engineering to target Windows, macOS, and Android users.
The emergence of FrigidStealer highlights the growing focus on macOS as a target. Organizations must adopt multi-layered defenses to mitigate these threats.
Sources
Proofpoint. (2024, February 15). Update on fake updates: Two new actors and new Mac malware. Proofpoint Threat Insight. https://www.proofpoint.com/us/blog/threat-insight/update-fake-updates-two-new-actors-and-new-mac-malware