I. Targeted Entities
- Internet users
II. Introduction
LandUpdate808 is a malicious downloader that delivers payloads disguised as fake browser updates. The downloader is usually hosted on malicious or compromised websites. The Center for Internet Security listed LandUpdate808 among its top ten observed malware for the third quarter of 2024, where it ranked second.
III. Additional Background Information
When a visitor lands on an affected website, LandUpdate808 first redirects the browser to download the loader for the fake update content. The loader also sets a cookie in the visitor's browser, observed under the names “isDone” or “isVisited11”; its value is set to true once the fake update content has been delivered successfully. The cookie expires after four days, and while it is present the script skips the preceding steps, so a returning visitor is not shown the lure again. Analysts replaying the chain should therefore use a fresh browser session, since an existing cookie suppresses the lure. The fake update page imitates an out-of-date Chrome notification with a blue download button labeled “Update Chrome”. Clicking the button requests an “update.php” file, which serves the payload. The payload has been observed as a JS, EXE, or MSIX file, and the file type changes frequently. Recent reporting has identified multiple domains tied to the same IP address, a potential indicator that the LandUpdate808 operation is expanding.
IV. MITRE ATT&CK
- T1592 – Gather Victim Host Information
  - Using the getOS function included in the request for the page loader, LandUpdate808 collects basic host information such as the visitor's IP address and operating system.
- T1584 – Compromise Infrastructure
  - LandUpdate808 uses compromised domains as part of the malware's delivery chain.
- T1608 – Stage Capabilities
  - LandUpdate808 stages web resources that act as link targets in the delivery chain.
- T1204 – User Execution
  - LandUpdate808 relies on the user clicking the fake Chrome update button to download and execute the payload on the system.
V. Recommendations
We recommend monitoring your network for the indicators of compromise listed below to identify users who may have been compromised by LandUpdate808 and its payloads. In practice this means blocking the listed domains at the DNS resolver or web proxy, alerting on requests for an “update.php” resource that return a JS, EXE, or MSIX file, and searching web-proxy or browser telemetry for the “isDone” and “isVisited11” cookies. Chrome updates itself through its own updater and never delivers an update as a file downloaded from a third-party website, so users should be reminded to treat any such prompt as malicious.
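As an added example (not code from the Cyber Florida advisory or from the Malasada Tech reporting), the script below applies the detection logic described above to web-proxy log lines. The log format, the client addresses, the URL paths and the sample lines are constructed for illustration; the domains, cookie names, payload extensions and the update.php path are taken from this advisory. Adjust the LOG_LINE pattern to your own proxy format before use.

```python
"""Scan web-proxy log lines for LandUpdate808 indicators.

Added example, not part of the advisory. The log layout below is hypothetical:
  <timestamp> <client-ip> "<METHOD> <url>" <status> "<Cookie header>" "<Content-Type>"
"""
import re
from urllib.parse import urlparse

# Subset of the advisory's IOC domains with the de-fanging brackets removed,
# so they match what a proxy log actually records.
IOC_DOMAINS = {
    "kongtuke.com", "uhsee.com", "zoomzle.com", "elamoto.com",
    "ashleypuerner.com", "edveha.com",                # fake update page code
    "netzwerkreklame.de", "digimind.nl", "monlamdesigns.com",
    "sustaincharlotte.org", "chicklitplus.com",       # malicious payloads
}
COOKIE_NAMES = {"isDone", "isVisited11"}              # set by the loader
PAYLOAD_EXTENSIONS = (".js", ".exe", ".msix")         # observed payload types

# Hypothetical proxy log format (see module docstring).
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<url>\S+)" (?P<status>\d{3}) '
    r'"(?P<cookie>[^"]*)" "(?P<content_type>[^"]*)"$'
)


def host_matches_ioc(host: str) -> bool:
    """True if host is an IOC domain or a subdomain of one (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line: str):
    """Return (client, finding_kind, detail) tuples for one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []                     # unparseable line: skip, do not crash the scan
    url = urlparse(m["url"])
    host = url.hostname or ""
    path = url.path.lower()
    findings = []
    if host_matches_ioc(host):
        findings.append(("ioc_domain", host))
    if path == "update.php" or path.endswith("/update.php"):
        findings.append(("fake_update_endpoint", m["url"]))
    if path.endswith(PAYLOAD_EXTENSIONS) and host_matches_ioc(host):
        findings.append(("payload_download", m["url"]))
    # Cookie header is "name=value; name2=value2"; only the names matter here.
    cookies = {c.split("=", 1)[0].strip() for c in m["cookie"].split(";") if c.strip()}
    hit = cookies & COOKIE_NAMES
    if hit:
        findings.append(("landupdate808_cookie", ",".join(sorted(hit))))
    return [(m["client"], kind, detail) for kind, detail in findings]


def scan_log(lines):
    """Scan an iterable of log lines and collect every finding."""
    findings = []
    for line in lines:
        findings.extend(scan_line(line))
    return findings


def clients_of_concern(findings):
    """Distinct client addresses with at least one finding, sorted."""
    return sorted({client for client, _, _ in findings})


# Constructed sample log: one client walks the full chain, another is benign.
SAMPLE_LOG = [
    '2024-10-15T14:02:11Z 10.0.0.23 "GET https://www.example.org/blog/" 200 "" "text/html"',
    '2024-10-15T14:02:12Z 10.0.0.23 "GET https://kongtuke.com/js/loader.js" 200 "" "application/javascript"',
    '2024-10-15T14:02:15Z 10.0.0.23 "GET https://edveha.com/update.php" 302 "isDone=true" "text/html"',
    '2024-10-15T14:02:16Z 10.0.0.23 "GET https://netzwerkreklame.de/files/ChromeSetup.msix" 200 "isDone=true" "application/octet-stream"',
    '2024-10-15T14:05:40Z 10.0.0.77 "GET https://www.example.com/" 200 "session=abc" "text/html"',
]

if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for client, kind, detail in results:
        print(f"{client}\t{kind}\t{detail}")
    print("clients to triage:", clients_of_concern(results))
```

The domain check deliberately matches only exact hosts and subdomains, so a look-alike such as notkongtuke.com does not fire; the cookie check matches on name only, because the advisory reports the value as true but the value could change before the names do.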
VI. IOCs (Indicators of Compromise)
| Type | Indicator |
|---|---|
| Domains – Malicious Payloads | netzwerkreklame[.]de |
| Domains – Malicious Payloads | digimind[.]nl |
| Domains – Malicious Payloads | monlamdesigns[.]com |
| Domains – Malicious Payloads | sustaincharlotte[.]org |
| Domains – Malicious Payloads | chicklitplus[.]com |
| Domains – Malicious Payloads | espumadesign[.]com |
| Domains – Malicious Payloads | owloween[.]com |
| Domains – Malicious Payloads | Wildwoodpress[.]org |
| Domains – Malicious Payloads | napcis[.]org |
| Domains – Malicious Payloads | sunkissedindecember[.]com |
| Domains – Malicious Payloads | rm-arquisign[.]com |
| Domains – Fake Update Page Code | kongtuke[.]com |
| Domains – Fake Update Page Code | uhsee[.]com |
| Domains – Fake Update Page Code | zoomzle[.]com |
| Domains – Fake Update Page Code | elamoto[.]com |
| Domains – Fake Update Page Code | ashleypuerner[.]com |
| Domains – Fake Update Page Code | edveha[.]com |
| Domains – Initiated Requests for Content | razzball[.]com |
| Domains – Initiated Requests for Content | monitor[.]icef[.]com |
| Domains – Initiated Requests for Content | careers-advice-online[.]com |
| Domains – Initiated Requests for Content | ecowas[.]int |
| Domains – Initiated Requests for Content | sixpoint[.]com |
| Domains – Initiated Requests for Content | eco-bio-systems[.]de |
| Domains – Initiated Requests for Content | evolverangesolutions[.]com |
| Domains – Initiated Requests for Content | natlife[.]de |
| Domains – Initiated Requests for Content | sunkissedindecember[.]com |
| Domains – Initiated Requests for Content | fajardo[.]inter[.]edu |
| Domains – Initiated Requests for Content | fup[.]edu[.]co |
| Domains – Initiated Requests for Content | lauren-nelson[.]com |
| Domains – Initiated Requests for Content | netzwerkreklame[.]de |
| Domains – Initiated Requests for Content | digimind[.]nl |
| Domains – Initiated Requests for Content | itslife[.]in |
| Domains – Initiated Requests for Content | ecohortum[.]com |
| Domains – Initiated Requests for Content | thecreativemom[.]com |
| Domains – Initiated Requests for Content | backalleybikerepair[.]com |
| Domains – Initiated Requests for Content | mocanyc[.]org |
VII. References
Samala, A. (2024a, July 2). The LandUpdate808 Fake Update Variant. Malasada Tech. https://malasada.tech/the-landupdate808-fake-update-variant/
Samala, A. (2024b, October 15). New Behavior for LandUpdate808 Observed. Malasada Tech. https://malasada.tech/new-behavior-for-landupdate808-observed/
Threat Advisory created by The Cyber Florida Security Operations Center. Contributing Security Analysts: Benjamin Price