Aimed at Google Chrome users in the Netherlands today, the Betaling Google Chrome exploit is so well crafted that it's inevitable it will spread, and it could show up on your computer too. So let's see how it works…
First off, a quick translation: “betaling” means “payment” in Dutch, so when an app with the name “Betaling – Google Chrome.exe” shows up on the desktop of a Windows user, it’s not entirely unreasonable that they would click on it, thinking that it might be a secure version of Google Chrome that they’ve somehow downloaded. That’s a plus, right? A more secure version of the popular Web browser.
Once you launch it, though, the program pops up an error message telling you that your version of the .NET framework is out of date and that you need to upgrade it. Again, seems reasonable on the surface, because if you are getting a brand new browser, you surely need a brand new version of the .NET framework that underlies the entire Microsoft Windows system. Indeed, it’s exactly that plausibility that makes this such a dangerous malware program.
Let’s have a bit of show and tell, courtesy of images from MalwareHunter and BleepingComputer. First off, click and launch the malware and here’s what pops up. Seems quite plausible:
Now savvy Windows users will look at this window and frown: The latest version of the .NET framework is actually 4.6.2, according to Microsoft itself. But seriously, who checks?
Instead, you click on “OK” like 99.9% of other users and the “browser” pops up with a secure URL shown and this smack dab in the middle of the screen:
Looks completely legit, doesn’t it? And € 0.50 = $0.53 so it might be a bit weird to pay a tiny amount to get the necessary upgrade but, hey, it’s $0.53, why not just enter the data and proceed?
In fact, the input is validated by the program, and an error message can pop up if you enter the wrong data:
That translates roughly into “unfortunately your details are not properly filled in, please try again.” So you do. And you enter a valid credit card. And they’ve just charged you not $0.53 (or € 0.50) but $250 or $500 or more, or even just saved your credit card data to sell on the darknet for a tidy sum.
Not good. At all.
So be smart, whether you see this exact prompt or something similar: Don’t accept downloads from unknown sources, don’t click on files that “just appear” on your desktop and never, ever enter your payment information into a page or program that seems even the tiniest bit suspect.
Thanks to MalwareHunter and BleepingComputer for the helpful images.