A new malvertising campaign has emerged in which ChromeLoader malware is being used to hijack browsers and steal data.
A sudden, unexpected spike in browser hijacking campaigns utilizing ChromeLoader malware has been detected lately, stated Aedan Russell from Red Canary. Russell noted that the attackers aim to hijack browsers through the “pervasive and persistent” ChromeLoader malware that can modify browser settings and redirect the victim to advertisement sites.
The malvertising campaign is financially motivated as the attackers are part of a wider network of marketing affiliates and redirect the user to advertising sites.
What is ChromeLoader?
For your information, ChromeLoader is a Chrome browser extension distributed as ISO files through pay-per-install websites and fraudulent social media posts usually offering QR codes, pirated movies, or cracked video games.
ChromeLoader changes web browser settings to display search results that lure users to download unwanted software, visit dating sites or adult games platforms, and participate in fake surveys. It stands apart among other browser hijackers for its incredible persistence, infection route, and volume involving abuse of PowerShell.
Attack Scenario
According to Red Canary’s blog post, the malware operators use a malicious ISO archive file to invade the system. This file is promoted as a cracked executable for commercial software or a video game so that the victims can download it from malicious sites or torrents. Malware operators also use Twitter posts to promote the malicious executable.
When the file is double-clicked by a user in Windows 10 or later systems, it is mounted as a virtual CD-ROM drive. Although it appears to be a keygen or game crack titled CS_Installer.exe, the executable in this ISO file actually unleashes the malware.
ChromeLoader then executes/decodes a PowerShell command to fetch an archive from the remote resource and gets loaded on the system as a Chrome extension. Afterward, the PowerShell removes the scheduled task and infects Chrome with a discreetly injected extension to hijack and manipulate the browser results.
Red Canary researchers identified that ChromeLoader operators also target macOS systems to manipulate Safari web browser and Chrome. The infection chain is similar on macOS, but attackers use DMG (Apple Disk Image) file instead of ISO.
Furthermore, instead of the executable containing the installer, in macOS, an installer bash script is used to download and decompress the malware extension onto the private/var/tmp directory.
More Chrome Browser and Malware News
- New Jupyter backdoor malware steals Chrome, Firefox data
- New variant of MassLogger Trojan stealing Chrome, Outlook data
- Chrome extensions with 80 million+ users found engaging in ad fraud
- Malicious Chrome, Edge extensions manipulating Google search results
- Malware infected browser extensions stealing Chrome, and Edge user data
