ChromeLoader is evolving into a significant threat: its payloads are no longer limited to malvertising. Microsoft and VMware have warned of a new ChromeLoader campaign that is propagating several malware families.

Diving into details

  • VMware observed ChromeLoader variants dropping ransomware on both macOS and Windows systems.
  • This followed shortly after Microsoft warned of a click-fraud campaign run by the actor it tracks as DEV-0796, which is believed to be spreading ChromeLoader variants.
  • The multi-stage malware hijacks the browser and redirects victims to advertising sites so that the operators earn revenue from ad clicks and views.
  • The malware is also modular: additional functionality can be downloaded separately or bundled into the image file used for delivery.

Why this matters

  • VMware tracked at least 10 ChromeLoader strains, some of which impersonate legitimate programs such as FLB Music and OpenSubtitles.
  • Other versions could deploy more damaging payloads.
  • The growing use of ISO image files as a delivery vector is likely a response to Microsoft blocking Office macros by default; a mounted image presents its contents as a new drive, and files run from it historically did not carry the mark-of-the-web that triggers SmartScreen and Protected View.
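One practical detection that follows from the ISO observation, written here as an added example (it is not code from the article, nor from Microsoft or VMware): correlate a browser writing an .iso file with a process starting, shortly afterwards, from a drive letter that is not one of the machine's fixed volumes, since a user-mounted image shows up as a new drive. The pipe-delimited log format, the sample lines, the browser list and the fixed-drive set are all constructed assumptions; real telemetry such as Sysmon file-create and process-create events would need its own parser.

```python
# Added example, not from the article: toy detector for the ISO-delivery
# pattern (browser downloads .iso -> user mounts it -> binary runs from the
# mounted volume). Log format, sample lines, BROWSERS and FIXED_DRIVES are
# constructed assumptions for the demonstration.
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    kind: str    # "file_create" or "process_create"
    actor: str   # process that wrote the file / parent of the new process
    path: str    # file written / image path of the new process


BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed download sources
FIXED_DRIVES = {"C:"}  # assumed volumes present before the download; a mounted ISO gets a new letter


def basename(p: str) -> str:
    return p.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line: str) -> Event:
    # Constructed format: ISO-8601 timestamp|kind|actor|path
    ts, kind, actor, path = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), kind, actor, path)


def detect_iso_execution(lines, window=timedelta(minutes=30)):
    """Return one alert per process that starts from a non-fixed drive within
    `window` of a browser writing an .iso file."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    iso_downloads = []
    alerts = []
    for ev in events:
        if ev.kind == "file_create":
            if ev.path.lower().endswith(".iso") and basename(ev.actor) in BROWSERS:
                iso_downloads.append(ev)
        elif ev.kind == "process_create":
            drive = ev.path[:2].upper()
            if not (len(drive) == 2 and drive[1] == ":") or drive in FIXED_DRIVES:
                continue  # UNC path or a fixed volume: not the pattern we want
            for dl in iso_downloads:
                if timedelta(0) <= ev.ts - dl.ts <= window:
                    alerts.append({
                        "time": ev.ts.isoformat(),
                        "image": ev.path,
                        "parent": ev.actor,
                        "iso": dl.path,
                    })
                    break
    return alerts


# Constructed sample log: one download, one benign launch from C:, one launch
# from the mounted image (E:), and one later launch from F: outside the window.
SAMPLE_LOG = [
    r"2022-09-20T10:01:03|file_create|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\Downloads\FLB_Music_Setup.iso",
    r"2022-09-20T10:02:40|process_create|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe",
    r"2022-09-20T10:03:15|process_create|C:\Windows\explorer.exe|E:\FLB_Music_Setup.exe",
    r"2022-09-20T12:30:00|process_create|C:\Windows\explorer.exe|F:\Tools\putty.exe",
]

if __name__ == "__main__":
    for a in detect_iso_execution(SAMPLE_LOG):
        print(f"[{a['time']}] {a['image']} started by {a['parent']} after ISO download {a['iso']}")
```

The time window and the fixed-drive allow-list are the two knobs worth tuning: a tight window keeps false positives from USB sticks low, and in an environment where mount events are logged (for example from the VHDMP provider) the drive-letter heuristic can be replaced by the actual mount record.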

The bottom line

Given how often ChromeLoader has appeared in recent attacks, researchers expect its propagation to continue. Its capabilities and the features of the current campaign suggest it will be used in more sophisticated attacks in the future.
Cyware Publisher