ChromeLoader malware threatens Windows and macOS
During May, a rather high prevalence of the ChromeLoader malware was observed. It lets its operators hijack the victim's browser in order to promote unwanted software and open pages dedicated to surveys and prize competitions, adult games and bogus dating sites, all with the aim of earning money through affiliate schemes. Among the many hijackers in circulation, ChromeLoader stands out for its persistence on infected systems, for how widely it has spread, and for infection methods that make intensive use of PowerShell.

Red Canary researchers have been tracking this malware since February and have identified the main attack vector: an ISO archive file used by the criminals to infect victims' systems. The ISO file is disguised as a cracked executable for pirated games or commercial software, which users download themselves from compromised sites or sites hosting torrent lists. The distribution is backed by a promotional campaign on Twitter, where Android games are advertised alongside cracks and QR codes that redirect users to malicious sites.
Malware often affects web browsers
To get rid of the threat, both Google and Apple have prepared special guides, which can be consulted freely:
ChromeLoader removal guide for Chrome
ChromeLoader removal guide for Safari
As always, we remind you that downloading pirated material is illegal, but also very dangerous, since it exposes you to serious risks, not least the possibility of suffering a ransomware attack.
Experts Warn of Rise in ChromeLoader Malware Hijacking Users' Browsers
A malvertising threat is witnessing a new surge in activity since its emergence earlier this year.
Dubbed ChromeLoader, the malware is a 'pervasive and persistent browser hijacker that modifies its victims' browser settings and redirects user traffic to advertisement websites,' Aedan Russell of Red Canary said in a new report.
ChromeLoader is a rogue Chrome browser extension and is typically distributed in the form of ISO files via pay-per-install sites and baited social media posts that advertise QR codes to cracked video games and pirated movies.
While it primarily functions by hijacking user search queries to Google, Yahoo, and Bing and redirecting traffic to an advertising site, it's also notable for its use of PowerShell to inject itself into the browser and get the extension added.
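As an added illustration of the PowerShell-to-browser behaviour described above (example detection logic written for this page, not Red Canary's or the article's code), the following scans constructed process-creation records for a browser launched by PowerShell with an unpacked extension sideloaded. The `--load-extension` switch and the Temp-folder location are assumptions, since the article does not name how the extension gets added.

```python
import ntpath
import re

# Image names to match on (lower-cased basenames of the event's paths).
POWERSHELL = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe"}

# Constructed sample events, one per line: ParentImage|Image|CommandLine.
# Line 2 mimics the ChromeLoader pattern; line 3 is a developer loading an
# unpacked extension by hand and should not be reported.
SAMPLE_LOG = [
    "C:\\Windows\\explorer.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|chrome.exe --profile-directory=Default",
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|chrome.exe --load-extension=C:\\Users\\u\\AppData\\Local\\Temp\\ext",
    "C:\\Windows\\explorer.exe|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|chrome.exe --load-extension=C:\\dev\\myext",
]


def basename(path):
    return ntpath.basename(path.strip('"')).lower()


def score_event(parent, image, cmdline):
    """Return the indicator names triggered by one process-creation event."""
    hits = []
    if basename(image) not in BROWSERS:
        return hits
    if basename(parent) in POWERSHELL:
        hits.append("browser_spawned_by_powershell")
    # Assumed mechanism: an unpacked extension passed on the command line.
    m = re.search(r"--load-extension=(\S+)", cmdline, re.I)
    if m:
        hits.append("unpacked_extension_sideload")
        if re.search(r"\\AppData\\Local\\Temp\\", m.group(1), re.I):
            hits.append("extension_in_temp_dir")
    return hits


def scan(lines):
    """Report events with at least two indicators, to cut developer noise."""
    findings = []
    for line in lines:
        parent, image, cmdline = line.split("|", 2)
        hits = score_event(parent, image, cmdline)
        if len(hits) >= 2:
            findings.append((basename(image), hits))
    return findings
```

Requiring two indicators keeps a developer's manual `--load-extension` run out of the alert queue while still catching the PowerShell-launched variant.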
The malware, also known as Choziosi Loader, was first documented by G DATA earlier this February.
'For now the only purpose is getting revenue via unsolicited advertisements and search engine hijacking,' G DATA's Karsten Hahn said. 'But loaders often do not stick to one payload in the long run and malware authors improve their projects over time.'
Another trick up ChromeLoader's sleeve is its ability to redirect victims from the Chrome extensions page ('chrome://extensions') should they attempt to remove the add-on.
Furthermore, researchers have detected a macOS version of the malware that works against both Chrome and Safari browsers, effectively turning ChromeLoader into a cross-platform threat.
'If applied to a higher-impact threat — such as a credential harvester or spyware — this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user's browser sessions,' Russell noted.