Experts warn of a new malvertising campaign spreading the ChromeLoader

Researchers warn of a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

Researchers from Red Canary observed a new malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

ChromeLoader is a malicious Chrome browser extension, it is classified as a pervasive browser hijacker that modifies browser settings to redirect user traffic. Threat actors spread the malware via an ISO file masqueraded as a cracked video game or pirated movie or TV show.

“However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions.” reads the analysis published by the experts.

The malware is able to redirect the user’s traffic and hijacking user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code is also able to use PowerShell to inject itself into the browser and added the extension to the browser.

Upon running the executable included in the mounted .ISO image file, the ChromeLoader is installed, along with a .NET wrapper for the Windows Task Scheduler used by the threat to achieve the persistence.

“Executing CS_Installer.exe creates persistence through a scheduled task using the Service Host Process (svchost.exe). Notably, ChromeLoader does not call the Windows Task Scheduler (schtasks.exe) to add this scheduled task, as one might expect. Instead, we saw the installer executable load the Task Scheduler COM API, along with a cross-process injection into svchost.exe (which is used to launch ChromeLoader’s scheduled task).” continues the analysis.

In April, the researcher Colin Cowie also published an analysis of the macOS version of ChromeLoader, the malicious code is able to install malicious extensions into both the Chrome and Safari web browsers.

The report published by the experts includes the following detection opportunities for this threat:

• Detection opportunity 1: PowerShell containing a shortened version of the encodedCommand flag in its command line;
• Detection opportunity 2: PowerShell spawning chrome.exe containing load-extension and AppData\Local within the command line;
• Detection opportunity 3: Shell process spawning process loading a Chrome extension within the command line;
• Detection opportunity 4: Redirected Base64 encoded commands into a shell process

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, chromeloader)

[adrotate banner=”5″]

[adrotate banner=”13″]