IT giants warn of ongoing Chromeloader malware campaigns

VMware and Microsoft are warning of a widespread Chromeloader malware campaign that distributes several malware families.

ChromeLoader is a malicious Chrome browser extension, it is classified as a pervasive browser hijacker that modifies browser settings to redirect user traffic.

The malware is able to redirect the user’s traffic and hijacking user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code is also able to use PowerShell to inject itself into the browser and added the extension to the browser.

In May, researchers from Red Canary observed a malvertising campaign spreading the ChromeLoader malware that hijacks the victims’ browsers.

This week, VMware and Microsoft warned of an ongoing, widespread Chromeloader malware campaign that is dropping malicious browser extensions, node-WebKit malware, and ransomware.

Microsoft spotted an ongoing widespread click fraud campaign, the IT giant attributes the campaign to a threat actor tracked as DEV-0796. Attackers attempt to monetize clicks generated by a browser node-webkit or malicious browser extension they have secretly installed on victims’ devices.

This attack chain starts with an ISO file that’s downloaded when a user clicks malicious ads or YouTube comments. Upon opening the ISO file, a browser node-webkit (NW.js) or a browser extension is installed. Experts also observed threat actors using DMG files in order to target also macOS systems.

VMware published a report that provides technical details about multiple Chromeloader variants that the company observed since August.

“While thought to be just a credential stealing browser hijacker, ChromeLoader has been seen in its newest variants to be delivering more malicious malware and used for other nefarious purposes.” reads the report published by the virtualization giant.

As recently as late August, ChromeLoader has been used to drop ZipBombs onto infected systems, the malware was used to destroy the user’s system by overloading it with data.

Experts also observed the use of ChromeLoader to download the Enigma Ransomware which is distributed in HTML attachments found in the ISO archive.  Upon opening the attachment, it will launch the default browser, execute its embedded javascript, and then follow its standard chain.  

Other notable variants are a fake version of OpenSubtitles, which is a legitimate program that helps users find subtitles for popular movies and TV shows, and a fake version of Flbmusic.exe which is a legitimate program for cross-platform music playing. 

“It’s no surprise that this pesky adware has been one of our most frequent attacks.  This campaign has gone through many changes over the past few months, and we don’t expect it to stop.” concludes VMware. “As we’ve seen in previous Chromeloader infections, this campaign widely leverages powershell.exe and is likely to lead to more sophisticated attacks.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]