OLV Basiliek Zwolle

ChromeLoader browser malware spreads via pirated games and QR codes

By Ronnie A. Huntsman
May 26, 2022

A new malvertising campaign has emerged in which ChromeLoader malware is used to hijack browsers and steal data.

A sudden and unexpected spike in browser hijacking campaigns using ChromeLoader malware has been detected recently, said Aedan Russell of Red Canary. Russell noted that attackers aim to hijack browsers via the “ubiquitous and persistent” ChromeLoader malware that can modify browser settings and redirect the victim to advertising sites.

The malvertising campaign is financially motivated as the attackers are part of a larger affiliate marketing network and redirect the user to advertising sites.

What is ChromeLoader?

ChromeLoader is a Chrome browser extension distributed as ISO files via pay-to-install websites and scam social media posts that usually offer QR codes, pirated movies or pirated video games.

A screenshot of a Tweet shared by researchers shows a redacted malicious scannable QR code that leads to the ChromeLoader download site

ChromeLoader modifies web browser settings to display search results that trick users into downloading unwanted software, visiting dating sites or adult gaming platforms, and participating in fake surveys. It is distinguished from other browser hijackers by its persistence, its volume and its route of infection, which involves the abuse of PowerShell.

Attack scenario

According to Red Canary’s blog post, the malware operators use a malicious ISO archive file to get onto the system. The file is presented as a cracked executable for commercial software or a video game, so that victims download it from malicious sites or torrents. The operators also use Twitter posts to promote the malicious executable.

When a user double-clicks the file on Windows 10 or later, it is mounted as a virtual CD-ROM drive. The executable inside the ISO appears to be a game keygen or crack named CS_Installer.exe, but it actually delivers the malware.

ChromeLoader then decodes and executes a PowerShell command that retrieves an archive from a remote resource and loads it onto the system as a Chrome extension. The PowerShell then drops the scheduled task and infects Chrome with a stealthily injected extension to hijack and manipulate browser results.
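The Windows chain described above can be hunted for in process-creation telemetry. The following is an added example, not code from the article or from Red Canary: it decodes PowerShell's encoded-command argument, looks for scheduled-task activity inside it, and flags Chrome started by PowerShell with an extension-loading switch. The event field names (`image`, `parent`, `cmdline`), the sample events and the use of Chrome's `--load-extension` switch as the loading mechanism are assumptions.

```python
import base64

# Spellings powershell.exe accepts for -EncodedCommand: any prefix, plus -ec.
ENC_FLAGS = {"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}
TASK_MARKERS = ("scheduledtask", "schtasks")  # *-ScheduledTask cmdlets, schtasks.exe

def decode_encoded_command(cmdline):
    """Return the script carried in a PowerShell -EncodedCommand argument, or None."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[0] in "-/" and flag[1:].lower() in ENC_FLAGS:
            try:  # the payload is base64 over UTF-16LE text
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except ValueError:
                return None
    return None

def classify(event):
    """List the behaviours from the infection chain seen in one process-creation event."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    hits = []
    if image == "powershell.exe":
        script = decode_encoded_command(event["cmdline"])
        if script is not None:
            hits.append("encoded-powershell")
            if any(m in script.lower() for m in TASK_MARKERS):
                hits.append("scheduled-task-in-encoded-powershell")
    if (image == "chrome.exe" and parent == "powershell.exe"
            and "--load-extension" in event["cmdline"].lower()):
        hits.append("powershell-loads-chrome-extension")
    return hits

def _enc(script):  # helper that builds the constructed sample below
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed events, not taken from a real infection; names and paths are placeholders.
SAMPLE_EVENTS = [
    {"image": PS, "parent": r"E:\CS_Installer.exe",
     "cmdline": "powershell.exe -NoProfile -e " + _enc("Register-ScheduledTask -TaskName 'ExampleTask'")},
    {"image": CHROME, "parent": PS,
     "cmdline": r"chrome.exe --load-extension=C:\Users\user\AppData\Local\example_ext"},
    {"image": CHROME, "parent": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe https://example.com"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev) or ["no-match"], ev["cmdline"][:60])
```

Encoded PowerShell alone is common in legitimate administration tooling, so the first label is a triage signal; the combination with scheduled-task activity or a PowerShell-parented Chrome is the narrower indicator.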

Red Canary researchers have identified that ChromeLoader operators also target macOS systems to manipulate the Safari and Chrome web browsers. The infection chain is similar on macOS, but the attackers use a DMG (Apple Disk Image) file instead of an ISO.

Also, instead of the executable containing the installer, on macOS an installer bash script is used to download and unpack the malware extension to the private /var/tmp directory.
