ChromeLoader Malware Evolves into a Widespread and More Dangerous Cyber ​​Threat

Security researchers are sounding the alarm over the malicious tool named ChromeLoader. It first emerged in January as a consumer-focused, browser-hijacking credential stealer, but has now become a widespread and multifaceted threat to organizations across multiple industries.

In a notice published on September 19, researchers from VMware’s Carbon Black-managed detection and response team said they had recently observed that the malware was also used to drop ransomware, steal sensitive data and deploy bombs. say unzip (or zip) to crash the systems. .

Researchers said they observed hundreds of attacks involving newer versions of the malware targeting companies in business services, education, government, healthcare and several other sectors.

“This campaign has undergone many changes over the past few months, and we don’t expect it to end“, warned the researchers. “It is imperative that these industries take note of the prevalence of this [threat] and get ready to answer it.”

Ongoing and widespread campaign

VMware’s warning echoed one from the Microsoft Security Intelligence team on Friday regarding a threat actor they are tracking as DEV-0796, who is using ChromeLoader in a massive ongoing click fraud campaign. In a series of tweets, the researchers said the cyberattackers were attempt to monetize clicks generated by a browser extension or browser node webkit that ChromeLoader had secretly downloaded to many user devices.

“This campaign starts with an .ISO file that is downloaded when a user clicks on malicious ads or YouTube comments,” according to Microsoft’s analysis. When opened, the .ISO file installs the aforementioned Browser Node Kit (NW.js) or a browser extension.

“We also found usage of DMG files, indicating cross-platform activity,” the Microsoft researchers added.

ChromeLoader (aka ChromeBack or Choziosi Loader) drew attention in January when researchers observed malware operators using it to drop a malicious browser extension as a payload on users’ systems. The malware targeted users who visited sites touting pirated video games and pirated torrents.

Researchers from the Palo Alto Networks Unit 42 Threat Hunting Team describes the infection vector like starting with a user scanning a QR code on these sites with the intention of downloading pirated content. The QR code redirected the user to a compromised website, where they were tricked into downloading an .ISO image claiming to be the hacked file, which contained an installation file and several other hidden ones.

When users launched the installer file, they received a message that the download failed – while in the background, a PowerShell script in the malware downloaded a malicious Chrome extension to the user’s browser , the Unit 42 researchers found.

Rapid evolution

Since arriving on the scene earlier this year, the malware authors have released several versions, many of which are equipped with different malicious capabilities. One of them is a variant called Bloom.exe which first appeared in March and has since infected at least 50 VMware Carbon Black customers. VMware researchers said they observed that the malware was used to exfiltrate sensitive data from infected systems.

Another variant of ChromeLoader is used to drop zip bombs on users’ systems, i.e. malicious archive files. Users who click on the militarized compression files end up launching malware that overloads their data systems and crashes them. And since August, operators of the aptly named CrashLoader variant have been using the malware to distribute a ransomware family called Enigma.

ChromeLoader Updated Malicious Tactics

Along with payloads, tactics to trick users into downloading ChromeLoader have also evolved. For example, VMware Carbon Black researchers said they saw the malware author impersonating various legitimate services to direct users to ChromeLoader.

A service they passed off as OpenSubtitles, a site designed to help users find subtitles for popular TV shows and movies, VMware said in its report. Another is FLB Music Play, a site for playing music.

“The spoofed software is used in conjunction with an adware program that redirects web traffic, steals credentials, and recommends other malicious downloads presented as legitimate updates,” VMware said.

Often, consumers are the primary targets of malware such as ChromeLoader. But with many employees now working from home and often using their personal devices to access corporate data and apps, businesses can be affected as well. VMware’s Carbon Black team, like Microsoft’s security researchers, said they believe the current campaign is just a harbinger of new attacks involving ChromeLoader.

“The Carbon Black MDR Team believes this is an emerging threat that should be monitored and taken seriously,” VMware said in its advisory, “due to its potential to deliver more harmful malware” .

Comments are closed.