This nasty browser hijacker malware becomes a serious threat
The spread of the ChromeLoader malware has increased in recent months, turning what was a relative nuisance into a threat in its own right.
Red Canary researchers have been tracking the malware for the past five months and say the threat has increased significantly.
According to the research, the attackers target both Windows and macOS users, distributing the malware via torrent files posing as cracks for software and games.
They also use social media sites, such as Twitter, to promote torrent links, sharing QR codes leading to sites that host the malware.
The goal is for the victims to download the files themselves. For Windows targets, the files come as an .ISO image which, when mounted as a virtual CD-ROM drive, presents an executable file masquerading as a crack or keygen. Researchers say its most likely file name is “CS_Installer.exe”.
Once the victim runs the file, it executes a decoded PowerShell command that retrieves an archive from a remote server and loads it as an extension for the Google Chrome browser. After that, PowerShell deletes the scheduled task, leaving no trace of its presence.
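The Windows chain described above lends itself to a simple detection over process-creation telemetry, shown here as an added example that is not drawn from the article or from Red Canary's research: an executable launched from a non-system drive (where a mounted ISO appears) spawning PowerShell with an encoded command, followed by a scheduled-task deletion. The event records, the ISO drive letter, the task name and the use of an encoded-command flag are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# Constructed process-creation events (not real telemetry), shaped like a
# simplified Sysmon Event ID 1 record. The ISO drive letter, the encoded
# PowerShell flag and the task name are assumptions made for this example.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS: List[Dict] = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"E:\CS_Installer.exe", "cmd": "CS_Installer.exe"},
    {"pid": 300, "ppid": 200, "image": PS, "cmd": "powershell.exe -w hidden -enc SQBFAFgA"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": "schtasks.exe /delete /tn ExampleTask /f"},
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": "chrome.exe"},
]

# -EncodedCommand and its accepted abbreviations on the powershell.exe command line.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)(?:\s|$)", re.I)


def off_system_drive(image: str, system_drive: str = "C:") -> bool:
    """True when the image is on a drive other than the system drive, which is
    where the contents of a mounted ISO appear."""
    return not image.upper().startswith(system_drive.upper())


def find_iso_to_powershell_chains(events: List[Dict]) -> List[Dict]:
    """Flag an executable on a non-system drive spawning PowerShell with an
    encoded command, and record whether that PowerShell then deleted a task."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not (e["image"].lower().endswith("powershell.exe")
                and ENCODED_FLAG.search(e["cmd"])):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not off_system_drive(parent["image"]):
            continue
        cleanup = any(
            c["ppid"] == e["pid"]
            and c["image"].lower().endswith("schtasks.exe")
            and "/delete" in c["cmd"].lower()
            for c in events
        )
        hits.append({"dropper": parent["image"], "powershell_pid": e["pid"],
                     "deleted_scheduled_task": cleanup})
    return hits
```

Running `find_iso_to_powershell_chains(EVENTS)` on the constructed events returns a single hit for the installer on the E: drive, with the task deletion recorded; Chrome launched from Explorer on the system drive is not flagged.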
The methodology for macOS is somewhat different; instead of an ISO, attackers use DMG files, which are more common on the platform. The installer executable is replaced by an installer bash script that downloads and unpacks the extension to “private/var/tmp”.
ChromeLoader is described as a browser hijacker that can modify browser settings on the target endpoint, which allows it to display modified search results. By showing fake freebies, dating sites or unwanted third-party software, threat actors earn commission in affiliate programs.
What sets ChromeLoader apart in a sea of similar browser hijackers is its persistence, volume and route of infection, the researchers said.