Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
SUBSCRIBE
Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
Zerosecurity
No Result
View All Result
Home Malware

ChromeLoader Attacking Chrome Browsers Worldwide – How to Protect Yourself

Paul Anderson by Paul Anderson
May 30, 2022 - Updated on May 31, 2022
in Malware
0
82
SHARES
1.3k
VIEWS
Share on FacebookShare on Twitter

An attack campaign is underway spreading the notorious ChromeLoader malware hijacking Chrome browsers worldwide.

You might also like

BlueSky Ransomware Infects KMSAuto Activator users

Syslogk Linux Rootkit triggers with magic packets

BlackCat Ransomware aka “ALPHV” infections on the rise

Aedan Russell, a security researcher from Red Canary, is reporting a sudden, unexpected rise in browser hijacking campaigns using the ChromeLoader malware. The attacker’s purpose is to hijack browsers via the “pervasive and persistent” malware that will modify an unsuspecting user’s browser settings which will redirect them to websites containing advertisements.

This new malware campaign, or as some experts like to refer to it as malvertising, is financially motivated as the adversaries are redirecting users to their own affiliate ads that can earn them money based on per view, install of software, or click of an ad.

What is the Malware ChromeLoader?

ChromeLoader is malware that is installed as a Chrome browser extension. The malware is normally disturbed with an ISO file extension through fraudulent social media posts containing QR codes, pirated movies, fake giveaways, or cracked video games.

Chrome Loader Malware social media
Screenshot provided by the researchers shows a scannable malicious QR code that leads to a site offering ChromeLoader.

ChromeLoader modifies the infected’s browser settings to display advertisements that lure users to download pay-per-install software, visit dating sites, or adult game sites, and participate in fake surveys. This malware stands out from other malicious browser extensions due to its unforgiving persistence, infection methods, and its unique use of PowerShell.

Attack Rundown

Red Canary’s blog post states that the attackers are using the ISO disk image file to carry the malware and invade systems. This ISO file is promoted as a cracked executable for paid software or a video game that the victim will download from file-sharing or torrent sites. The malware operators have also been seen using Twitter to spread the virus.

When the file is double-clicked on a Windows 10 system or later, it is mounted as a virtual drive. The virtual drive normally contains some sort of keygen or software crack titled “CS_Installer.exe”; this executable is what launches the malware.

When ChromeLoader is launched it executes and decodes a PowerShell script that downloads a file from a remote server. The PowerShell script executes the downloaded payload on the infected system discreetly loading it onto Chrome as a Chrome extension which hijacks and manipulates the browser’s results.

ChromeLoader's PowerShell script
ChromeLoader’s PowerShell script that executes upon running the executable in the ISO file

The Red Canary research teams also identified that the creators of ChromeLoader have also integrated support for macOS systems. Instead of using an ISO as a carrier, the attackers use a DMG (Apple Disk Image) file instead of an ISO.

Within the DMG file, the executables are replaced with bash scripts that download, decompress and install the malware extension to the private/var/tmp/ directory.

How to Protect yourself from ChromeLoader?

ChromeLoader is mainly distributed via social media and fake cracked software. So we suggest staying away from pirated software and installing a decent antivirus. If you’re infected by ChromeLoader or would like to protect yourself from similar threats, download and install Malwarebytes. Malwarebytes comes in both a free and paid version but both are highly effective at removing threats.

Source: RedCanary
Tags: Google Chromemalwarepowershell
Share34Tweet20
Paul Anderson

Paul Anderson

Editor and chief at ZeroSecurity. Expertise includes programming, malware analysis, and penetration testing. If you would like to write for ZeroSecurity, please click "Contact us" at the top of the page.

Recommended For You

BlueSky Ransomware Infects KMSAuto Activator users

by Kyle
July 20, 2022 - Updated on July 22, 2022
0
BlueSky Ransomware backdoors KMSAuto activator

A financially motivated threat actor has been discovered spreading a new ransomware strain, dubbed BlueSky. The group is believed to be connected to the Conti ransomware group. CloudSEK's...

Read more

Syslogk Linux Rootkit triggers with magic packets

by Christi Rogalski
June 19, 2022 - Updated on June 20, 2022
0
Syslogk Linux Rootkit triggers with magic packets

Avast researchers have spotted a Linux rootkit that has the ability to hide malicious processes. The new Linux rootkit, called Syslogk, works by using magic packets to activate...

Read more

BlackCat Ransomware aka “ALPHV” infections on the rise

by Kyle
June 16, 2022 - Updated on July 20, 2022
0
BlackCat Ransomware aka “ALPHV” infections on the rise

As the ransomware-as-a-service (RaaS) industry grows, more ransomware players come into the mix. BlackCat, also known as ALPHV, is a growing ransomware threat with the ability to target...

Read more

State-sponsored Iranian Hackers utilize .NET DNS Backdoor in new Attack

by Kyle
June 12, 2022
0
Lycaeum APT DNS hijacking backdoor

An Advanced Persistent Threat (APT) hacking group based out of Iran going by the name Lycaeum has been seen using a .NET-based DNS backdoor to target organizations within...

Read more

Emotet Banking Trojan Re-Emerges After Take Down by Law Enforcement

by Paul Anderson
June 10, 2022
0
Emotet Banking Trojan 2022

Botnet Emotet has re-emerged after being taken down by a multinational joint task force operation in January 2021. The developers behind Emotet have been given credit as one...

Read more
Next Post
Microsoft Office zero-day exploit CVE-2022-30190

Microsoft Office Zero-day "Follina" Allows Attackers to Execute PowerShell Scripts

Related News

BlueSky Ransomware backdoors KMSAuto activator

BlueSky Ransomware Infects KMSAuto Activator users

July 20, 2022 - Updated on July 22, 2022
BlackCat Ransomware aka “ALPHV” infections on the rise

BlackCat Ransomware aka “ALPHV” infections on the rise

June 16, 2022 - Updated on July 20, 2022
GIFs in messaging apps are tracking you

GIFs in messaging apps are tracking you

July 19, 2022
Zerosecurity

We cover the latest in Information Security & Blockchain news, as well as threat trends targeting both sectors.

Categories

  • Crypto
  • Data Breaches
  • DotNet Framework
  • Downloads
  • Exploits
  • Exploits
  • Information
  • Legal
  • Malware
  • Malware Analysis
  • Mobile Security
  • Paper Downloads
  • Piracy
  • Privacy
  • Programming
  • Public
  • Security
  • Security
  • Software & Service Reviews
  • Technology News
  • Tools
  • Tutorials
  • Video Tutorials
  • Whitepapers
  • Zero Security
  • Contact Us
  • List of our Writers

© 2022 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
  • Exploits
  • Data Breaches
  • Malware
  • Privacy
  • Mobile Security
  • Tools
  • Contact Us
  • Privacy Policy

© 2022 ZeroSecurity, All Rights Reserved.