Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
SUBSCRIBE
Zerosecurity
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Data Breaches
  • Crypto
  • Privacy
  • Downloads
    • Malwarebytes
    • Exploits
    • Paper Downloads
    • Software & Service Reviews
No Result
View All Result
Zerosecurity
No Result
View All Result
Home Malware

ChromeLoader Attacking Chrome Browsers Worldwide – How to Protect Yourself

Paul Anderson by Paul Anderson
May 30, 2022 - Updated on May 31, 2022
in Malware
0
ChromeLoader Malware surge
82
SHARES
1.3k
VIEWS
Share on FacebookShare on Twitter

An attack campaign is underway spreading the notorious ChromeLoader malware hijacking Chrome browsers worldwide.

You might also like

Emotet now utilizing Onenote for its spam campaigns

Netwire RAT seized by FBI and other worldwide police agencies

The Emotet botnet returns and is sending a slew of malicious emails

Aedan Russell, a security researcher from Red Canary, is reporting a sudden, unexpected rise in browser hijacking campaigns using the ChromeLoader malware. The attacker’s purpose is to hijack browsers via the “pervasive and persistent” malware that will modify an unsuspecting user’s browser settings which will redirect them to websites containing advertisements.

This new malware campaign, or as some experts like to refer to it as malvertising, is financially motivated as the adversaries are redirecting users to their own affiliate ads that can earn them money based on per view, install of software, or click of an ad.

What is the Malware ChromeLoader?

ChromeLoader is malware that is installed as a Chrome browser extension. The malware is normally disturbed with an ISO file extension through fraudulent social media posts containing QR codes, pirated movies, fake giveaways, or cracked video games.

Chrome Loader Malware social media
Screenshot provided by the researchers shows a scannable malicious QR code that leads to a site offering ChromeLoader.

ChromeLoader modifies the infected’s browser settings to display advertisements that lure users to download pay-per-install software, visit dating sites, or adult game sites, and participate in fake surveys. This malware stands out from other malicious browser extensions due to its unforgiving persistence, infection methods, and its unique use of PowerShell.

Attack Rundown

Red Canary’s blog post states that the attackers are using the ISO disk image file to carry the malware and invade systems. This ISO file is promoted as a cracked executable for paid software or a video game that the victim will download from file-sharing or torrent sites. The malware operators have also been seen using Twitter to spread the virus.

When the file is double-clicked on a Windows 10 system or later, it is mounted as a virtual drive. The virtual drive normally contains some sort of keygen or software crack titled “CS_Installer.exe”; this executable is what launches the malware.

When ChromeLoader is launched it executes and decodes a PowerShell script that downloads a file from a remote server. The PowerShell script executes the downloaded payload on the infected system discreetly loading it onto Chrome as a Chrome extension which hijacks and manipulates the browser’s results.

ChromeLoader's PowerShell script
ChromeLoader’s PowerShell script that executes upon running the executable in the ISO file

The Red Canary research teams also identified that the creators of ChromeLoader have also integrated support for macOS systems. Instead of using an ISO as a carrier, the attackers use a DMG (Apple Disk Image) file instead of an ISO.

Within the DMG file, the executables are replaced with bash scripts that download, decompress and install the malware extension to the private/var/tmp/ directory.

How to Protect yourself from ChromeLoader?

ChromeLoader is mainly distributed via social media and fake cracked software. So we suggest staying away from pirated software and installing a decent antivirus. If you’re infected by ChromeLoader or would like to protect yourself from similar threats, download and install Malwarebytes. Malwarebytes comes in both a free and paid version but both are highly effective at removing threats.

Source: RedCanary
Tags: Google Chromemalwarepowershell
Share34Tweet20
Paul Anderson

Paul Anderson

Editor and chief at ZeroSecurity. Expertise includes programming, malware analysis, and penetration testing. If you would like to write for ZeroSecurity, please click "Contact us" at the top of the page.

Recommended For You

Emotet now utilizing Onenote for its spam campaigns

by Kyle
March 26, 2023
0
Emotet now utilizing Onenote for its spam campaigns

The infamous Emotet malware has adopted a new tactic to spread its infection. Cybercriminals are now distributing the malware via email attachments in Microsoft OneNote format. The move...

Read more

Netwire RAT seized by FBI and other worldwide police agencies

by Christi Rogalski
March 16, 2023
0
Netwire RAT seized by FBI and other worldwide police agencies

The FBI, in partnership with several police agencies worldwide, has carried out an international law enforcement operation resulting in the arrest of a suspected administrator of the NetWire...

Read more

The Emotet botnet returns and is sending a slew of malicious emails

by Kyle
March 14, 2023
0
The Emotet botnet returns and is sending a slew of malicious emails

The notorious Emotet botnet, considered one of the biggest threats to internet security, has resurfaced after a prolonged hiatus, armed with new tactics. The botnet's trademark strategy of...

Read more

Update-resistant malware infects SonicWall security appliances

by Paul Anderson
March 12, 2023
0
Update-resistant malware infects SonicWall security appliances

Researchers have discovered that threat actors linked to the Chinese government are using malware to infect SonicWall's Secure Mobile Access 100, a popular security appliance, which remains active...

Read more

Fake ChatGPT websites are popping up and spreading malware

by Paul Anderson
March 1, 2023 - Updated on March 2, 2023
0
ChatGPT is found spreading malware created in Python

It was only a matter of time before hackers would start using the growing popularity of ChatGPT to spread malware and steal sensitive personal information. Recently, multiple security...

Read more
Next Post
Microsoft Office zero-day exploit CVE-2022-30190

Microsoft Office Zero-day "Follina" Allows Attackers to Execute PowerShell Scripts

Related News

BreachForums Owner Arrested and Charged

BreachForums Owner Arrested and Charged

March 17, 2023
ChipMixer platform tied to crypto laundering scheme – seized by authorities

ChipMixer platform tied to crypto laundering scheme – seized by authorities

March 17, 2023
NSA intercepting U.S. Routers

NSA intercepting U.S. Routers

June 6, 2014 - Updated on March 17, 2023
Zerosecurity

We cover the latest in Information Security & Blockchain news, as well as threat trends targeting both sectors.

Categories

  • Crypto
  • Data Breaches
  • DotNet Framework
  • Downloads
  • Exploits
  • Exploits
  • Information
  • Legal
  • Malware
  • Malware Analysis
  • Mobile Security
  • Paper Downloads
  • Piracy
  • Privacy
  • Programming
  • Public
  • Security
  • Security
  • Software & Service Reviews
  • Technology
  • Tools
  • Tutorials
  • Video Tutorials
  • Whitepapers
  • Zero Security
  • Contact Us
  • List of our Writers

© 2022 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
  • Exploits
  • Data Breaches
  • Malware
  • Privacy
  • Mobile Security
  • Tools
  • Contact Us
  • Privacy Policy

© 2022 ZeroSecurity, All Rights Reserved.