ChromeLoader malware surges to threaten global browsers
ChromeLoader malware surges to threaten global browsers.
According to the survey, compared to the stability since the beginning of the year, the number of ChromeLoader malware has increased this month, which will make browser hijacking a common threat.
ChromeLoader is a browser hijacker that modifies victims’ web browser settings to promote unwanted software, fake ads, and even display adult games and dating sites on search pages.
Threat actors redirect user traffic to advertising sites for financial gain through a marketing affiliate system.
While these types of hijackers are not uncommon, ChromeLoader stands out for its persistence, volume, and infection paths, including its ability to abuse PowerShell.
According to a Red Canary researcher who has been tracking ChromeLoader since February, hijackers use malicious ISO archives to infect their victims.
The ISO file is disguised as a cracked executable for a game or commercial software, so victims unknowingly download it from a torrent or malicious website.
The researchers also noticed that there were posts on Twitter promoting cracked Android games and offering QR codes, which also led users to malware-hosting sites.
When you double-click the ISO file in Windows 10 and above, the ISO file will be mounted as a virtual optical drive.
This ISO file contains an executable file with a name like “CS_Installer.exe” pretending to be a game cracker or keygen.
Finally, the ChromeLoader executes and decodes the PowerShell command, fetches the archive from the remote resource and loads it as a Google Chrome extension.
Once this is done, PowerShell will drop the scheduled task, infecting Chrome with a silently injected extension that hijacks the browser and manipulates search engine results.
The ChromeLoader malware also targets macOS and is designed to manipulate both Chrome and Apple’s Safari web browser.
The infection chain on macOS is similar, but threat actors use DMG (Apple Disk Image) files instead of ISOs, a more common format on this operating system.
However, the macOS variant uses the installer bash script to download and unpack the ChromeLoader extension to the “private/var/tmp” directory instead of the installer executable.
For persistence, the macOS version of ChromeLoader appends a preference (‘ plist ‘) file to the ‘/Library/LaunchAgents’ directory, which ensures that every time a user logs in to a graphical session, the ChromeLoader Bash script can continue to run .