Researchers have spotted a new browser hijacker in the wild, identified as “ChromeLoader” malware. This malware is running active campaigns impersonating cracked software or pirated videos. Upon infecting a device, it can meddle with the target browser’s settings and steal stored information.
About ChromeLoader Malware
As elaborated in a detailed post, researchers from Red Canary have noticed active ChromeLoader malware campaigns for several months.
Briefly, the malware reaches target devices by posing as cracked software or pirated media as an ISO file. It spreads via social media platforms like Twitter to lure users. Upon reaching the device, it establishes itself as a browser extension, taking control of the browser.
It hijacks the browser to spy on all user activities, including search queries. Plus, it also redirects the user to malicious websites.
After infecting the device, ChromeLoader gains persistence by exploiting Windows Task Scheduler via a .NET wrapper.
ChromeLoader exhibits resistance against removal by redirecting the user away from the extensions page upon detecting removal attempts.
While the researchers spotted the malware targeting Windows devices, they acknowledge other researchers’ previous works highlighting ChromeLoader’s campaigns against macOS. It shows how the attackers are extensively targeting the users across various devices.
While the malware presently demonstrates browser hijacking, the researchers suspect it can also serve as a credential harvester. Explaining this phenomenon, the researchers stated,
ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions.
The researchers have shared the technical aspects of the malware in their post.
Stay Wary Of Untrusted Downloads
Given its distribution source, it’s evident that users can easily prevent such attacks by simply avoiding clicking on random files on social media. Although downloading cracked software or pirated content sounds lucrative, it’s a primary means through which attackers target users. Therefore, users should avoid downloading any files from untrusted sources.
Is this related to the malware that was being spread on Twitter via QR codes claiming to be cracked Adobe CC from a few months ago?
Comments are closed.