ChromeLoader is a browser hijacker that can change the settings of the victim’s web browser to display search results that advertise unwanted software, phony freebies and surveys, as well as adult games and dating sites.
The malware’s administrators profit from a marketing affiliation system that redirects user traffic to advertising websites.
There are a lot of hijackers out there, but ChromeLoader stands out because of its persistence, volume, and infection path, which includes a lot of PowerShell.
PowerShell is being abused
According to Red Canary researchers who have been watching ChromeLoader’s activity since February of this year, the hijacker’s operators infect their victims with a malicious ISO archive file.
The ISO is disguised as a cracked executable for a game or commercial software, so victims typically download it from a torrent or rogue website.
The researchers have also found tweets advertising cracked Android games and offering QR codes that lead to malware-hosting sites.
When a user double-clicks on an ISO file in Windows 10 or later, it is mounted as a virtual CD-ROM drive. This ISO file contains a program that uses names like “CS Installer.exe” to pretend to be a game crack or keygen.
Finally, ChromeLoader runs and decodes a PowerShell command that downloads and loads an archive from a remote resource as a Google Chrome extension.
PowerShell then deletes the scheduled task, leaving Chrome infected with a covertly injected extension that hijacks the browser and tampers with search engine results.
macOS is a target
ChromeLoader’s operators are also interested in manipulating Mac OS X systems, specifically Chrome and Apple’s Safari web browsers.
On macOS, the infection chain is identical, except instead of ISO files, the threat actors utilize DMG (Apple Disk Image) files, which are a more popular format on that operating system.
Furthermore, the macOS version uses an installer bash script to download and decompress the ChromeLoader extension to the “private/var/tmp” directory instead of the installer executable.
“This ensures that ChromeLoader’s Bash script may execute every time a user logs into a graphical session.”
Check out this article for Chrome or this one for Safari to see what extensions are installed in your browser and how to manage, restrict, or remove them.
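One way to do the check described above from a defender's side is to read a Chrome profile's Preferences file and flag extensions that were not installed from the Chrome Web Store or that were unpacked from an absolute on-disk path such as a temporary directory, which is how a covertly injected extension like the one this article describes would appear. The script below is an added example, not code from the article or from Red Canary; the Preferences sample is constructed, and the keys it relies on (from_webstore, path, manifest) are assumed to follow Chrome's Preferences layout.

```python
import json
from pathlib import PurePosixPath, PureWindowsPath

# Constructed sample of the "extensions.settings" section of a Chrome Preferences file.
# Web Store installs keep from_webstore=true and a path relative to the profile's
# Extensions folder; side-loaded extensions show an absolute path (assumption: Chrome layout).
SAMPLE_PREFERENCES = r"""{
  "extensions": {
    "settings": {
      "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "from_webstore": true,
        "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.0_0",
        "manifest": {"name": "Store-installed extension", "version": "1.2.0"}
      },
      "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "from_webstore": false,
        "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\injected_ext",
        "manifest": {"name": "Chrome Tools", "version": "6.0"}
      },
      "cccccccccccccccccccccccccccccccc": {
        "from_webstore": false,
        "path": "/private/var/tmp/injected_ext",
        "manifest": {"name": "Search Helper", "version": "1.0"}
      }
    }
  }
}"""

# Temporary locations where an installer script or PowerShell stage might unpack an extension
# (the article names private/var/tmp on macOS; the Windows Temp marker is an assumption).
TEMP_MARKERS = ("/private/var/tmp", "/var/tmp", "/tmp/", "\\temp\\")


def extension_findings(prefs_text):
    """Return [(extension_id, name, reasons)] for extensions that look side-loaded."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        path = entry.get("path", "")
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not installed from the Chrome Web Store")
        if PureWindowsPath(path).is_absolute() or PurePosixPath(path).is_absolute():
            reasons.append("loaded from an absolute on-disk path")
        if any(marker in path.lower() for marker in TEMP_MARKERS):
            reasons.append("unpacked from a temporary directory")
        if reasons:
            findings.append((ext_id, entry.get("manifest", {}).get("name", "?"), reasons))
    return findings


if __name__ == "__main__":
    for ext_id, name, reasons in extension_findings(SAMPLE_PREFERENCES):
        print(f"{ext_id} ({name}): {'; '.join(reasons)}")
```

On a real system, point the function at the profile's Preferences (and Secure Preferences) file under the Chrome user data directory and review anything it flags before removing it through the browser's extensions page.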