Posted on May 29, 2022 at 7:12 PM
Researchers have also warned those looking for cracked software or games, because malicious ISO archive files have gained new capabilities to infect systems with ChromeLoader.
The ChromeLoader malware has been detected several times this month, after a relatively quiet period since the beginning of the year. In the past, most detections and attacks involved Windows computers, but that has changed. The attack is now equipped and updated to hit several operating systems, and it sometimes targets mobiles as a way of reaching more victims.
The ChromeLoader Malware Threatens Operating Systems
ChromeLoader is a browser hijacker that is launched by threat actors to change the target’s web settings to show search results like adult dating sites and games, fake giveaways, and unwanted software. The operator of the malware gains financially by redirecting user traffic to advertising sites.
Several hijackers work like ChromeLoader, but this malware stands out for its infection route, volume, and persistence. The developers and operators of the malware employ PowerShell aggressively.
Red Canary researchers stated that the malware operators use malicious ISO archive files to launch attacks on their targets. The researchers have been monitoring the activities of ChromeLoader since February this year.
The ISO is camouflaged as a cracked executable for commercial software or a game, so that victims are more likely to download it themselves from malicious sites or torrents. The hackers generally target gamers and others who are more likely to download such files.
Additionally, the security researchers stated that they discovered Twitter posts that promote cracked Android games and offer QR codes that lead to malware-hosting sites.
When a user double-clicks the ISO file on Windows 10 or a later version, it is mounted as a virtual CD-ROM drive. The ISO contains an executable that masks itself as a keygen or a game crack, using names like “CS_Installer.exe”. The ChromeLoader malware then decodes and executes a PowerShell command that fetches an archive from a remote resource and loads it as a Google Chrome extension.
When this is complete, the PowerShell command removes its scheduled task, leaving Chrome infected with a silently injected extension. This extension takes over the browser and manipulates search engine results.
The ChromeLoader Malware Also Targets macOS systems
The threat actors and operators of ChromeLoader are also targeting macOS systems, as they look to manipulate both Google Chrome and Apple’s Safari web browsers.
The macOS infection chain follows a pattern similar to the one used on other systems. However, instead of an ISO, the hackers use a DMG (Apple Disk Image) file, which is more common on macOS.
Also, the macOS variant uses an installer bash script instead of an installer executable. Here, the bash script downloads and decompresses the ChromeLoader extension into the “/private/var/tmp” directory.
To maintain persistence and stay hidden for a long time, the macOS variant of ChromeLoader adds a preference (plist) file to /Library/LaunchAgents, according to the Red Canary researchers.
This means that whenever a user logs into a graphical session, the ChromeLoader bash script runs again. This method has been used to keep the malware hidden from security software while it keeps running and infecting more files.
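The LaunchAgent persistence described above suggests a simple defender-side check. The following is an added example, not code from the article or from Red Canary: it parses LaunchAgent plists and flags any that run a shell script out of /private/var/tmp at login. The file names, labels and paths in the sample plists are constructed for the example.

```python
"""Flag LaunchAgent plists matching the ChromeLoader macOS persistence pattern:
a shell interpreter launched at login with a script under /private/var/tmp."""
import os
import plistlib

# Directories the article names as the drop location (plus the usual aliases).
SUSPICIOUS_DIRS = ("/private/var/tmp", "/var/tmp", "/private/tmp", "/tmp")
SHELL_NAMES = {"bash", "sh", "zsh"}


def is_suspicious_agent(plist_bytes: bytes) -> bool:
    """True if the plist runs a shell script from a temp directory at login."""
    agent = plistlib.loads(plist_bytes)
    args = list(agent.get("ProgramArguments") or [])
    if agent.get("Program"):            # launchd also accepts a bare Program key
        args = [agent["Program"]] + args
    if not args:
        return False
    runs_at_login = bool(agent.get("RunAtLoad")) or bool(agent.get("KeepAlive"))
    uses_shell = os.path.basename(args[0]) in SHELL_NAMES
    touches_tmp = any(a.startswith(SUSPICIOUS_DIRS) for a in args[1:])
    return runs_at_login and uses_shell and touches_tmp


def scan_launch_agents(agents: dict[str, bytes]) -> list[str]:
    """Return the names of suspicious agents from a {filename: plist bytes} map."""
    return sorted(name for name, data in agents.items() if is_suspicious_agent(data))


def scan_directory(path: str = "/Library/LaunchAgents") -> list[str]:
    """Read every .plist in a LaunchAgents directory and scan it."""
    agents = {}
    for name in os.listdir(path):
        if name.endswith(".plist"):
            with open(os.path.join(path, name), "rb") as fh:
                agents[name] = fh.read()
    return scan_launch_agents(agents)


def make_plist(label: str, args: list[str], run_at_load: bool = True) -> bytes:
    """Build a minimal LaunchAgent plist (used here to construct sample input)."""
    return plistlib.dumps({"Label": label, "ProgramArguments": args, "RunAtLoad": run_at_load})


# Constructed sample agents: one mimics the pattern, two are benign look-alikes.
SAMPLE_AGENTS = {
    "com.example.update.plist": make_plist("com.example.update", ["/bin/bash", "/private/var/tmp/update.sh"]),
    "com.vendor.helper.plist": make_plist("com.vendor.helper", ["/Applications/Vendor.app/Contents/MacOS/helper"]),
    "com.user.backup.plist": make_plist("com.user.backup", ["/bin/sh", "/Users/me/bin/backup.sh"]),
}

if __name__ == "__main__":
    print(scan_launch_agents(SAMPLE_AGENTS))   # ['com.example.update.plist']
```

A match only means the agent fits the pattern, so review the referenced script before removing anything; `scan_directory()` runs the same check against a real LaunchAgents folder.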
How ChromeLoader Infects Systems
The researchers have explained that the ChromeLoader malware does not follow one precise infection flow. They noted that the corrupt files are advertised on social media services, while some victims download them from rogue sites or torrents. In some instances, social media posts promote cracked Android games.
The ChromeLoader malware uses a PowerShell command to load a Chrome extension, after which the PowerShell command removes the scheduled task, leaving the targeted system infected. Once the browser is compromised, search engines may show bogus entries to users, and both Windows and macOS systems are exposed.
However, the researchers have recommended ways users can protect their systems from malware. The basic thing to do is to wait for product-centric updates and avoid cracked software. Users who notice unfamiliar software on their Chrome extensions are advised to apply clean-up methods immediately.
Additionally, they should be wary when installing a new extension in their browser, and ensure that their systems are regularly updated. Generally, users have been advised to follow basic security protocols to limit their exposure to malware.