Google malvertising threat

A malvertising threat has been rising since its emergence earlier this year. The malware, known as ChromeLoader, is a “pervasive and persistent browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites,” Aedan Russell of Red Canary said in a new report.

ChromeLoader, a rogue Chrome browser extension, is usually circulated in the form of ISO files via pay-per-install sites and social media posts that promote QR codes to cracked video games and pirated movies.

While it mainly works by hijacking user search queries to Google, Yahoo, and Bing and redirecting traffic to an advertising site, it also uses PowerShell to plant itself into the browser and load the extension.

“For now the only purpose is getting revenue via unsolicited advertisements and search engine hijacking,” G DATA’s Karsten Hahn said. “But loaders often do not stick to one payload in the long run and malware authors improve their projects over time.”

Another trick up ChromeLoader’s sleeve is its ability to redirect victims from the Chrome extensions page (“chrome://extensions”) should they attempt to remove the add-on.

Moreover, researchers have identified a macOS version of the malware that functions against both Chrome and Safari browsers, making ChromeLoader a cross-platform threat.

“If applied to a higher-impact threat — such as a credential harvester or spyware — this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions,” Russell noted.