A new campaign involving the distribution of a new variant of the search hijacker and adware browser extension called Shampoo has been discovered by HP’s threat research team (Wolf Security). This campaign, which began in March 2023, targets visitors of warez and pirated movie sites. The ChromeLoader malware, known for force-installing browser extensions that redirect search results to promote unwanted software, fake giveaways, surveys, adult games, dating sites, and other irrelevant content, has been a cause for concern in the past.
History of ChromeLoader Malware
In February 2022, analysts at Red Canary reported a sudden surge in ChromeLoader distribution, including macOS and Windows. By September, VMware and Microsoft issued warnings about a massive ChromeLoader campaign that could drop additional malware, including ransomware. More recently, in February 2023, security researchers at ASEC uncovered a campaign. In this ChromeLoader malware was distributed in VHD files named after popular video games.
Details of the Newest Campaign
According to HP’s analysts, the current campaign exploits a network of malicious websites that entice users with promises of free downloads of copyrighted music, movies, or video games. Instead of receiving legitimate media files or software installers, victims unknowingly download VBScripts that execute PowerShell scripts. These scripts set up a scheduled task prefixed with “chrome_” to ensure persistence on the infected system.
Once the scheduled task is triggered, a scripted series comes into action. They download a new PowerShell script and save it in the host’s registry under “HKCU:\Software\Mirage Utilities”. Simultaneously, the malicious Chrome extension, Shampoo, is fetched and installed. Shampoo, a variant of ChromeLoader, injects advertisements into websites visited by the victim and redirects search queries. In the analyzed sample, searches from the browser address bar or Google have redirected first to a website at ythingamgladt[.]com and then to Bing search results.
The Complexities of Removing ChromeLoader Shampoo
Removing ChromeLoader Shampoo is not a simple task, as highlighted by HP. Uninstalling the extension is insufficient since the malware employs looping scripts and a Windows-scheduled task to reinstall it whenever it is removed or the system is rebooted. Consequently, the malware persists on the system, continuously affecting the user’s browsing experience.
To eliminate ChromeLoader Shampoo, HP Wolf Security provides the following steps:
1. Remove any scheduled tasks prefixed with “chrome_”. Legitimate Chrome scheduled tasks typically begin with “Google”.
2. Delete the registry key “HKCU\Software\Mirage Utilities”.
3. Reboot the computer.
Additionally, BleepingComputer discovered PowerShell scripts that extract the malicious extension to the ‘C:\Users<user>\appdata\local\chrome_test’ folder, which should be deleted if present. HP advises users to complete these removal steps promptly to prevent the looping script from reinstalling the malware.
Identifying ChromeLoader Variants and Seeking Help
A simple method to determine if a ChromeLoader variant is running on a web browser is to verify whether Chrome is running with the “-load-extension” argument. Tools like Process Explorer can examine a process’s properties and view command-line arguments. HP acknowledges that individuals infected with ChromeLoader, particularly those in corporate environments, might hesitate to seek assistance from their IT departments due to concerns about violating company policies by downloading software from untrustworthy sources. However, the threat posed by adware should not be underestimated. It is still a trojan. It could potentially cause significant damage if its operators decide to seek more aggressive monetization pathways.
Hence it is crucial not to overlook or downplay the threat of adware. It operates as a Trojan on the system and can potentially cause further harm at any given time. The operators behind the ChromeLoader malware may pursue more aggressive monetization strategies, putting users at even greater risk.
Fear of the Consequences
In corporate environments, the fear of the consequences of breaking company policies by downloading software from questionable sources often prevents individuals from seeking help from their IT departments. However, HP emphasizes the importance of addressing the adware issue promptly.
