Let’s look at the Google Chrome browser-hijacking malware known as ChromeLoader.
Malware is commonly spread using a variety of techniques; phishing and social engineering are heavily used to distribute malicious software. The Google Chrome browser-hijacking malware known as ChromeLoader is becoming increasingly widespread and growing in sophistication. It is designed to install malicious extensions into the browser. The browser is the front door to the Internet, and therefore the user’s first line of defense when people access applications.
ChromeLoader is a sophisticated piece of malware that abuses PowerShell, which opens the way to more advanced attacks such as ransomware, fileless malware, and injection of malicious code into memory. PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. It runs on Windows, Linux, and macOS and is commonly used to automate the management of systems. It is also used to build, test, and deploy solutions, often in CI/CD environments.
The ChromeLoader malware:
ChromeLoader detections are seeing an uptick this month, after a relatively stable volume since the start of the year, making this browser hijacker a widespread threat. This kind of threat drastically increases the attack surface, as today’s enterprises rely more and more on SaaS apps.
ChromeLoader is a browser hijacker that modifies the victim's web browser settings to show search results that promote unwanted software, fake giveaways and surveys, and adult games and dating sites. It combines adware and browser-hijacker functionality. Typically, programs in the adware/browser hijacker classifications do not use techniques as sophisticated as ChromeLoader's.
The malware is distributed through malicious optical disc image (ISO) files, often hidden in cracked or pirated versions of software or games. An optical disc image is a disk image that contains everything that would be written to an optical disc, sector by sector, including the optical disc file system. The ISO masquerades as a cracked executable for a game or commercial software, so victims likely download it themselves from torrent or malicious sites.
Finally, ChromeLoader decodes and executes a PowerShell command that fetches an archive from a remote resource and loads it as a Google Chrome extension. The PowerShell script then removes the scheduled task, leaving Chrome infected with a silently injected extension that hijacks the browser and manipulates search engine results.
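As an added defensive example (not code from the original post), the following Python applies the chain described above to constructed process-creation records: it flags hidden, encoded PowerShell; Chrome started by PowerShell with a side-loaded extension; and removal of the scheduled task. It assumes the extension is side-loaded through Chrome's `--load-extension` switch, which the post does not name, and all record paths and names are constructed.

```python
import re

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed process-creation records (not real telemetry), shaped like the chain the post
# describes: a hidden, encoded PowerShell stage (the archive fetch sits inside the encoded
# payload), Chrome started by that PowerShell with a side-loaded extension, then removal of
# the scheduled task. The last record is a benign control that must not be flagged.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -enc <base64-placeholder>"},
    {"parent": PS, "image": CHROME,
     "cmd": r'"chrome.exe" --load-extension=C:\Users\victim\AppData\Local\Temp\ext --restore-last-session'},
    {"parent": PS, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": 'schtasks /delete /tn "ChromeTask" /f'},
    {"parent": r"C:\Windows\explorer.exe", "image": CHROME,
     "cmd": '"chrome.exe" --profile-directory=Default'},
]

def indicators(ev):
    """Return the suspicious traits of one process-creation event (empty list if none)."""
    cmd, parent, image = ev["cmd"], ev["parent"].lower(), ev["image"].lower()
    hits = []
    if image.endswith("powershell.exe"):
        hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I)
        encoded = re.search(r"-enc(?:odedcommand)?\b", cmd, re.I)
        if hidden and encoded:
            hits.append("hidden encoded PowerShell")
        if re.search(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", cmd, re.I):
            hits.append("PowerShell remote fetch")
    if image.endswith("chrome.exe"):
        # --load-extension is assumed to be how the fetched archive becomes a live extension
        ext = re.search(r"--load-extension=(\S+)", cmd)
        if ext and parent.endswith("powershell.exe"):
            hits.append("Chrome side-loaded extension from PowerShell")
        if ext and re.search(r"\\(?:appdata|temp|users\\public)\\", ext.group(1), re.I):
            hits.append("extension loaded from user-writable path")
    if re.search(r"schtasks(?:\.exe)?\s+/delete|unregister-scheduledtask", cmd, re.I) and (
        parent.endswith("powershell.exe") or image.endswith("powershell.exe")
    ):
        hits.append("scheduled task removed by PowerShell")
    return hits

def scan(events):
    """Map the index of each suspicious event to its list of indicators."""
    return {i: h for i, ev in enumerate(events) if (h := indicators(ev))}
```

Correlating the three flagged records by parent process and time window is what turns these individual hits into a ChromeLoader-style alert.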
This malware aims to display deceptive or malicious advertisements and to modify browser settings so that the browser redirects to fake search engines. The observed ChromeLoader infection chain began with Twitter posts advertising pirated content through QR codes that tricked victims into downloading an ISO file.
ChromeLoader's capabilities do not end with installing malicious extensions; it could carry out more advanced attacks as well. Its abuse of PowerShell makes it especially dangerous, since this can enable more advanced attacks such as ransomware, fileless malware, and injection of malicious code into memory.