The browser-hijacking malware called ChromeLoader is witnessing a new surge in activity since its discovery earlier this year, researchers at Red Canary, wrote in a blog post this week.
ChromeLoader uses PowerShell, an automation and configuration management framework, to add a malicious extension to a victim's Chrome browser for nefarious purposes. The malicious extension drastically modifies the victim's web browser settings to show search results that promote unwanted software, fake giveaways, surveys, and adult games and dating sites.
The malware's creators receive financial benefits due to the marketing affiliation from these ad-supported pages and redirect traffic to these commercial sites. There are multiple hijackers of this kind, but ChromeLoader is unique due to its persistence, volume, and infection route, which involves the aggressive use of PowerShell.
Exploiting PowerShell
According to Red Canary researchers, who have been tracking the strain since early February, the creators of the hijacker use a malicious ISO archive file to target their victims. ChromeLoader gets initial access into a system by being distributed as an ISO file that looks like a torrent or a cracked video game.
The researchers have also noticed Twitter posts promoting cracked Android games and offering QR codes that lead to malware-hosting sites.
When a victim double-clicks on the ISO file in Windows 10 or later, the ISO file will be mounted as a drive on the victim's machine. This ISO file contains an executable that pretends to be a game crack or keygen, using names like "CS_Installer.exe."
Finally, ChromeLoader executes and decodes a PowerShell command that fetches an archive from a remote resource and loads it as a Google Chrome extension.
Once the scheduled task executes PowerShell and loads the extension, it is silently removed with the PowerShell module invoke schtasks.exe and is often less frequently monitored as an anti-forensic methodology.
"This is a novel method for loading a malicious extension into Chrome that I have not seen before, nor has it been observed by Red Canary's intelligence team in other malware," researchers said. While other bad actors could capitalize on this method, they still need to place a portable executable on the victim machine to ultimately use the load-extension PowerShell technique."
Additionally, the creators of ChromeLoader target macOS systems by using DMG (Apple Disk Image) files, which is a more common format on macOS.
"To maintain persistence, the macOS variation of ChromeLoader will append a preference (`plist`) file to the `/Library/LaunchAgents` directory," explains Red Canary's report. This ensures that every time a user logs into a graphical session, ChromeLoader's Bash script can continually run."
