The distribution of the ChromeLoader malware(opens in new tab) has spiked in recent months, turning a relative nuisance into a full-blown threat. Researchers from Red Canary have been tracking the malware for the past five months, and claim the threat has risen significantly.
According to the research, the attackers are targeting both Windows and macOS users, distributing the malware via torrent files masquerading as cracks for software and games. They’re also using social media sites, such as Twitter, to promote the torrent links, sharing QR codes leading to the sites that host the malware.
The goal is to have the victims download the files themselves. For Windows targets, the files come in an .ISO archive which, when mounted with a virtual CD-ROM drive, displays an executive file posing as a crack or a keygen. Researchers are saying that its most likely filename is “CS_Installer.exe”.
Once the victim runs the file, it executes and decodes a PowerShell command that pulls an archive from the server, and loads it as an extension for the Google Chrome browser(opens in new tab). After that, PowerShell removes the scheduled task, leaving no traces of its presence.
The methodology for macOS is somewhat different; instead of an ISO, the attackers use DMG files, which are more common on the platform. It also swaps the installer executable for an installer bash script that downloads and decompresses the extension into “private/var/tmp”.
ChromeLoader is described as a browser hijacker that can tweak browser settings on the target endpoint(opens in new tab), making it show modified search results. By showing fake giveaways, dating sites, or unwanted third-party software, the threat actors earn commission in affiliate programs.
What makes ChromeLoader stand out in a sea of similar browser hijackers is its persistence, volume and infection route, the researchers said.