Friday, November 1, 2024
HomeMalwareChromeloader Malware Drops Malicious Browser Extensions to Track User's Online Activity

Chromeloader Malware Drops Malicious Browser Extensions to Track User’s Online Activity

Published on

Malware protection

An ongoing, widespread Chromeloader malware campaign has been warned by Microsoft and VMware. It has been identified that this malicious campaign is dropping node-WebKit malware and ransomware, as well as dangerous browser extensions.

ChromeLoader was observed in the wild for the first time in January 2022 for Windows users and in March 2022 for Mac users by the VMware Carbon Black Managed Detection and Response (MDR) team.

The ChromeLoader is one of the most widespread and persistent malware programs on the web. A surge in Chromeloader infections occurred in Q1 2022, with the cybersecurity researchers from Red Canary theorizing the malware was used by affiliate marketers and advertisers to defraud them of their money.

- Advertisement - SIEM as a Service

To perform click fraud and earn money for the threat actors, the malware infects Chrome with a malicious extension in order to redirect user traffic to advertising websites.

Technical Analysis

The malicious campaign that caused this problem was traced back to a threat actor tracked as DEV-0796 that infected victims with several different types of malware by using Chromeloader.

In addition to ChromeLoader, there are several variants of the program such as ChromeBack and Choziosi Loader which are known.

The malware called ChromeLoader is delivered in the form of ISO files that may be downloaded from any of the following sources:-

  • Malicious ads
  • Browser redirects
  • YouTube video comments

After Microsoft began blocking Office macros by default, ISO files have become one of the most popular methods of distributing malware.

Additionally, Windows 10 and later automatically mount ISO files as CDROMs when double-clicking them. By doing so, they provide an efficient method for disseminating multiple malware files simultaneously.

There are four files that are commonly included in ChromeLoader ISOs:-

  • A ZIP archive containing the malware
  • An ICON file
  • A batch file (commonly named Resources.bat) 

A batch file is then created, which launches a batch program, and is installed along with the malware.

In the past few months, VMware has tested quite a few Chromeloader variations, but the most interesting ones have appeared after August when VMware began testing them for the first time.

A program mimicking OpenSubtitles can be seen as the first example, which allows users to locate subtitles for movies or TV shows by using a specialized application.

There was a noticeable change in the threat actors’ usual “Resources.bat” file during this campaign. As soon as this file was switched, the malware was installed in the registry, and persistence was established by adding registry keys to the registry file.

The Enigma ransomware has been seen to be deployed as an HTML file using some recent Chromeloader variants. The Enigma ransomware strain is an old one that uses a JavaScript installation process to spread.

Chromeloader was originally developed as adware. This is a perfect example of threat actors finding a more profitable alternative to advertising fraud by experimenting with more powerful payloads.

Download Free SWG – Secure Web Filtering – E-book

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling...