An ongoing, widespread Chromeloader malware campaign has been warned by Microsoft and VMware. It has been identified that this malicious campaign is dropping node-WebKit malware and ransomware, as well as dangerous browser extensions.

ChromeLoader was observed in the wild for the first time in January 2022 for Windows users and in March 2022 for Mac users by the VMware Carbon Black Managed Detection and Response (MDR) team.

The ChromeLoader is one of the most widespread and persistent malware programs on the web. A surge in Chromeloader infections occurred in Q1 2022, with the cybersecurity researchers from Red Canary theorizing the malware was used by affiliate marketers and advertisers to defraud them of their money.

To perform click fraud and earn money for the threat actors, the malware infects Chrome with a malicious extension in order to redirect user traffic to advertising websites.

Technical Analysis

The malicious campaign that caused this problem was traced back to a threat actor tracked as DEV-0796 that infected victims with several different types of malware by using Chromeloader.

In addition to ChromeLoader, there are several variants of the program such as ChromeBack and Choziosi Loader which are known.

The malware called ChromeLoader is delivered in the form of ISO files that may be downloaded from any of the following sources:-

• Malicious ads
• Browser redirects
• YouTube video comments

After Microsoft began blocking Office macros by default, ISO files have become one of the most popular methods of distributing malware.

Additionally, Windows 10 and later automatically mount ISO files as CDROMs when double-clicking them. By doing so, they provide an efficient method for disseminating multiple malware files simultaneously.

There are four files that are commonly included in ChromeLoader ISOs:-

• A ZIP archive containing the malware
• An ICON file
• A batch file (commonly named Resources.bat) 

A batch file is then created, which launches a batch program, and is installed along with the malware.

In the past few months, VMware has tested quite a few Chromeloader variations, but the most interesting ones have appeared after August when VMware began testing them for the first time.

A program mimicking OpenSubtitles can be seen as the first example, which allows users to locate subtitles for movies or TV shows by using a specialized application.

There was a noticeable change in the threat actors’ usual “Resources.bat” file during this campaign. As soon as this file was switched, the malware was installed in the registry, and persistence was established by adding registry keys to the registry file.

The Enigma ransomware has been seen to be deployed as an HTML file using some recent Chromeloader variants. The Enigma ransomware strain is an old one that uses a JavaScript installation process to spread.

Chromeloader was originally developed as adware. This is a perfect example of threat actors finding a more profitable alternative to advertising fraud by experimenting with more powerful payloads.

Download Free SWG – Secure Web Filtering – E-book