Friday, March 29, 2024

ChromeLoader – New Malware Using a browser Extension to Attack Organizations

New variants of ChromeLoader, a malware that steals information from websites, have been discovered by security researchers at Palo Alto Networks Unit 42, demonstrating how quickly the malware is evolving its features over time.

Malware such as ChromeLoader hijacks victims’ browser searches to display advertisements and hacks their browser search engine results. 

In January 2022, ChromeLoader was discovered and is being distributed as ISO or DMG files that can be downloaded from sites like Twitter and free gaming websites by using QR codes attached to the URL.

A number of cybersecurity groups have also given ChromeLoader the following names:-

  • Choziosi Loader
  • ChromeBack

Different Variants

Here below we have mentioned all the different variants of this malware:-

  • Variant 0: The Real First Windows Variant
  • Variant 1: Infection Vector
  • Variant 2: Second Windows Variant
  • MacOS Variant

Technical Analysis

In the case of the adware in question, what is noteworthy is that it has been crafted as an extension for the browser rather than an executable (.exe) or Dynamic Link Library (.dll) for Windows.

As a general rule, these infections are spread through malicious advertising campaigns on pay-per-install sites and social media that are meant to lure users into downloading fake movie torrents or fake cracked video games and software.

In addition, it has also been designed so that it can intercept all searches performed by users using search engines like:-

  • Google
  • Yahoo
  • Bing 

This allows the threat actors to gather sensitive information about the users’ online activities by accessing their web browser data and manipulating web requests.

Initially, ChromeLoader malware was seen targeted at Windows users in January, and a macOS variant was seen targeted at macOS users in March.

There are several attacks that have been attributed to the malware, although the first reported attack occurred in December 2021. In that case, the executable was created using an AutoHotKey compiler, as opposed to the ISO files that are now commonly seen.

In addition, it is also claimed that the first version of this malware lacks obfuscation abilities. In later iterations of the malware, this feature has been incorporated in order to disguise the purpose and the malicious code behind the malware.

It is clear from this attack chain that two emerging trends are gaining popularity among malware authors – the use of ISO (and DMG) files, as well as the use of browser extensions – that security products and even average users, should be aware of.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles