ChromeLoader – New Malware Using a browser Extension to Attack Organizations

New variants of ChromeLoader, a malware that steals information from websites, have been discovered by security researchers at Palo Alto Networks Unit 42, demonstrating how quickly the malware is evolving its features over time.

Malware such as ChromeLoader hijacks victims’ browser searches to display advertisements and hacks their browser search engine results. 

In January 2022, ChromeLoader was discovered and is being distributed as ISO or DMG files that can be downloaded from sites like Twitter and free gaming websites by using QR codes attached to the URL.

A number of cybersecurity groups have also given ChromeLoader the following names:-

• Choziosi Loader
• ChromeBack

Different Variants

Here below we have mentioned all the different variants of this malware:-

• Variant 0: The Real First Windows Variant
• Variant 1: Infection Vector
• Variant 2: Second Windows Variant
• MacOS Variant

Technical Analysis

In the case of the adware in question, what is noteworthy is that it has been crafted as an extension for the browser rather than an executable (.exe) or Dynamic Link Library (.dll) for Windows.

As a general rule, these infections are spread through malicious advertising campaigns on pay-per-install sites and social media that are meant to lure users into downloading fake movie torrents or fake cracked video games and software.

In addition, it has also been designed so that it can intercept all searches performed by users using search engines like:-

• Google
• Yahoo
• Bing

This allows the threat actors to gather sensitive information about the users’ online activities by accessing their web browser data and manipulating web requests.

Initially, ChromeLoader malware was seen targeted at Windows users in January, and a macOS variant was seen targeted at macOS users in March.

There are several attacks that have been attributed to the malware, although the first reported attack occurred in December 2021. In that case, the executable was created using an AutoHotKey compiler, as opposed to the ISO files that are now commonly seen.

In addition, it is also claimed that the first version of this malware lacks obfuscation abilities. In later iterations of the malware, this feature has been incorporated in order to disguise the purpose and the malicious code behind the malware.

It is clear from this attack chain that two emerging trends are gaining popularity among malware authors – the use of ISO (and DMG) files, as well as the use of browser extensions – that security products and even average users, should be aware of.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.