All types of web browsers targeted by the ChromeLoader hijacker

June 3, 2022

The ChromeLoader browser hijacker has become increasingly active against several browsers this month, and the volume of attacks has risen steadily since the start of the year.

The hijacker alters victims’ web browser settings so that search results are laced with advertisements for unwanted software, adult games, explicit content, fake giveaways and dating websites.

Its operators profit through an affiliate marketing scheme that redirects user traffic to advertising websites. Researchers also spotted a Twitter post promoting cracked Android games via a QR code that sends unsuspecting users to sites hosting malware.

ChromeLoader is also notable for its infection route, its persistence, and the sheer volume of infections.


Researchers report that the ChromeLoader hijacker uses a malicious ISO image file as its infection vector.


The ISO is disguised as a cracked executable for commercial software or a game, so victims download it themselves from malicious or torrent sites. When a user opens the ISO file on Windows 10 or an earlier version, it is mounted as a virtual CD-ROM drive. The image contains an executable that poses as a cracked keygen or game, named CS_Installer[.]exe.

ChromeLoader then executes a decoded PowerShell command that retrieves an archive from a remote resource and loads its contents as a Google Chrome extension. The PowerShell script then removes a scheduled task, leaving Chrome infected with a malicious extension that hijacks the browser.

The threat actors subsequently manipulate the infected browser to show malicious entries in search engine results.
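As an added example that is not code from the article or from the researchers it cites, the Python below triages constructed process-creation events for the Windows chain just described: an executable launched from the root of a mounted image, an encoded PowerShell command, and scheduled-task activity in the decoded script. The event tuples, file paths and the `load-extension` keyword are assumptions; CS_Installer[.]exe is the only name taken from the article.

```python
import base64
import re

# Constructed process-creation events (image, parent image, command line), not
# real telemetry. They mimic the chain described above: an installer run from a
# mounted ISO spawns encoded PowerShell that registers a scheduled task.
def encode_for_powershell(script: str) -> str:
    """PowerShell -EncodedCommand expects base64 over the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ("E:\\CS_Installer.exe", "C:\\Windows\\explorer.exe", "E:\\CS_Installer.exe"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "E:\\CS_Installer.exe",
     "powershell.exe -w hidden -enc "
     + encode_for_powershell("Register-ScheduledTask -TaskName 'Sample'")),
    ("C:\\Windows\\System32\\notepad.exe", "C:\\Windows\\explorer.exe", "notepad.exe readme.txt"),
]
# PowerShell accepts any unambiguous prefix of -EncodedCommand; match the common ones.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Verbs in the decoded script worth review (load-extension is an assumption; the article names no flag).
SUSPICIOUS = ("schtasks", "register-scheduledtask", "downloadstring",
              "invoke-webrequest", "load-extension")

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # malformed base64 (binascii.Error is a ValueError)
        return None

def triage(events):
    """Tag each event with the indicators it matches; drop untagged events."""
    findings = []
    for image, parent, cmdline in events:
        tags = []
        if re.match(r"^[D-Z]:\\[^\\]+\.exe$", image, re.I):
            tags.append("exe_at_root_of_non_system_drive")  # weak signal: mounted image?
        if "cs_installer.exe" in (image + parent).lower():
            tags.append("installer_name_reported_for_chromeloader")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            tags.append("encoded_powershell")
            tags += ["script_mentions:" + k for k in SUSPICIOUS if k in decoded.lower()]
        if tags:
            findings.append({"image": image, "tags": tags, "decoded": decoded})
    return findings
```

The drive-letter check is deliberately weak on its own; it is the combination with an encoded command whose decoded body names task-scheduling or download verbs that makes an event worth pulling for review.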

ChromeLoader can also target macOS systems and manipulate Apple’s Safari browser. On macOS, the infection process uses Apple Disk Image files instead of ISO files.

These findings will help security teams build layered defences against the ChromeLoader hijacker, and they illustrate how threats abuse dubious ISO files and PowerShell commands.

Experts recommend consulting the Safari and Chrome guidelines on managing, restricting, or removing malicious extensions to protect devices.
