This month, the number of attacks using ChromeLoader malware has sharply increased, experts from Red Canary warn.
ChromeLoader is a browser interceptor capable of modifying the victim’s browser settings so that the search results display resources with unwanted software, fraudulent promotions and research, adult games and dating sites. Its operators make a profit by redirecting user traffic to advertising sites.
ChromeLoader differs from other interceptors of this kind in its ability to maintain consistency on the system, the scale of attacks and aggressive use of PowerShell.
To infect victims, the malware uses a malicious ISO archive file disguised as a hacked game or commercial software. That is, the victims themselves download it from torrents or malicious sites.
When the user double-clicks on this file on a computer running Windows 10 or 11, it will be installed as a virtual CD-ROM. The file contains an executable file CS_Installer.exe , issued as a game/software activation key.
Eventually, ChromeLoader executes and decodes a PowerShell command that extracts an archive from a remote resource and downloads it as an extension for Google Chrome. Next, PowerShell deletes the scheduled task, leaving Chrome infected with a secretly embedded extension that manipulates search results.
ChromeLoader also attacks macOS and can fake search results in both Chrome and Apple Safari, but DMG (Apple Disk Image) files are used instead of the ISO file.