Since its discovery early this year, the ChromeLoader malvertising threat has seen a new rise in activity.
According to Aedan Russell of Red Canary, the malware is a “pervasive and persistent browser hijacker that alters its victims’ browser settings and redirects user traffic to advertisement websites.”
ChromeLoader is a rogue Chrome browser extension that is generally delivered as ISO files through pay-per-install sites and baited social media posts that promote QR codes for cracked video games and pirated movies.
While its primary function is hijacking searches made on Google, Yahoo, and Bing and redirecting that traffic to advertising sites, it is also notable for using PowerShell to fetch the extension and inject it into the browser.
The malware, also known as Choziosi Loader, was initially discovered in February by G DATA.
“For the time being, the only goal is to generate cash through uninvited adverts and search engine hijacking,” G DATA’s Karsten Hahn explained. “However, loaders seldom stick to a single payload in the long run, and malware developers improve their programs over time.”
Another trick ChromeLoader has up its sleeve: it redirects users away from the Chrome extensions page (“chrome://extensions”) whenever they try to uninstall the add-on.
Furthermore, researchers discovered a macOS variant of the malware that targets both Chrome and Safari, making ChromeLoader a cross-platform threat.
“If applied to a higher-impact threat, such as a credential harvester or spyware,” Russell explained, “this PowerShell behavior might let malware get an early footing and go unnoticed before doing more openly malicious activities, such as exfiltrating data from a user’s browser sessions.”