Researchers at RedCanary (thanks, bleepingcomputer) have noticed an uptick in ChromeLoader activity since the beginning of the year. This malware can completely take over your browser, manipulating search results in an effort to get you to click into a network of shady malicious sites and potentially steal your user data.
This nasty bit of malware is what is called a browser hijacker. It changes a user's browser settings to display search results and ads for bogus sites, surveys, and even adult games on both Windows PCs and macOS systems. Despite being called ChromeLoader, it does affect Apple Safari in addition to Google Chrome.
According to RedCanary's research, the way ChromeLoader infiltrates most systems is by way of a malicious ISO archive file disguised as a cracked executable for a computer game or commercial software and distributed through torrent sites. Additionally, QR codes inside of Twitter posts promoting cracked Android games have also been found to contain links to ChromeLoader distributing sites.
- A web3 free-to-play survival game found to be a front for installing malware on your PC has finally been removed from Steam
- An FPS studio pulled its game from Steam after it got caught linking to malware disguised as a demo, but the dev insists it was actually the victim of a labyrinthine conspiracy
In most cases, after being infected with a browser hijacker the user is redirected to a series of bad sites that are usually part of an affiliate network. Each visit to these sites funnels revenue to the malware's creator. ChromeLoader does that and more.
RedCanary says that "ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools)."
RedCanary goes on to outline a worst case scenario for this kind of malware: "If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions."
On Macs, ChromeLoader has a similar MO where once you double-click on the DMG file, its installer script takes over and the bad browser extension starts to do its thing.
The best advice we can give is that if you frequent torrent sites, exercise an extra layer of caution when clicking on any links, and don't open any executable files you don't recognize. And if you see an advertisement for a cracked version of Cyberpunk 2070, just don't click on it.
