Chromeloader - a Pushy Malvertiser
Incident Report for Ascend Security Events
Resolved

Source: Red Canary

ChromeLoader is a pervasive and persistent browser hijacker that modifies its victims' browser settings and redirects user traffic to advertisement websites. The malware is introduced via an ISO file that baits users into executing it by posing as a cracked video game, pirated movie, or TV show, and it eventually manifests as a browser extension. ChromeLoader has seen a vast increase in detections over the past couple of weeks.

Like most suspicious browser extensions, ChromeLoader is a relatively benign threat that hijacks user search queries and redirects traffic to an advertising site. However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique not seen very often. This introduces the opportunity to go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions.

A macOS version of the ChromeLoader malware was discovered in late April that is capable of loading malicious extensions into both the Chrome and Safari web browsers. The macOS variant uses the same initial access technique as the Windows variant: baited social media posts with QR codes or links that direct users to malicious pay-per-install download sites. Instead of originating as an ISO, the macOS variant arrives as an Apple Disk Image (DMG) file. And unlike the Windows variant, the DMG file contains an installer script that drops payloads for either Chrome or Safari, rather than a portable executable file.

Indicators of Compromise:

As a result, Ascend Technologies has deployed detections for the known IOCs across our EDR, SIEM, and anti-malware platforms. These IOCs include IP addresses and hash values, which give us the ability to detect and alert. As is the case with most malware, end users are the targets, which makes maintaining a robust security posture highly important, including end-user training to develop safe and secure internet browsing habits.
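As an added example, not code from this report or from Red Canary, the following Python sketches the two checks discussed above over constructed process-creation events: a SHA-256 match against the IOC set, and PowerShell launching a browser with an extension side-loaded. It assumes the PowerShell-to-extension step shows up in telemetry as the browser being started with the --load-extension switch, and that events carry image, parent_image, command_line and sha256 fields; the hash values and paths are constructed placeholders, not the report's IOCs.

```python
import json

# Constructed placeholder SHA-256 values; swap in the report's IOC hashes.
KNOWN_BAD_SHA256 = {"a1" * 32, "b2" * 32}
BROWSERS = {"chrome.exe", "msedge.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> list:
    """Detection reasons that fire for one process-creation event.
    Assumed telemetry keys: image, parent_image, command_line, sha256."""
    reasons = []
    if event.get("sha256", "").lower() in KNOWN_BAD_SHA256:
        reasons.append("ioc_sha256_match")
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmdline = event.get("command_line", "").lower()
    # PowerShell starting a browser with an unpacked extension directory is the
    # assumed telemetry footprint of the PowerShell-to-extension step above.
    if image in BROWSERS and parent in POWERSHELL and "--load-extension" in cmdline:
        reasons.append("powershell_loads_browser_extension")
    return reasons


def scan(jsonl: str) -> dict:
    """Run classify() over newline-delimited JSON events; return only the hits."""
    hits = {}
    for line in filter(str.strip, jsonl.splitlines()):
        event = json.loads(line)
        if reasons := classify(event):
            hits[event["id"]] = reasons
    return hits


# Constructed sample events in an EDR-like shape; paths and hashes are illustrative.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"powershell.exe -File E:\setup.ps1", "sha256": "c3" * 32},
    {"id": 2, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'chrome.exe --load-extension="C:\Users\u\AppData\Local\Temp\ext"',
     "sha256": "d4" * 32},
    {"id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "chrome.exe --profile-directory=Default", "sha256": "d4" * 32},
    {"id": 4, "image": r"E:\install.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "install.exe", "sha256": "a1" * 32},
])
```

Running scan(SAMPLE_EVENTS) flags event 2 for the PowerShell-launched extension load and event 4 for the hash match; events 1 and 3 stay quiet, so a plain browser start or an unrelated PowerShell script does not alert on its own.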

Author: Evan Obal

Source: https://redcanary.com/blog/chromeloader/
Posted May 26, 2022 - 11:43 CDT