Nilaa Maharjan, Logpoint Global Services & Security Research

This blog post provides an overview of the research conducted on a surge of increasing threat – malvertizers, specifically, Chromeloader. The blog post is accompanied by a Logpoint Emerging Threats Protection report, covering detection methods, investigation playbooks, and recommended responses and best practices. However not specific to chrome, or the only variant running around, this case study is a real threat that has ramped up in recent weeks.

Dubbed ChromeLoader, the malware is a persistent browser hijacker that alters victims’ browser settings and redirects traffic to advertising websites. This malware is spread using an ISO file that pretends to be a cracked video game, a pirated movie, or a TV show to trick people into running it. It eventually takes the form of a browser add-on.

Newer attack vectors are on the rise – trying to move away massively from any system dependencies. Due to its prevalent market dominance and relaxed extension policies, the new target in town is Chrome.

ChromeLoader is a pretty innocent browser extension that hijacks user search queries and sends traffic to an advertising site, similar to most suspicious browser extensions. Colloquially known as “malvertising” ChromeLoader is rising as a campaign, a part of a larger and widespread financially motivated pattern. The attackers are assumed to be a part of a wider network of marketing affiliates and redirect the user to advertising sites. What ChromeLoader does differently than the rest of the malvertising campaigns is that it injects itself into the browser and adds a malicious extension to it using PowerShell, which is a technique that is not very often used and hence, often goes undetected by many security tools. More of a nuisance than an impactful threat, ChromeLoader might seem like a run-of-the-mill browser hijacker, but its peculiar use of PowerShell could spell deeper trouble – says Aedan Russell, a security researcher at Red Canary.

Attack Scenario

The malware operators use a malicious ISO archive file to invade the system similar to a previous malware loader we covered, the Bumblebee. This shows the growing use of loaders as an attack vector, particularly ISO. This file is advertised as a cracked executable for commercial software or a video game, allowing victims to download it via malicious websites or torrents.

In addition, malware authors are also spreading the infected executable through Twitter messages, which is how the first attack was found in the wild.

The file is mounted as a virtual CD-ROM drive when a user double-clicks it in Windows 10 or later systems. The main component in this ISO file, CS Installer.exe, masquerades as a keygen or game crack, but it unleashes the infection.

This is where it parts ways from Bumblebee, and what makes ChromeLoader more potent as it develops.

ChromeLoader runs/decodes a PowerShell command to retrieve an archive from the remote resource and installs it as a Chrome extension on the system. Following that, PowerShell deletes the scheduled task and infects Chrome with a hidden plugin that hijacks and manipulates the browser’s results.

ChromeLoader operators also target macOS systems to modify Safari and Chrome, according to Red Canary researchers. On macOS, the infection chain is identical, but instead of ISO files, attackers utilize DMG (Apple Disk Image) files.

Furthermore, with macOS, an installer bash script is used to download and decompress the malware extension onto the private/var/tmp directory, rather than the executable containing the installer.

Attack Flow

Here’s how it works:

  1. On Twitter and other social media platforms, fake files are propagated, usually as cracked “free“ versions of legitimate applications. Some of the infected computers get the virus from shady websites and/or torrents.
  2. Some social media posts use QR codes to promote allegedly cracked Android games, leading potential gamers to suspicious/phishing websites.
  3. The ISO file is mounted as a virtual CD-ROM by double-clicking it.
    The ISO’s executable purports to be the content that the victim was looking for.
  4. To load a Chrome extension from a remote resource, ChromeLoader uses a PowerShell command.
    The scheduled task is subsequently removed by PowerShell, and the victim is unaware that their browser has been hacked.
    At this point, the user will be presented with false search result entries that should not be trusted, irrespective of the page they are on.
  5. This attack also affects users of Mac OS X.
    Attackers employ DMG (Apple Disk Image) files instead of ISO files, which are a more frequent format on that OS.

Basics to stay clear from ChromeLoader

It’s a dangerous business looking for cracked games and software either from a private or an organizational standpoint. Many sites that promote malware disguised as “legitimate” crack websites are difficult to detect. If you’re downloading a torrent, you might as well be gambling with your devices’ digital health. It is a good idea to add ISO files to a list of items that can’t be downloaded in your organization.

Firstly, because ChromeLoader is distributed as an ISO file, and secondly, it is unlikely that your employees will need to handle ISO files at work.

As a result, it’s a good idea to add ISO files to your list of items that can’t be downloaded.

If an employee needs an ISO file to be downloaded from the internet, they should contact the IT team to make the necessary arrangements. Employees will be less likely to access infected ISO files if torrent sites like PirateBay are blocked, therefore including this in filters is recommended as well.

Finally, add ons like ChromeLoader prey on the gullibility of the average internet user.

A Chrome extension is a beneficial ally for the common individual, not something to be afraid of.
Deep discounts on video games and other items are fairly typical.
Individually, to check if an unknown extension has been downloaded and installed, one can:

  • Click the More icon in Chrome, then More Tools -> Extensions.
    You can check what’s installed, what’s active or disabled, and more information about all the extensions that are installed from there.
    Resetting browser settings and other cleanup methods are also recommended by Google.

This type of attack can be avoided by keeping your security software up to date and running regular scans. Before you utilize a downloaded file, you should always scan it. Remember that rogue extensions can come from anywhere, not only bad websites or malicious downloads.

Due to the more relaxed policies in the Chrome web store, there have been incidents of malicious extensions being available for download to the general public. Before installing a new extension to your browser, always check reviews, developer information, extension permissions, and anything else important.

ChromeLoader is an example of how quickly loader-based attacks have been rising. Even if an organization took Bumblebee seriously and set up all proper checkpoints, the attacks have been mutating at an alarming rate. As we pointed out previously, most SIEM and XDR solutions already lack the necessary analytics across numerous data sources. the real issue is that they rely on rule-based machine learning models that are fixed and unable to adapt to threat actors’ varying techniques and tools. This allows attackers to easily deliver malicious payloads once they have gained initial entry into the network, most often via a phishing attack.

We have created a curated list of Alerts that are available for download through the downloads page. Logpoint’s Security Research and Global Services teams have put together a report going into detail about the methods and evolution of ChromeLoader, best security practices, and how to detect, investigate, and respond using Logpoint.

ET Chrome loader blog visual (1)

For more in-depth information:

Download the report

For more in-depth information:

Download the report for free