Since early February, Red Canary researchers have been tracking malware that infects victims' browsers and hijacks their browsing. In recent days the malware appears to have become more active and poses a growing risk to all Chrome users.
The malware, which Red Canary calls ChromeLoader, spreads through ISO files disguised as cracked video games or pirated movies and TV shows. One infection vector is posts on Twitter offering cracked Android games and asking users to scan a QR code to get them. Anyone who scans the code is redirected to a malicious site that serves the malicious ISO file.
Once the ISO is mounted, it presents an executable posing as a game crack; in reality it is an installer that adds ChromeLoader to Chrome as a browser extension. Once installed, the extension modifies Chrome's settings so that the user's searches return sites pushing unwanted software, fake surveys, or adult content. The operators make money from the advertising revenue these redirects generate.
As the Red Canary researchers note, this behavior is typical of adware of this kind and is generally not considered very dangerous. What sets ChromeLoader apart is its use of PowerShell to inject itself into the browser and install the extension, a technique that is unusual and, they say, is sometimes missed by security software.
"If applied to a threat that has a greater impact - such as malware that collects credentials or spyware - this PowerShell behavior may help it obtain initial access and go undetected until it engages in more harmful activities, such as extracting data from user browser sessions."
To resist removal, ChromeLoader aggressively redirects users away from Chrome's extension management page (chrome://extensions) whenever they try to open it.
Windows users are not the only ones threatened by ChromeLoader. macOS users are targeted too, by a variant capable of installing malicious extensions in both Chrome and Safari. The infection chain and the malware's behavior mirror the Windows version, except that the payload is delivered as a DMG file instead of an ISO.
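As an added illustration (not code from Red Canary, BleepingComputer or The Hacker News), the Python below runs simple detection logic over a handful of constructed, Sysmon-style process-creation events to show how a defender might catch the PowerShell-driven extension install described above. The indicators it keys on are assumptions, since the article does not say exactly how the extension is loaded: Chrome's --load-extension command-line switch, which side-loads an unpacked extension without going through the Web Store, and PowerShell's -EncodedCommand switch, which hides the script body behind base64-encoded UTF-16LE. The file paths, user name and extension directory are made up.

```python
"""Detect PowerShell side-loading a Chrome extension in process-creation telemetry.

Added example; the sample events are constructed, not real telemetry, and the
--load-extension / -EncodedCommand indicators are assumptions about how a loader
of this kind would behave, not details reported in the article.
"""
import base64
import re

# Constructed paths (assumed; not taken from any real sample)
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
EXT_DIR = r"C:\Users\bob\AppData\Roaming\cache_ext"


def encode_powershell(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon Event ID 1 style records
SAMPLE_EVENTS = [
    # 0: ordinary user launch of Chrome, nothing to flag
    {"ParentImage": EXPLORER, "Image": CHROME, "CommandLine": f'"{CHROME}"'},
    # 1: PowerShell starting Chrome with an unpacked extension side-loaded
    {"ParentImage": PS, "Image": CHROME,
     "CommandLine": f'"{CHROME}" --load-extension="{EXT_DIR}"'},
    # 2: hidden, encoded PowerShell whose decoded body does the same thing
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell.exe -WindowStyle Hidden -enc "
                    + encode_powershell(
                        f"Start-Process '{CHROME}' -ArgumentList '--load-extension={EXT_DIR}'")},
    # 3: benign PowerShell, should not fire
    {"ParentImage": EXPLORER, "Image": PS,
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
]

LOAD_EXTENSION = re.compile(r"--load-extension", re.IGNORECASE)
# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the base64 blob follows
ENCODED_ARG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def is_chrome(image: str) -> bool:
    return image.lower().endswith("chrome.exe")


def decode_encoded_command(command_line: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> list:
    """Return (severity, reason) findings for one process-creation event."""
    findings = []
    image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]

    # Chrome told to side-load an unpacked extension; worse when PowerShell is the parent
    if is_chrome(image) and LOAD_EXTENSION.search(cmd):
        if is_powershell(parent):
            findings.append(("high", "PowerShell launched Chrome with --load-extension"))
        else:
            findings.append(("medium", "Chrome launched with --load-extension"))

    # Encoded PowerShell: decode it and look at what it actually does
    if is_powershell(image):
        script = decode_encoded_command(cmd)
        if script is not None:
            if LOAD_EXTENSION.search(script) or "chrome" in script.lower():
                findings.append(("high", "encoded PowerShell targets Chrome: " + script.strip()[:60]))
            else:
                findings.append(("low", "encoded PowerShell command"))
    return findings


def scan(events: list) -> list:
    """Run analyze_event over a batch; returns [(event_index, severity, reason), ...]."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in analyze_event(ev)]


if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{sev}] {why}")
```

Against the constructed events, only records 1 and 2 fire, both as high-severity findings; the plain Chrome launch and the benign PowerShell command produce nothing. Decoding -EncodedCommand rather than matching on the raw base64 is the important step: the encoded form looks different every time the extension directory or quoting changes, while the decoded script still contains the switch.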
Source: BleepingComputer / The Hacker News