securityaffairs.co Open in urlscan Pro
2001:8d8:100f:f000::289  Public Scan

Form analysis
1 forms found in the DOM

Name: searchform — GET https://securityaffairs.co/wordpress/

<form role="search" method="get" name="searchform" id="searchform" action="https://securityaffairs.co/wordpress/">
  <div>
    <input type="text" value="" name="s" id="s" autocomplete="off" title="Search..." class="blur">
    <button type="submit">
      <i class="fa fa-search"></i>
    </button>
  </div>
  <div id="autocomplete"></div>
</form>

Text Content

 * Home
 * Cyber Crime
 * Cyber warfare
 * APT
 * Data Breach
 * Deep Web
 * Digital ID
 * Hacking
 * Hacktivism
 * Intelligence
 * Internet of Things
 * Laws and regulations
 * Malware
 * Mobile
 * Reports
 * Security
 * Social Networks
 * Terrorism
 * ICS-SCADA
 * EXTENDED COOKIE POLICY
 * Contact me


MUST READ

Headlines
 * A 15-Year-Old Unpatched Python bug potentially impacts over 350,000 projects
 * Atlassian Confluence bug CVE-2022-26134 exploited in cryptocurrency mining
   campaign
 * A disgruntled developer is the alleged source of the leak of the Lockbit 3.0
   builder
 * Over 39K unauthenticated Redis services on the internet targeted in
   cryptocurrency campaign
 * Hackers stole $160 Million from Crypto market maker Wintermute
 * U.S. gov adds more Chinese Telecom firms to the Covered List



 * Home
 * Cyber Crime
 * Cyber warfare
 * APT
 * Data Breach
 * Deep Web
 * Digital ID
 * Hacking
 * Hacktivism
 * Intelligence
 * Internet of Things
 * Laws and regulations
 * Malware
 * Mobile
 * Reports
 * Security
 * Social Networks
 * Terrorism
 * ICS-SCADA
 * EXTENDED COOKIE POLICY
 * Contact me


IT GIANTS WARN OF ONGOING CHROMELOADER MALWARE CAMPAIGNS

September 20, 2022  By Pierluigi Paganini


Powered by pixfutureⓘ


VMWARE AND MICROSOFT ARE WARNING OF A WIDESPREAD CHROMELOADER MALWARE CAMPAIGN
THAT DISTRIBUTES SEVERAL MALWARE FAMILIES.

ChromeLoader is a malicious Chrome browser extension, it is classified as a
pervasive browser hijacker that modifies browser settings to redirect user
traffic.

Powered by pixfutureⓘ

The malware is able to redirect the user’s traffic and hijacking user search
queries to popular search engines, including Google, Yahoo, and Bing. The
malicious code is also able to use PowerShell to inject itself into the browser
and added the extension to the browser.

In May, researchers from Red Canary observed a malvertising campaign spreading
the ChromeLoader malware that hijacks the victims’ browsers.

This week, VMware and Microsoft warned of an ongoing, widespread Chromeloader
malware campaign that is dropping malicious browser extensions, node-WebKit
malware, and ransomware.



Microsoft spotted an ongoing widespread click fraud campaign, the IT giant
attributes the campaign to a threat actor tracked as DEV-0796. Attackers attempt
to monetize clicks generated by a browser node-webkit or malicious browser
extension they have secretly installed on victims’ devices.

This attack chain starts with an ISO file that’s downloaded when a user clicks
malicious ads or YouTube comments. Upon opening the ISO file, a browser
node-webkit (NW.js) or a browser extension is installed. Experts also observed
threat actors using DMG files in order to target also macOS systems.

VMware published a report that provides technical details about multiple
Chromeloader variants that the company observed since August.

“While thought to be just a credential stealing browser hijacker, ChromeLoader
has been seen in its newest variants to be delivering more malicious malware and
used for other nefarious purposes.” reads the report published by the
virtualization giant.

As recently as late August, ChromeLoader has been used to drop ZipBombs onto
infected systems, the malware was used to destroy the user’s system by
overloading it with data.

Experts also observed the use of ChromeLoader to download the Enigma Ransomware
which is distributed in HTML attachments found in the ISO archive.  Upon opening
the attachment, it will launch the default browser, execute its embedded
javascript, and then follow its standard chain.  

Other notable variants are a fake version of OpenSubtitles, which is a
legitimate program that helps users find subtitles for popular movies and TV
shows, and a fake version of Flbmusic.exe which is a legitimate program for
cross-platform music playing. 

“It’s no surprise that this pesky adware has been one of our most frequent
attacks.  This campaign has gone through many changes over the past few months,
and we don’t expect it to stop.” concludes VMware. “As we’ve seen in previous
Chromeloader infections, this campaign widely leverages powershell.exe and is
likely to lead to more sophisticated attacks.”

Follow me on Twitter: @securityaffairs and Facebook



Pierluigi Paganini

(SecurityAffairs – hacking, malware)







Share this...

Facebook
Twitter
Linkedin


SHARE THIS:

 * Email
 * Twitter
 * Print
 * LinkedIn
 * Facebook
 * More
 * 

 * Tumblr
 * Pocket
 * 
 * 


ChromeLoaderCybercrimeHackinghacking newsinformation security newsIT Information
SecuritymalwarePierluigi PaganiniSecurity AffairsSecurity News


--------------------------------------------------------------------------------

SHARE ON

 * 
 * 
 * 
 * 
 * 
 * 
 * 


PIERLUIGI PAGANINI

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and
Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he
is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security
expert with over 20 years experience in the field, he is Certified Ethical
Hacker at EC Council in London. The passion for writing and a strong belief that
security is founded on sharing and awareness led Pierluigi to find the security
blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some
major publications in the field such as Cyber War Zone, ICTTF, Infosec Island,
Infosec Institute, The Hacker News Magazine and for many other Security
magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency
and Bitcoin”.




--------------------------------------------------------------------------------

PREVIOUS ARTICLE

Revolut security breach: data of +50,000 users exposed

NEXT ARTICLE

American Airlines disclosed a data breach

--------------------------------------------------------------------------------





YOU MIGHT ALSO LIKE


A 15-YEAR-OLD UNPATCHED PYTHON BUG POTENTIALLY IMPACTS OVER 350,000 PROJECTS

September 22, 2022  By Pierluigi Paganini

ATLASSIAN CONFLUENCE BUG CVE-2022-26134 EXPLOITED IN CRYPTOCURRENCY MINING
CAMPAIGN

September 22, 2022  By Pierluigi Paganini






 * SPONSORED CONTENT
   
   
 * 


 * PIXFUTURE

 * 


 * DIGGING THE DEEP WEB: EXPLORING THE DARK SIDE OF THE WEB


 * CENTER FOR CYBER SECURITY AND INTERNATIONAL RELATIONS STUDIES


 * SUBSCRIBE SECURITY AFFAIRS NEWSLETTER


 * SECURITYAFFAIRS AWARDED AS BEST EUROPEAN CYBERSECURITY TECH BLOG AT EUROPEAN
   CYBERSECURITY BLOGGER AWARDS




More Story

REVOLUT SECURITY BREACH: DATA OF +50,000 USERS EXPOSED

Revolut has suffered a cyberattack, threat actors have had access to personal
information of tens of thousands of customers. The...
Copyright 2021 Security Affairs by Pierluigi Paganini All Right Reserved.
Back to top
 * Home
 * Cyber Crime
 * Cyber warfare
 * APT
 * Data Breach
 * Deep Web
 * Digital ID
 * Hacking
 * Hacktivism
 * Intelligence
 * Internet of Things
 * Laws and regulations
 * Malware
 * Mobile
 * Reports
 * Security
 * Social Networks
 * Terrorism
 * ICS-SCADA
 * EXTENDED COOKIE POLICY
 * Contact me

We use cookies on our website to give you the most relevant experience by
remembering your preferences and repeat visits. By clicking “Accept All”, you
consent to the use of ALL the cookies. However, you may visit "Cookie Settings"
to provide a controlled consent.
Cookie SettingsAccept All
Manage consent
Close

PRIVACY OVERVIEW

This website uses cookies to improve your experience while you navigate through
the website. Out of these cookies, the cookies that are categorized as necessary
are stored on your browser as they are essential for the working of basic
functionalities...
Necessary
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly.
This category only includes cookies that ensures basic functionalities and
security features of the website. These cookies do not store any personal
information.
Non-necessary
Non-necessary
Any cookies that may not be particularly necessary for the website to function
and is used specifically to collect user personal data via analytics, ads, other
embedded contents are termed as non-necessary cookies. It is mandatory to
procure user consent prior to running these cookies on your website.
SAVE & ACCEPT