threatpost.com
Public Scan
35.173.160.135
URL: https://threatpost.com/chromeloader-hijacker-threats/179761/
Submission Tags: falconsandbox
Submission: On June 01 via api from US — Scanned from DE
Form analysis
4 forms found in the DOM
POST /chromeloader-hijacker-threats/179761/#gf_5
<form method="post" enctype="multipart/form-data" target="gform_ajax_frame_5" id="gform_5" action="/chromeloader-hijacker-threats/179761/#gf_5">
<div class="gform_body gform-body">
<ul id="gform_fields_5" class="gform_fields top_label form_sublabel_below description_below">
<li id="field_5_8" class="gfield field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text" for="input_5_8">Your name</label>
<div class="ginput_container ginput_container_text"><input name="input_8" id="input_5_8" type="text" value="" class="medium" placeholder="Your name" aria-invalid="false"> </div>
</li>
<li id="field_5_1" class="gfield gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text" for="input_5_1">Your e-mail address<span
class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_email">
<input name="input_1" id="input_5_1" type="text" value="" class="medium" placeholder="Your e-mail address" aria-required="true" aria-invalid="false">
</div>
</li>
<li id="field_5_9" class="gfield js-kaspersky-gform-recaptcha-placeholder gform_hidden field_sublabel_below field_description_below gfield_visibility_hidden">
<div class="ginput_container ginput_container_text"><input name="input_9" id="input_5_9" type="hidden" class="gform_hidden" aria-invalid="false" value=""></div>
</li>
<li id="field_5_2" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text gfield_label_before_complex"><span
class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_2">
<li class="gchoice gchoice_5_2_1">
<input class="gfield-choice-input" name="input_2.1" type="checkbox" value="I agree" id="choice_5_2_1">
<label for="choice_5_2_1" id="label_5_2_1">I agree to my personal data being stored and used to receive the newsletter</label>
</li>
</ul>
</div>
</li>
<li id="field_5_5" class="gfield input-without-label label-gdpr gfield_contains_required field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label screen-reader-text gfield_label_before_complex"><span
class="gfield_required"><span class="gfield_required gfield_required_asterisk">*</span></span></label>
<div class="ginput_container ginput_container_checkbox">
<ul class="gfield_checkbox" id="input_5_5">
<li class="gchoice gchoice_5_5_1">
<input class="gfield-choice-input" name="input_5.1" type="checkbox" value="I agree" id="choice_5_5_1">
<label for="choice_5_5_1" id="label_5_5_1">I agree to accept information and occasional commercial offers from Threatpost partners</label>
</li>
</ul>
</div>
</li>
<li id="field_5_10" class="gfield gform_validation_container field_sublabel_below field_description_below gfield_visibility_visible"><label class="gfield_label" for="input_5_10">Name</label>
<div class="ginput_container"><input name="input_10" id="input_5_10" type="text" value=""></div>
<div class="gfield_description" id="gfield_description_5_10">This field is for validation purposes and should be left unchanged.</div>
</li>
</ul>
</div>
<div class="gform_footer top_label"> <input type="submit" id="gform_submit_button_5" class="gform_button button screen-reader-text" value="Subscribe"
onclick="if(window['gf_submitting_5']){return false;} window['gf_submitting_5']=true; "
onkeypress="if( event.keyCode == 13 ){ if(window['gf_submitting_5']){return false;} window['gf_submitting_5']=true; jQuery('#gform_5').trigger('submit',[true]); }" disabled="disabled"
style="display: none;"> <input type="hidden" name="gform_ajax" value="form_id=5&title=&description=&tabindex=0">
<input type="hidden" class="gform_hidden" name="is_submit_5" value="1">
<input type="hidden" class="gform_hidden" name="gform_submit" value="5">
<input type="hidden" class="gform_hidden" name="gform_unique_id" value="">
<input type="hidden" class="gform_hidden" name="state_5" value="WyJbXSIsImIwODQwZTA2ZGQ0NzYwODcyOTBkZjNmZDM1NDk2Y2ZkIl0=">
<input type="hidden" class="gform_hidden" name="gform_target_page_number_5" id="gform_target_page_number_5" value="0">
<input type="hidden" class="gform_hidden" name="gform_source_page_number_5" id="gform_source_page_number_5" value="1">
<input type="hidden" name="gform_field_values" value="">
</div>
<p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="1654041695025">
<script>
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
POST https://threatpost.com/wp-comments-post.php
<form action="https://threatpost.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
<div class="o-row">
<div class="o-col-12@md">
<div class="c-form-element"><textarea id="comment" name="comment" cols="45" rows="8" aria-required="true" placeholder="Write a reply..."></textarea></div>
</div>
</div>
<div class="o-row">
<div class="o-col-6@md">
<div class="c-form-element"><input id="author" name="author" placeholder="Your name" type="text" value="" size="30"></div>
</div>
<div class="o-col-6@md">
<div class="c-form-element"><input id="email" name="email" placeholder="Your email" type="text" value="" size="30"></div>
</div>
</div>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="c-button c-button--primary" value="Send Comment"> <input type="hidden" name="comment_post_ID" value="179761" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="36d325fe6e"></p><!-- the following input field has been added by the Honeypot Comments plugin to thwart spambots -->
<input type="hidden" id="1BHOqgtWehbXHam4H7o6NXVXI" name="uF7noHbzgs0XqwTYoN5qFQvNe">
<script type="text/javascript">
document.addEventListener("input", function(event) {
if (!event.target.closest("#comment")) return;
try {
grecaptcha.render("recaptcha-submit-btn-area", {
"sitekey": "6LfsdrAaAAAAAMVKgei6k0EaDBTgmKv6ZQrG7aEs",
"theme": "standard"
});
} catch (error) {
/*possible duplicated instances*/ }
});
</script>
<script src="https://www.google.com/recaptcha/api.js?hl=en&render=explicit" async="" defer=""></script>
<div id="recaptcha-submit-btn-area"> </div>
<noscript>
<style type="text/css">
#form-submit-save {
display: none;
}
</style>
<input name="submit" type="submit" id="submit-alt" tabindex="6" value="Submit Comment">
</noscript>
<p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_2" name="ak_js" value="1654041695092">
<script>
document.getElementById("ak_js_2").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
GET https://threatpost.com/
<form class="c-site-search__form" role="search" method="get" action="https://threatpost.com/">
<input type="text" class="c-site-search__field" name="s" placeholder="Search">
<button type="submit" class="c-button c-button--secondary c-button--smaller c-site-search__button" value="Search"><svg class="icon fill">
<use xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://threatpost.com/wp-content/themes/threatpost-2018/assets/sprite/icons.svg#icon-search"></use>
</svg> Search</button>
<div class="c-site-search__overlay"></div>
</form>
Text Content
CHROMELOADER BROWSER HIJACKER PROVIDES GATEWAY TO BIGGER THREATS
Author: Elizabeth Montalbano
May 31, 2022 7:38 am
3 minute read

The malvertiser’s use of PowerShell could push it beyond its basic capabilities to spread ransomware or spyware, or to steal data from browser sessions, researchers warn.

ChromeLoader may seem on the surface like a run-of-the-mill browser hijacker that merely redirects victims to advertisement websites. However, its use of PowerShell could pose a greater risk by leading to further and more advanced malicious activity, such as the propagation of ransomware or spyware or the theft of browser-session data.

Researchers are warning of the potential for ChromeLoader—which has seen a resurgence in activity recently—to pose a more sophisticated threat than typical malvertisers do, according to two separate blog posts by Malwarebytes Labs and Red Canary.

ChromeLoader is a pervasive and persistent browser hijacker that eventually manifests as a browser extension, modifying victims’ Chrome settings and redirecting user traffic to advertisement websites. On Windows machines, victims become infected with the malware through ISO files that pose as a cracked video game or pirated films or TV programs, researchers said.

However, ChromeLoader is platform-agnostic, which means users of macOS also are at risk of infection, according to a blog post from Malwarebytes Lead Malware Intelligence Analyst Christopher Boyd. Instead of lurking in ISO files, attackers use DMG (Apple Disk Image) files, a more common macOS format, to hide ChromeLoader, he said.

While its core functionality is fairly benign, ChromeLoader has a unique feature in that it uses PowerShell to inject itself into the browser and add a malicious extension to it—”a technique we don’t see very often (and one that often goes undetected by other security tools),” warned Aedan Russell from Red Canary’s Detection Engineering team in a blog post.

“If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions,” he wrote.

THE INFECTION PROCESS

ChromeLoader lurks in bogus files that are promoted on Twitter and through other services, or found on rogue and torrent sites offering pirated video games and other media for free download, researchers said.

“Some social media posts promote supposedly cracked Android games via QR codes which direct would-be gamers to rogue websites,” Boyd explained.

Double-clicking the ISO file mounts it as a virtual CD-ROM, with the ISO’s executable claiming to be the content that the victim originally was looking for, he wrote.

“Within this ISO is an executable used to install ChromeLoader, along with what appears to be a .NET wrapper for the Windows Task Scheduler,” according to Red Canary’s Russell. “This is how ChromeLoader maintains its persistence on the victim’s machine later in the intrusion chain.”

Once installed, ChromeLoader uses a PowerShell command to load a Chrome extension from a remote resource. PowerShell then removes the scheduled task so the victim has no idea that their browser has been compromised, Boyd said. “At this point, search results cannot be trusted and bogus entries will be displayed to the user,” he wrote.

ChromeLoader uses the same bait—pirated videos or cracked games—to lure macOS users, but the infection process is a bit different, Russell explained. On macOS machines, instead of a portable executable file, ChromeLoader uses a DMG file that contains an installer script that can drop payloads for either Chrome or Safari.

“When executed by the end user, the installer script then initiates cURL to retrieve a ZIP file containing the malicious browser extension and unzips it within the private/var/tmp directory, finally executing Chrome with command-line options to load the malicious extension,” he wrote.

MITIGATION AND DETECTION

Researchers offered mitigation advice as well as both user- and administrator-level ways to detect whether a system has been infected with ChromeLoader.

One obvious tip is to avoid downloading pirated software or videos, which Boyd warned “is a very risky business,” not to mention illegal. “If you’re downloading a torrent, you may well be rolling dice with regard to the digital health of your devices,” he wrote.

Users also can click on the “More” icon, then “More Tools -> Extensions” from the drop-down list in Chrome to see everything that’s installed, active or disabled, along with additional information about all extensions present. From there, if anything looks dodgy, Google offers steps to reset browser settings or clean things up, he said.

Red Canary offered more advanced detection tactics based on ChromeLoader’s use of PowerShell to find out whether a browser has been infected. One is to search for PowerShell containing a shortened version of the encodedCommand flag in its command line, which can find the execution of encoded PowerShell commands. Another is to look for instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes appdata\local as a parameter.

On macOS, security administrators can search for sh or bash scripts running with command lines associated with the macOS variant of ChromeLoader, as well as for the execution of encoded sh, bash, or zsh commands on macOS endpoints, to determine whether a browser has been infected.

Categories: Vulnerabilities, Web Security