ChromeLoader Malware

Security analysts report a resurgence in ChromeLoader activity. The browser hijacker dubbed ChromeLoader has been active since January 2022, affecting both Windows and macOS users, Safari users included. Its operators spread it via ISO files that claim to offer pirated software, usually games. What the victim actually gets is a stealthy browser extension. Once the browser is compromised, the results it returns from search engines can no longer be trusted: the victim is fed unsolicited marketing schemes such as bogus "sure-fire lotteries", promotion campaigns for software and dating platforms, and adult content.

The adversaries behind ChromeLoader profit from an affiliate-marketing scheme, redirecting their victims' traffic to the websites that serve the unsolicited content described above.

Detect ChromeLoader Malware

For efficient ChromeLoader malware detection, use the Sigma rules below, developed by Sohan G, a member of the SOC Prime Threat Bounty Program, to track the relevant suspicious activity on both Windows and macOS in a timely manner:

Suspicious ChromeLoader Execution by Loading of Extension with PowerShell (via cmdline)
Suspicious ChromeLoader Execution by Loading of Extension with sh or bash (via cmdline)

The detections are available for 23 SIEM, EDR & XDR platforms and are aligned with MITRE ATT&CK® framework v10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) as the primary technique, specifically its PowerShell (T1059.001) and Unix Shell (T1059.004) sub-techniques.
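Both rules key on the same observable: a browser extension being loaded from the command line by a scripting interpreter. The following hunting script is an added example, not the SOC Prime rule content or the malware's own code. It assumes the extension is sideloaded through Chrome's documented --load-extension switch (the page does not name the switch), it also decodes PowerShell -EncodedCommand arguments (an addition any command-line-based PowerShell detection needs, though the page does not discuss it), and the event schema, hostnames, paths and sample events are all constructed for illustration.

```python
"""Hunt process-creation events for a Chrome extension loaded via PowerShell
(ATT&CK T1059.001) or via sh/bash (T1059.004), mirroring the logic implied
by the two Sigma rule titles above. Added example; event schema and sample
telemetry are constructed, not real ChromeLoader artefacts."""
import base64
import re
from typing import Optional

# Chromium switch that sideloads an unpacked extension directory.
EXT_FLAG = re.compile(r"--load-extension(?:=|\s)", re.IGNORECASE)

WINDOWS_SHELLS = {"powershell.exe", "pwsh.exe"}
UNIX_SHELLS = {"sh", "bash", "zsh"}


def _basename(path: str) -> str:
    """Last path component, case-folded, for either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def expand_encoded_command(cmdline: str) -> str:
    """Append the decoded payload of a PowerShell -EncodedCommand, if any.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...) followed by base64 of a UTF-16LE string; -ExecutionPolicy is
    not such a prefix and is skipped. The decoded text is appended so that
    later pattern checks see both the raw and the decoded form.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        t = tok.lower()
        if len(t) >= 2 and t.startswith("-e") and "-encodedcommand".startswith(t):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return f"{cmdline} [decoded: {raw.decode('utf-16-le')}]"
            except (ValueError, UnicodeDecodeError):
                return cmdline
    return cmdline


def classify(event: dict) -> Optional[str]:
    """Label one process-creation event, or return None.

    Expected keys: host, image, parent_image, cmdline (roughly the Sysmon
    Event ID 1 / EDR fields a Sigma rule would be mapped onto).
    """
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmdline = expand_encoded_command(event["cmdline"])
    if not EXT_FLAG.search(cmdline):
        return None
    # Either the interpreter's own command line carries the flag, or the
    # interpreter spawned the browser with it (parent pivot).
    if image in WINDOWS_SHELLS or parent in WINDOWS_SHELLS:
        return "ChromeLoader: extension loaded via PowerShell (T1059.001)"
    if image in UNIX_SHELLS or parent in UNIX_SHELLS:
        return "ChromeLoader: extension loaded via sh/bash (T1059.004)"
    # A browser started from Explorer or an IDE with --load-extension is how
    # developers test unpacked extensions; pivoting on the scripting
    # interpreter is what keeps that noise out of the rule.
    return None


def hunt(events) -> list:
    """Run classify() over a batch of events; return [(host, label), ...]."""
    return [(ev["host"], classify(ev)) for ev in events if classify(ev)]


def _ps_encode(script: str) -> str:
    """Base64 in the form powershell -EncodedCommand expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry; hosts, paths and commands are invented.
SAMPLE_EVENTS = [
    {   # hidden PowerShell launching Chrome with a sideloaded extension
        "host": "WIN-01",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": "powershell.exe -WindowStyle Hidden -enc " + _ps_encode(
            r'Start-Process chrome.exe -ArgumentList "--load-extension=C:\Users\victim\AppData\Local\Temp\ext"'),
    },
    {   # the resulting child process, caught via the parent pivot
        "host": "WIN-01",
        "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=C:\Users\victim\AppData\Local\Temp\ext',
    },
    {   # macOS variant: a shell re-opens Chrome with the extension directory
        "host": "mac-02",
        "parent_image": "/sbin/launchd",
        "image": "/bin/bash",
        "cmdline": "/bin/bash -c 'open -a \"Google Chrome\" --args --load-extension=/Users/victim/Library/ext'",
    },
    {   # benign: developer testing an unpacked extension from Explorer
        "host": "DEV-03",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "cmdline": r"chrome.exe --load-extension=C:\src\my-extension",
    },
    {   # benign: ordinary admin PowerShell, no extension flag
        "host": "WIN-01",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    },
]

if __name__ == "__main__":
    for host, label in hunt(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

Running the script reports the three ChromeLoader-style events and stays quiet on the developer's unpacked extension and the routine admin script. When mapping this back onto a real Sigma rule, note the parent-process pivot: a rule that only inspects the interpreter's own command line misses the case where PowerShell spawns chrome.exe and the flag shows up on the child.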

Get the edge over adversaries with thoroughly crafted detection content. Hit the View Detections button to discover new detection algorithms addressing the latest threats. Skilled threat hunters experienced with developing new and enhancing existing detection content would make a great asset to the Threat Bounty Program. Try it yourself to get support from the industry visionaries and get recurring rewards for your input. Get the most out of threat hunting with SOC Prime!


ChromeLoader Malware Analysis

ChromeLoader distribution was first detected in January 2022. Red Canary and G-Data have both researched the campaign and shared their insights; G-Data tracks the same malware under the name Choziosi loader. According to their findings, ChromeLoader is distributed through a malvertising campaign run on social media platforms. Threat actors spread a weaponized ISO archive file that usually poses as a cracked game, movie, or program now available for free. On Twitter, for example, adversaries post memes containing scannable QR codes that lead to a site hosting ChromeLoader.

Once the user double-clicks the downloaded ISO file, Pandora's box is open. The executable inside runs a PowerShell command that fetches a Chrome extension, which then leeches off the browser undetected. The victim also receives a .NET wrapper around the Windows Task Scheduler that maintains the malware's persistence in the compromised environment. As a browser hijacker, ChromeLoader tampers with browser settings so that the victim's search queries to Google, Yahoo, and Bing are altered and the search engines' traffic is redirected to unsolicited advertising sites.

If you are looking for time-tested approaches to fending off damage caused by hackers and augmenting your company’s security ecosystem, opt for solutions offered by security leaders at SOC Prime. Drive better and timely detection and increase the efficiency of your SOC operations with our tried-and-true detection solutions.
