A malvertising threat has seen a new rise in activity since its discovery earlier this year. In a new report, Aedan Russell of Red Canary described the malware as a “pervasive and persistent browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites.”
ChromeLoader is a malicious Chrome browser plugin generally delivered as ISO files through pay-per-install sites and baited social media posts that promote QR codes for cracked pirated movies and video games.
While its main function is to hijack user search queries to Google, Bing, and Yahoo and route the traffic to advertising sites, it is also notable for using PowerShell to inject itself into the browser and get the extension installed. The malware, also known as Choziosi Loader, was initially discovered in February by G DATA.
“For now the only purpose is getting revenue via unsolicited advertisements and search engine hijacking,” G DATA’s Karsten Hahn stated. “But loaders often do not stick to one payload in the long run and malware authors improve their projects over time.”
ChromeLoader also has the ability to redirect victims away from the Chrome extensions page (chrome://extensions) if they try to uninstall the add-on. Researchers have also discovered a macOS variant of ChromeLoader that works with both Chrome and Safari browsers, making it a cross-platform threat.
According to Russell, if this PowerShell technique were applied to a higher-impact threat, such as a credential harvester or spyware, it could let the malware gain an early foothold and operate unnoticed before carrying out more overtly malicious activity, such as exfiltrating data from a user’s browser sessions.
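The PowerShell-driven extension install described above is the kind of behaviour a detection engineer would hunt for in process-creation telemetry. The following is an added illustration written for this page; it is not code from the article, from Red Canary, or from G DATA. It assumes a simple pipe-delimited process-creation record (timestamp, parent image, image, command line) and that the unpacked extension is sideloaded through Chromium's real `--load-extension` command-line switch; the article itself does not name that switch, so treating it as the loading mechanism is an assumption of the example. The log lines are constructed, not real telemetry.

```python
"""Flag a browser started with an unpacked extension, scored higher when the
parent is a script host (PowerShell etc.) and the extension lives in a
user-writable directory. Defensive detection logic only."""
import re
from dataclasses import dataclass

# Chromium switch for loading an unpacked extension; its use by ChromeLoader
# is an assumption of this example, not a claim made by the article.
LOAD_EXT_RE = re.compile(r'--load-extension=(?P<path>"[^"]+"|\S+)', re.IGNORECASE)

BROWSERS = {"chrome.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass
class ProcEvent:
    ts: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str):
    """Parse 'ts|parent_image|image|command_line'; return None on malformed input."""
    parts = line.split("|", 3)
    if len(parts) != 4:
        return None
    return ProcEvent(*[p.strip() for p in parts])


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent):
    """Return an alert dict if the event matches the sideload pattern, else None."""
    if basename(ev.image) not in BROWSERS:
        return None
    m = LOAD_EXT_RE.search(ev.command_line)
    if not m:
        return None
    ext_path = m.group("path").strip('"')
    reasons = ["browser started with --load-extension"]
    if basename(ev.parent_image) in SCRIPT_HOSTS:
        reasons.append(f"parent is script host {basename(ev.parent_image)}")
    if any(tok in ext_path.lower() for tok in USER_WRITABLE):
        reasons.append("extension loaded from user-writable path")
    return {
        "ts": ev.ts,
        "extension_path": ext_path,
        "reasons": reasons,
        # One reason alone (e.g. a developer testing an extension) is only medium.
        "severity": "high" if len(reasons) >= 3 else "medium",
    }


def scan(lines):
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        hit = score_event(ev)
        if hit:
            alerts.append(hit)
    return alerts


# Constructed sample records (hypothetical hosts, users and paths).
SAMPLE_LOG = [
    r'2022-05-25T10:01:12Z|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Local\Temp\ext_1234" --no-first-run',
    r'2022-05-25T10:02:40Z|C:\Windows\explorer.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|"C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'2022-05-25T10:05:03Z|C:\Windows\explorer.exe|C:\Program Files\Google\Chrome\Application\chrome.exe|chrome.exe --load-extension=C:\dev\myext',
    "malformed record without enough fields",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ts"], alert["severity"], alert["extension_path"], "; ".join(alert["reasons"]))
```

Run stand-alone it prints two alerts: the PowerShell-spawned browser loading an extension from a Temp directory scores high, while the developer-style `--load-extension` from Explorer scores medium, which is the triage split a SOC would want rather than treating every unpacked extension as hostile.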