A new ChromeLoader malware campaign has been observed distributing the malware through virtual hard disk (VHD) files rather than the ISO optical disc image format used previously. First seen in January 2022 as a browser-hijacking credential thief, ChromeLoader (also known as Choziosi Loader or ChromeBack) has since developed into a more sophisticated, multifaceted threat capable of stealing sensitive data, deploying ransomware, and even delivering decompression bombs.
“These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games,” AhnLab Security Emergency response Center (ASEC) said in last week’s report.
The malware’s main objective is to hijack web browsers such as Google Chrome and modify their settings so that traffic is intercepted and redirected to questionable advertising websites. ChromeLoader has also become a tool for click fraud, using a browser extension to monetize clicks. The malware has gone through several iterations since it first appeared, several of which can run on both Windows and macOS. The switch to VHD files is a further sign that the campaign has been adjusted repeatedly over the past few months.
The infection chain shows that the primary targets are people looking for video game hacks and unlicensed software: they download the VHD files from dubious websites that appear in search results. Elden Ring, Mario Kart 8 Deluxe, Red Dead Redemption 2, Dark Souls III, Call of Duty, The Legend of Zelda: Breath of the Wild, Super Mario Odyssey, Need for Speed, Microsoft Office, and Adobe Photoshop are among the games and popular applications used as lures.
According to ASEC researchers, a user who downloads a VHD file this way can easily mistake the malicious file for a game-related application. Disguising malware as cracked software and game hacks is a technique used by many threat actors. Users are advised to avoid clicking suspicious links and to download software only from legitimate sources to reduce these risks.
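As an added defensive example (not code from ASEC's report), the following Python triage helper recognises VHD and VHDX images by their format signatures rather than by file extension, and flags those whose names combine one of the game or application titles listed above with crack/hack wording; the keyword lists and the sample downloads are constructed assumptions for this example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Microsoft's published formats: a VHD ends with a 512-byte footer whose cookie is
# "conectix"; a VHDX file begins with the 8-byte signature "vhdxfile".
VHD_COOKIE = b"conectix"
VHDX_SIGNATURE = b"vhdxfile"

# Lure vocabulary built from the titles named in the article; the keyword set is an assumption.
LURE_TITLES = ["elden ring", "mario kart", "red dead redemption", "dark souls", "call of duty",
               "zelda", "super mario odyssey", "need for speed", "microsoft office", "photoshop"]
LURE_WORDS = re.compile(r"\b(crack|cracked|hack|hacks|cheat|keygen|trainer)\b")


def is_disk_image(data: bytes) -> Optional[str]:
    """Return 'vhd', 'vhdx' or None by checking format signatures, not the extension."""
    if data[:8] == VHDX_SIGNATURE:
        return "vhdx"
    if len(data) >= 512 and data[-512:-504] == VHD_COOKIE:
        return "vhd"
    return None


def lure_score(filename: str) -> int:
    """Count lure titles plus crack/hack words in a filename (separators normalised to spaces)."""
    name = re.sub(r"[_\-.]+", " ", filename.lower())
    score = sum(1 for title in LURE_TITLES if title in name)
    if LURE_WORDS.search(name):
        score += 1
    return score


def triage(downloads: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str, int]]:
    """Flag downloads that are disk images AND carry a game-crack lure name."""
    flagged = []
    for filename, data in downloads:
        fmt = is_disk_image(data)
        score = lure_score(filename)
        if fmt and score >= 2:
            flagged.append((filename, fmt, score))
    return flagged


# Constructed sample downloads (filename, file bytes); not real samples from the campaign.
SAMPLE_DOWNLOADS = [
    ("Elden_Ring_Crack.vhd", b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504),
    ("Mario_Kart_8_Deluxe_Hack.iso", VHDX_SIGNATURE + b"\x00" * 1016),  # VHDX behind an .iso name
    ("quarterly_report.vhd", b"\x00" * 1024 + VHD_COOKIE + b"\x00" * 504),  # image, no lure name
    ("setup.exe", b"MZ" + b"\x00" * 1022),
]
```

Running `triage(SAMPLE_DOWNLOADS)` flags the first two entries only; the renamed VHDX is caught because the check reads the signature, not the extension.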