Information-stealing malware known as ChromeLoader has been found to have evolved in a relatively short period of time, as evidenced by the discovery of new variants of the malware by researchers in the field of cybersecurity.
ChromeLoader was discovered in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter and free gaming sites. Its primary purpose is to take over the browser searches of victims in order to display advertisements.
The larger cybersecurity community refers to ChromeLoader under the codenames Choziosi Loader and ChromeBack. ChromeLoader also goes by the name ChromeBack. The fact that the adware is constructed in the form of a browser extension, as opposed to a Windows executable file (.exe) or a Dynamic Link Library, is what makes it noteworthy (.dll).
Malvertising campaigns on pay-per-install websites and social media are typically used to trick unsuspecting users into downloading cracked video games or movie torrents. This is how the infections typically spread from computer to computer.
It is designed to capture users' search engine queries on Google, Yahoo, and Bing, effectively allowing the threat actors to harvest their online behavior. In addition to requesting invasive permissions to access browser data and manipulate web requests, it is also designed to capture users' search engine queries.
A macOS version of the ChromeLoader malware was discovered in March, whereas the first Windows variant of the malware was discovered in January. Both versions of the malware are designed to distribute a malicious Chrome extension (version 6.0) by way of questionable disk image files (DMG).
A new investigation carried out by Palo Alto Networks Unit 42 has revealed that the malware was used in an attack for the very first time in December 2021. This attack utilized an AutoHotKey-compiled executable in place of the ISO files that were later observed.
According to the researcher Nadav Barak of Unit 42, "This malware was an executable file written using AutoHotKey (AHK), which is a framework used for scripting automation." He also mentioned that it was used to drop "version 1.0" of the browser add-on.
It is also believed that this first version did not include any obfuscation capabilities. Obfuscation is a feature that has been added to subsequent versions of the malware in order to conceal both its intended purpose and its malicious code.
Also observed since March 2022 is a previously undocumented campaign that uses the 6.0 version of the Chrome extension and relies on an ISO image that contains a seemingly harmless Windows shortcut, but in reality acts as a conduit to launch a hidden file in the mounted image that deploys the malware. This campaign uses the Chrome extension to spread the infection.
"This malware demonstrates how determined cybercriminals and authors of malware can be: In a short time period, the authors of ChromeLoader released multiple different code versions, used multiple different programming frameworks, enhanced features, advanced obfuscators, fixed issues, and even added cross-OS support targeting both Windows and macOS," said Barak. "This malware demonstrates how determined cybercriminals and authors of malware can be."
Post a Comment
Your suggestions and comments are welcome