ChromeLoader malware attacks are widespread, warn VMware and Microsoft.
VMware and Microsoft are warning of a persistent, widespread ChromeLoader malware campaign that has grown into a more serious threat, dropping malicious browser extensions, node-WebKit malware, and in some cases even ransomware.
Red Canary researchers first warned about the browser hijacker, used for affiliate marketing and advertising fraud, when ChromeLoader infections spiked in Q1 2022.
At the time, the malware installed a malicious Chrome extension that redirected user traffic to advertising sites to commit click fraud and earn money for the threat actors.
A few months later, Palo Alto Networks’ Unit 42 found that ChromeLoader was evolving into an info-stealer, attempting to steal data stored in browsers while still behaving as adware.
On Friday night, Microsoft warned of an “ongoing widespread click fraud activity” attributed to a threat actor tracked as DEV-0796, who uses ChromeLoader to infect victims with various malware.
Today, VMware analysts published a technical report describing the ChromeLoader variants used in August and this month, some of which drop far more potent payloads.
New versions dropping malware
ChromeLoader is distributed as ISO files through malicious advertising, browser redirects, and YouTube video comments.
ISO files have become a common malware delivery vehicle since Microsoft began blocking Office macros by default. Moreover, on Windows 10 and later, double-clicking an ISO mounts it as a virtual CD-ROM under a new drive letter, which makes ISOs an efficient way to deliver several malware files at once.
ChromeLoader ISOs typically contain four files, among them an icon file, a batch file (commonly named Resources.bat) that installs the malware, and a Windows shortcut that launches the batch file.
For its research, VMware examined at least ten ChromeLoader variants seen since the start of the year, the most interesting of which emerged after August.
The first is a program posing as OpenSubtitles, a tool that helps users find subtitles for films and TV shows. In this campaign, the threat actors replaced their usual “Resources.bat” with a file named “properties.bat”, which installs the malware and establishes persistence by adding Registry keys.
Another notable example is “Flbmusic.exe”, which poses as the FLB Music player and bundles an Electron runtime that lets the malware load additional modules for network communication and listening on ports.
Some variants took a more destructive turn, dropping ZipBombs that overwhelm the system with an enormous unpacking process.
“ZipBombs have been observed being dropped onto compromised systems as recently as late August. When a user downloads an archive, the ZipBomb is also dropped along with the first infection. The ZipBomb cannot be launched unless the user double-clicks. Once activated, the virus overwhelms the user’s system with data, causing it to crash,” explains the report from VMware.
Even more worrying, recent ChromeLoader variants have been observed deploying the Enigma ransomware to encrypt victims’ files.
After encrypting the files, the ransomware appends the “.enigma” extension to their names and drops a “readme.txt” file with instructions for the victims.
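As an added illustration (not code from VMware’s or Microsoft’s reports), the following Python script runs two simple detections over a constructed, Sysmon-style event sample: a batch file executed from a non-system drive shortly after an ISO landed in the user profile (the ISO-mounting delivery chain and the Resources.bat/properties.bat droppers described above), and a burst of file renames to the “.enigma” extension alongside a readme.txt drop. The event field names, the timestamps, the OpenSubtitles-Setup.iso filename and the 120-second and 60-second windows are all assumptions made for the example.

```python
"""Toy detections for the ChromeLoader behaviours described above.

Runs over a constructed, Sysmon-like event sample; field names and
timestamps are assumptions for the example, not real telemetry.
"""
import re
from datetime import datetime

ISO_WINDOW_SECONDS = 120        # a .bat run this soon after an .iso appeared is suspect (assumed)
ENIGMA_BURST_THRESHOLD = 3      # renames to .enigma within ENIGMA_WINDOW_SECONDS (assumed)
ENIGMA_WINDOW_SECONDS = 60
KNOWN_DROPPER_NAMES = {"resources.bat", "properties.bat"}   # names cited in the VMware report

# Matches a drive-letter path to a .bat file inside a command line.
BAT_PATH_RE = re.compile(r'([a-z]):\\([^"\s]*?\.bat)', re.IGNORECASE)

# Constructed sample events (not from a real host). "file_create" ~ Sysmon EID 11,
# "process_create" ~ Sysmon EID 1, "file_rename" ~ a rename/new-name event.
SAMPLE_EVENTS = [
    {"ts": "2022-09-16T10:00:00", "type": "file_create",
     "path": r"C:\Users\alice\Downloads\OpenSubtitles-Setup.iso"},   # filename assumed
    {"ts": "2022-09-16T10:00:21", "type": "process_create",
     "cmdline": r'cmd.exe /c "E:\properties.bat"', "parent": r"C:\Windows\explorer.exe"},
    # Benign: an admin running a batch file from the system drive.
    {"ts": "2022-09-16T10:05:00", "type": "process_create",
     "cmdline": r'cmd.exe /c "C:\Scripts\backup.bat"', "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2022-09-16T10:30:00", "type": "file_rename", "path": r"C:\Users\alice\Documents\budget.xlsx.enigma"},
    {"ts": "2022-09-16T10:30:01", "type": "file_rename", "path": r"C:\Users\alice\Documents\notes.docx.enigma"},
    {"ts": "2022-09-16T10:30:02", "type": "file_rename", "path": r"C:\Users\alice\Pictures\holiday.jpg.enigma"},
    {"ts": "2022-09-16T10:30:03", "type": "file_rename", "path": r"C:\Users\alice\Pictures\cat.png.enigma"},
    {"ts": "2022-09-16T10:30:05", "type": "file_create", "path": r"C:\Users\alice\Documents\readme.txt"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def detect_iso_batch(events, system_drive="C", window=ISO_WINDOW_SECONDS):
    """Flag a .bat executed from a non-system drive shortly after an .iso was written.

    On Windows 10+ a double-clicked ISO mounts under a new drive letter, so the
    dropper's batch file runs from that letter rather than from C:.
    """
    iso_times = [parse_ts(e["ts"]) for e in events
                 if e["type"] == "file_create" and e["path"].lower().endswith(".iso")]
    alerts = []
    for e in events:
        if e["type"] != "process_create":
            continue
        m = BAT_PATH_RE.search(e["cmdline"])
        if not m or m.group(1).upper() == system_drive.upper():
            continue
        t = parse_ts(e["ts"])
        if not any(0 <= (t - it).total_seconds() <= window for it in iso_times):
            continue
        name = m.group(2).rsplit("\\", 1)[-1].lower()
        alerts.append({"rule": "batch_from_mounted_iso", "ts": e["ts"],
                       "batch": m.group(1).upper() + ":\\" + m.group(2),
                       "known_dropper_name": name in KNOWN_DROPPER_NAMES,
                       "parent": e["parent"]})
    return alerts


def detect_enigma_burst(events, threshold=ENIGMA_BURST_THRESHOLD, window=ENIGMA_WINDOW_SECONDS):
    """Flag a burst of renames to the .enigma extension; note whether a readme.txt was dropped."""
    renames = sorted(parse_ts(e["ts"]) for e in events
                     if e["type"] == "file_rename" and e["path"].lower().endswith(".enigma"))
    note_seen = any(e["type"] == "file_create" and e["path"].lower().endswith("\\readme.txt")
                    for e in events)
    alerts, i = [], 0
    while i < len(renames):
        j = i
        while j + 1 < len(renames) and (renames[j + 1] - renames[i]).total_seconds() <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            alerts.append({"rule": "enigma_rename_burst", "start": renames[i].isoformat(),
                           "count": count, "ransom_note_seen": note_seen})
            i = j + 1
        else:
            i += 1
    return alerts


def run(events):
    return detect_iso_batch(events) + detect_enigma_burst(events)


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints one alert per rule for the sample: the batch file launched from E:\ by explorer.exe (the shortcut-to-batch chain) within 21 seconds of the ISO download, and a burst of four .enigma renames with a ransom note present. In real telemetry the drive-letter heuristic should be tightened by confirming that the letter belongs to a mounted virtual CD-ROM, and the burst threshold tuned to the host's normal rename volume.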
Adware should not be ignored.
Analysts typically dismiss or downplay adware because it does little harm to victims’ systems beyond consuming some bandwidth.
However, any malware that slips onto a system undetected is a foothold for bigger problems, since its developers can push updates that enable more aggressive monetization.
ChromeLoader began as adware, but it is a prime example of how threat actors experiment with increasingly powerful payloads and look for more lucrative alternatives to advertising fraud.