While ChromeLoader was initially thought of as a credential-stealing browser hijacker, researchers have found that its newest variants deliver more damaging malware and are being used for other nefarious purposes.
In a Monday blog post, VMware researchers reported that as recently as late August, ZipBombs have been dropped onto infected systems. The ZipBomb is dropped with the initial infection, inside the archive the user downloads, and the user must double-click it for it to run. The researchers said that once run, the malware destroys the user’s system by overloading it with data.
The VMware researchers first observed the Windows variants of ChromeLoader in the wild in January 2022 and the macOS version in March 2022. The researchers said there are several known variants of ChromeLoader, including ChromeBack and Choziosi Loader. Unit 42 researchers found evidence of The Real First Windows Variant, which used the AutoHotKey (AHK) tool to compile a malicious executable and drop version 1.0 of the malware.
Although this sort of malware is created with the intent of feeding adware to the user, the researchers also pointed out that ChromeLoader, a browser hijacker that manifests itself as a browser extension, increases the attack surface of an infected system, which can eventually lead to far more devastating attacks, such as ransomware.
Browser extensions are a tried-and-true method of attack, as compromising a user's browser can be leveraged by attackers in several ways, as evidenced by ChromeLoader's capabilities, said Ryan Kennedy, cybersecurity consultant at nVisium.
Kennedy said the malware campaign is still ongoing and continues to present a threat beyond injecting ads into a user's browser. Attackers can leverage it to steal credentials, obtain users' browser history, and potentially take down their system.
“Security teams can protect their users by auditing what software users download, and managing users' browsers,” Kennedy said. “Ideally, users should be prevented from downloading untrusted browser extensions, especially those which request access to users' browsing history or other sensitive data in the browser.”
Timothy Morris, technology strategist at Tanium, added that browsers have become “endpoints” in their own right. As such, Morris said browser extensions are popular among malware developers.
“Users should inspect what extensions are in place and remove those that are not recognized or not used,” Morris said. “Only use those that are absolutely necessary and are trusted. As with all endpoints, make sure your security controls are present and working. Keep browsers up-to-date by patching as quickly as possible once available.”
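The advice from Kennedy and Morris above amounts to two checks: know which extensions are installed, and look hard at any that ask for browsing history or broad page access. The script below is an added example of that audit and is not code from the article or from VMware, nVisium or Tanium. It walks a Chrome profile's Extensions tree (Chrome stores each extension as `<profile>/Extensions/<id>/<version>/manifest.json`), reads each manifest and flags extensions that are either not on an allowlist or request permissions that expose history or page content. The allowlist, the set of permissions treated as sensitive and the two sample extensions are constructed for the example.

```python
"""Audit the extensions installed in a Chrome profile directory.

Chrome stores each extension under
<profile>/Extensions/<extension id>/<version>/manifest.json. This script
walks that tree, reads each manifest and flags extensions that are either
not on an approved list or request permissions that expose browsing
history or page content.
"""
import json
import tempfile
from pathlib import Path

# Manifest permissions treated as sensitive here. The choice is an
# illustrative one for this example, not an official Chrome classification.
SENSITIVE_PERMISSIONS = {
    "history", "tabs", "cookies", "webRequest", "webNavigation", "<all_urls>",
}

# Hypothetical allowlist of extension IDs a security team has approved.
# Real Chrome extension IDs are 32 lowercase letters in the range a-p.
APPROVED_IDS = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def audit_manifest(ext_id, manifest):
    """Summarise one manifest and decide whether it needs human review."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))  # Manifest V3 hosts
    sensitive = sorted(requested & SENSITIVE_PERMISSIONS)
    approved = ext_id in APPROVED_IDS
    return {
        "id": ext_id,
        # Names may be localisation keys such as "__MSG_appName__".
        "name": manifest.get("name", "<unnamed>"),
        "version": manifest.get("version", "?"),
        "sensitive_permissions": sensitive,
        "approved": approved,
        # Review anything unapproved, and anything approved that still
        # touches history or page content.
        "flag": (not approved) or bool(sensitive),
    }


def audit_extensions_dir(extensions_dir):
    """Return an audit record for every manifest under extensions_dir."""
    records = []
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            with manifest_path.open(encoding="utf-8") as fh:
                records.append(audit_manifest(ext_dir.name, json.load(fh)))
    return records


def write_sample_profile(root):
    """Create a constructed Extensions tree containing two fake extensions."""
    samples = {
        # Approved, low-privilege extension.
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "name": "Approved Notes", "version": "1.2.0",
            "manifest_version": 3, "permissions": ["storage"],
        },
        # Unknown extension asking for history and every site: the kind of
        # request the advice above says to treat with suspicion.
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "name": "Free Video Player", "version": "0.9",
            "manifest_version": 3, "permissions": ["history", "tabs"],
            "host_permissions": ["<all_urls>"],
        },
    }
    for ext_id, manifest in samples.items():
        # Chrome names version directories like "1.2.0_0".
        version_dir = Path(root) / ext_id / f"{manifest['version']}_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")


def run_demo():
    """Build the sample profile in a temp dir, audit it, return records by ID."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_profile(tmp)
        return {rec["id"]: rec for rec in audit_extensions_dir(tmp)}


if __name__ == "__main__":
    for rec in run_demo().values():
        status = "REVIEW" if rec["flag"] else "ok"
        print(f"{status:6} {rec['id']} {rec['name']} v{rec['version']} "
              f"sensitive={rec['sensitive_permissions']}")
```

To run it against a real profile, point `audit_extensions_dir` at the Extensions folder of the user's Chrome profile instead of the constructed one; on Windows that is under `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions`. Treat the flag as a prompt for review, not a verdict: a legitimate extension may need `tabs`, and an extension that reaches its code through a loaded script rather than declared permissions will not show up here, which is why the allowlist check matters as much as the permission check.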