Distribution of novel ChromeLoader variant facilitated by pirated content-hosting sites

Malicious websites hosting pirated movies, music, or video games have been used since March to distribute a new variant of the ChromeLoader browser hijacker dubbed "Shampoo," BleepingComputer reports. Obtaining free copyrighted content from the sites results in the download of VBScripts that facilitate the execution of PowerShell scripts and the retrieval of the Shampoo Chrome extension, which has ad injection and search query redirection capabilities, a report from HP Wolf Security revealed. Once installed, the extension blocks access to the Chrome extensions screen, according to researchers. "Removing ChromeLoader Shampoo is not as simple as uninstalling a legitimate extension. The malware relies on looping scripts and a Windows scheduled task to reinstall the extension whenever the victim removes it or reboots their device," said researchers, who recommended removing scheduled tasks with "chrome_" prefixes and the "HKCU\Software\Mirage Utilities" registry key before rebooting the system in order to remove the malicious extension.
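
One way to carry out the cleanup the researchers recommend, as an added PowerShell example (not code from HP Wolf Security or the article): it reports scheduled tasks with the `chrome_` prefix and the `HKCU\Software\Mirage Utilities` key, and deletes them only when run with `-Remove`. The `-Remove` switch and the variable names are choices made for this example.

```powershell
# Added example: report-only by default; pass -Remove to delete what was found.
# Run in the affected user's session, because the key lives in that user's HKCU hive.
[CmdletBinding()]
param(
    [switch]$Remove    # hypothetical switch name chosen for this example
)

$TaskPattern = 'chrome_*'                          # task-name prefix named in the article
$RegKey      = 'HKCU:\Software\Mirage Utilities'   # registry key named in the article

# 1. Scheduled tasks matching the prefix, with the command line each one runs,
#    so the analyst can confirm what they launch before anything is deleted.
$tasks = @(Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskPattern })
$report = foreach ($t in $tasks) {
    $cmd = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    [pscustomobject]@{
        Task    = "$($t.TaskPath)$($t.TaskName)"
        State   = $t.State
        Command = $cmd
    }
}
$report | Format-List

# 2. Presence of the registry key.
$keyPresent = Test-Path -LiteralPath $RegKey
Write-Output ("Matching tasks: {0}; registry key present: {1}" -f $tasks.Count, $keyPresent)

if (-not $Remove) {
    Write-Output 'Report only. Review the commands above, then re-run with -Remove.'
    return
}

# 3. Removal: tasks first, then the key, then reboot as the researchers advise.
foreach ($t in $tasks) {
    Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
    Write-Output "Removed task $($t.TaskPath)$($t.TaskName)"
}
if ($keyPresent) {
    Remove-Item -LiteralPath $RegKey -Recurse -Force
    Write-Output "Removed $RegKey"
}

# 4. Verify nothing was re-created by a still-running script before rebooting.
$left = @(Get-ScheduledTask | Where-Object { $_.TaskName -like $TaskPattern }).Count
Write-Output ("Remaining tasks: {0}; key present: {1}" -f $left, (Test-Path -LiteralPath $RegKey))
```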
