Malware has been discovered that installs a malicious extension in the victim's browser. The malware is called ChromeLoader. Two variants of ChromeLoader have been detected so far: one aimed at Windows and one at macOS.
The malware spreads as an ISO file posing as, for example, a torrent or a "cracked" game. It is distributed through social media channels such as Twitter, in the form of QR codes, and alongside pirated movies, games, and fake cracks for paid software. ChromeLoader hijacks the browser, modifies its settings, and redirects search queries, filling result pages with ads that may lead to deceptive or malicious pages and other unwanted programs.
Once downloaded and opened, the ISO file is mounted as a virtual disk on the victim's computer. An executable inside the ISO installs ChromeLoader. A PowerShell script then creates a scheduled task called "ChromeTask" (the name may vary) that runs every ten minutes. The same PowerShell script downloads the malicious Google Chrome extension as 'archive.zip'. Some users have reported that Chrome keeps closing itself, a side effect of this task.
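The persistence described above (a scheduled task that re-runs a PowerShell loader every ten minutes and sideloads an extension) leaves traces that are easy to hunt for on a Windows host. The script below is an added example for that triage, not code from the article, Red Canary or G DATA. It assumes Chrome is installed and that it is run from an elevated PowerShell so tasks of all users are visible; the task name and ten-minute interval come from the article, while the 15-minute threshold, the `--load-extension` check and the evasion-flag pattern are defensive assumptions of this example.

```powershell
# Added example, not from the original post, Red Canary or G DATA.
# Triage for ChromeLoader-style persistence. Assumes Windows 8+/Server 2012+ (ScheduledTasks
# module), Chrome installed, elevated shell. Thresholds and patterns are this example's assumptions.

Set-StrictMode -Off   # task objects may lack Repetition/Arguments; tolerate $null members

$maxRepeat = [TimeSpan]::FromMinutes(15)   # assumption: anything repeating this often is worth a look

# 1. Scheduled tasks that launch PowerShell and repeat at a short interval.
#    Match on behaviour, not only the name: the article notes "ChromeTask" may vary.
$suspectTasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in @($task.Actions)) {
        $exe    = [string]$action.Execute
        $argStr = [string]$action.Arguments
        if (($exe + ' ' + $argStr) -notmatch 'powershell|pwsh') { continue }

        # Flags typical of loaders: hidden window, no profile, encoded command, download-and-execute
        $evasive = $argStr -match '-w(indowstyle)?\s+hidden|-nop\b|-e(c|nc|ncodedcommand)?\s|\biex\b|Invoke-Expression|DownloadString|DownloadFile'

        # Shortest repetition interval across all triggers (ISO 8601 duration, e.g. "PT10M")
        $shortest = $null
        foreach ($trigger in @($task.Triggers)) {
            $iso = $trigger.Repetition.Interval
            if ($iso) {
                $span = [System.Xml.XmlConvert]::ToTimeSpan($iso)
                if ((-not $shortest) -or ($span -lt $shortest)) { $shortest = $span }
            }
        }
        $shortRepeat = ($null -ne $shortest) -and ($shortest -le $maxRepeat)

        if ($shortRepeat -or $evasive -or ($task.TaskName -eq 'ChromeTask')) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Repeat    = if ($shortest) { $shortest.ToString() } else { 'none' }
                Evasive   = [bool]$evasive
                Execute   = $exe
                Arguments = $argStr
            }
        }
    }
}

# 2. Running chrome.exe instances forced to load an unpacked extension from disk.
#    --load-extension bypasses the Web Store; a user-started Chrome rarely carries it.
$sideloaded = Get-CimInstance Win32_Process -Filter "Name = 'chrome.exe'" |
    Where-Object { $_.CommandLine -match '--load-extension=' } |
    ForEach-Object {
        $path = if ($_.CommandLine -match '--load-extension=("[^"]+"|\S+)') { $Matches[1].Trim('"') } else { '?' }
        [pscustomobject]@{ ProcessId = $_.ProcessId; ParentProcessId = $_.ParentProcessId; ExtensionPath = $path }
    }

# 3. Inventory of extensions in every Chrome profile of the current user, for manual review
#    (Extensions\<id>\<version>\manifest.json). Repeat per user profile on shared machines.
$profileRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
$extensions = Get-ChildItem -Path (Join-Path $profileRoot '*\Extensions\*\*\manifest.json') -ErrorAction SilentlyContinue |
    ForEach-Object {
        $m = Get-Content -Raw -LiteralPath $_.FullName | ConvertFrom-Json
        [pscustomobject]@{
            Profile     = $_.FullName.Substring($profileRoot.Length + 1).Split('\')[0]
            ExtensionId = $_.Directory.Parent.Name
            Version     = $_.Directory.Name
            Name        = $m.name
            Permissions = (@($m.permissions) -join ', ')
        }
    }

'== Suspicious scheduled tasks ==';                  $suspectTasks | Format-Table -AutoSize
'== chrome.exe started with --load-extension ==';    $sideloaded   | Format-Table -AutoSize
'== Installed Chrome extensions (current user) ==';  $extensions   | Format-Table -AutoSize
```

A hit in the first table combined with a `--load-extension` path pointing outside the Chrome profile directory is the pattern to expect; treat the task name itself as weak evidence, since the article notes it varies.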
PowerShell script (image via Red Canary)
Researchers at G DATA wrote a blog post about ChromeLoader back in February. The company named the malware Choziosi Loader and also described the use of the PowerShell script. Malware researcher Colin Cowie wrote about the macOS variant in April.
See the Google Chrome support page for how to manage and, if necessary, remove extensions. Apple's support page has the equivalent instructions.
Sources: The Register, BleepingComputer, Red Canary