Since early February, Red Canary researchers have been tracking malware that infects victims' browsers and hijacks their browsing.
In recent days the malware appears to have become more active, and it poses a growing danger to all Chrome users.
The malware, known as ChromeLoader,
spreads in ISO files masquerading as cracked video games or pirated movies and TV shows.
One of the vectors of the infection is the posts on Twitter offering cracked Android games and asking users to scan a QR code to get them.
Anyone who scans the code
is redirected to a malicious site hosting the malicious ISO file.
Once the ISO is mounted, it exposes an executable that poses as a game crack
but is in fact an installer that adds ChromeLoader to Chrome as a browser extension.
Once installed, the extension modifies Chrome's settings, and whenever the user runs a search,
the results are redirected to sites pushing unwanted software, fake surveys, or adult content.
The malware's authors earn money from the ad revenue these redirects generate.
As the researchers at Red Canary note, this behavior is very common for malware of this type and is not generally considered very dangerous.
What sets ChromeLoader apart, however, is its use of PowerShell to inject itself into the browser and install the extension,
an unusual technique that, the researchers say, sometimes goes undetected by security software.
If the same technique were applied to a higher-impact threat, such as credential-stealing malware or spyware,
the PowerShell-based installation could give it initial access and let it remain undetected until it moves on to more damaging activity, such as extracting data from the user's browser sessions.
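The detection angle is the one a defender would want to pull out of this: a browser launched by PowerShell and told to load an unpacked extension from a user-writable folder is rare on a normal workstation. The script below is an added example, not code from Red Canary or from the article. It assumes Sysmon-style process-creation events flattened to dicts with `Image`, `ParentImage` and `CommandLine` fields, and it assumes the extension is side-loaded through Chrome's documented `--load-extension` switch; the article does not describe ChromeLoader's exact loader mechanics, so that switch, the browser list and the "user-writable directory" heuristic are all my assumptions. The sample events are constructed.

```python
"""
Added example (not from the Red Canary research or the article): a small detector
that scans process-creation records for the pattern described in the text,
PowerShell being used to push an extension into Chrome.

Assumptions (mine, not stated on the page):
- Events are Sysmon-style process-creation records flattened to dicts with the
  fields Image, ParentImage and CommandLine.
- The extension is side-loaded via Chrome's documented --load-extension switch.
- Extensions dropped by malware live under user-writable paths (AppData, Temp,
  ProgramData, Users\Public); a developer loading one from a source tree does not.
"""
import re
from typing import Iterable

# Chromium-based browsers and PowerShell hosts to watch (assumed lists)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Captures the value of --load-extension, quoted or not
LOAD_EXT_RE = re.compile(r'--load-extension=(?P<path>"[^"]+"|\S+)', re.IGNORECASE)
# User-writable locations where a malware-dropped unpacked extension would plausibly sit
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)


def basename(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: dict) -> list[str]:
    """Return the names of the rules this event triggers (empty list = nothing suspicious)."""
    hits: list[str] = []
    child = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    match = LOAD_EXT_RE.search(cmd)
    if child in BROWSERS and match:
        ext_path = match.group("path").strip('"')
        if parent in SCRIPT_HOSTS:
            # The behaviour the article singles out: PowerShell launching the browser with an extension
            hits.append("browser_sideload_from_powershell")
        if USER_WRITABLE_RE.search(ext_path):
            hits.append("extension_in_user_writable_dir")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Index and rule hits for every event that triggers at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := analyze(e))]


# Constructed sample events: one benign launch, one matching the described behaviour,
# one developer side-loading an extension from a source tree (should not fire)
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"chrome.exe" https://example.org'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"chrome.exe" --load-extension="C:\Users\alice\AppData\Local\Temp\ext" --restore-last-session'},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"chrome.exe" --load-extension=C:\dev\my-extension'},
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(rules)}")
```

The two rules are deliberately separate: the parent-process rule is the high-confidence signal, while the path rule alone only says "unpacked extension in an odd place" and is there to keep developer machines from flooding the queue. Feeding real events in means mapping your EDR or Sysmon export onto the three field names above.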
To resist removal, ChromeLoader aggressively redirects users away as soon as they try to open the extensions management page.
But Windows users are not the only ones threatened by ChromeLoader.
Those on macOS are targeted as well, with a variant capable of installing malicious extensions on both Chrome and Safari.
The infection chain and behavior match the Windows version,
except that the payload is delivered as a DMG file instead of an ISO.
Source: BleepingComputer / The Hacker News