VMware and Microsoft Have Issued a Warning About Rampant ChromeLoader Malware Attacks

Mar 7, 2024

The malware known as ChromeLoader, which appeared this year and hijacks users’ browsers to redirect them to pages of advertisements, is reportedly turning into a more serious danger by distributing harmful payloads that go beyond malvertising.

According to researchers from VMware’s Carbon Black Managed Detection and Response (MDR) team, variants of the nasty software have been seen launching ransomware on Windows PCs and Macs.

The Windows port of ChromeLoader usually arrives as an ISO image file that users are tricked into downloading, opening and running; these ISO files pose as installation media for sought-after applications such as pirated games and software bundles.

The malware is built to be customized: operators can add functionality such as harvesting credentials from web sessions and monitoring a user’s online activity, or use it to bring further payloads onto the computer, such as ransomware and other malware. “Although this type of malware is created with the intention of delivering adware to the user, ChromeLoader also increases the attack surface of an infected system,” VMware’s MDR team wrote in their report. Interestingly, Palo Alto Networks’ Unit 42 threat intelligence group said in a July report that it had observed a variant of ChromeLoader written with the AutoHotkey scripting tool and distributed as an AHK file rather than an ISO.

In a series of tweets, researchers from Microsoft’s security intelligence unit said they were monitoring an “ongoing, far-reaching campaign of click fraud in which attackers monetize clicks generated by a browser node-webkit or from a malicious browser extension secretly installed on devices”. When the ISO’s content is opened and executed, it either launches node-webkit, a framework for running web applications as Chromium-based desktop apps, presumably configured to load and click on ads to generate revenue, or installs a browser extension that does the same kind of thing. Variants include ones that pose as legitimate programs, such as OpenSubtitles (which helps users find subtitles for movies and TV shows) and FLB Music (a cross-platform music player), and that drop malware to maintain persistence on a machine and to spy on user communications.

The VMware team said they consider ChromeLoader “annoying adware”. Given how the malware has evolved in recent months, criminals are expected to continue using it. Of the more than 50 VMware customers infected with it, most were in the business services sector, followed by the government and education sectors.

Another payload unleashed by ChromeLoader is the Enigma ransomware, which has been around for several years and is still active. “As we have seen in previous ChromeLoader infections, this campaign exploits powershell.exe extensively and is likely to lead to more sophisticated attacks,” wrote the team, comprising Abe Schneider, Bethany Hardin and Lavine Oluoch, adding that “this is an emerging threat that needs to be monitored and taken seriously due to its potential to deliver more nefarious malware.”
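The two delivery details the article gives, an ISO the user opens and runs, and heavy use of powershell.exe, are enough to build a simple hunting heuristic. The following is an added example for defenders and is not code from VMware, Microsoft or the article’s authors; the log format, field names and sample events are constructed for this example, and the assumption that the system volume is C: (so any other drive letter may be a mounted ISO or removable media) is this example’s own. It flags a PowerShell launch that is either started by a process living on a non-system volume or handed a script on one, and raises severity when hidden-window, policy-bypass or encoded-command switches are present.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ProcEvent:
    ts: str
    parent: str   # full path of the parent process image
    image: str    # full path of the created process image
    cmdline: str


@dataclass(frozen=True)
class Alert:
    ts: str
    severity: str
    reason: str


# Constructed sample process-creation events (not real telemetry) in a simple
# key=value form; the field names are this example's own, not an EDR schema.
SAMPLE_LOG = r"""
ts=2024-03-07T10:01:02Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c E:\setup.bat"
ts=2024-03-07T10:01:03Z parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -w hidden -ep bypass -f E:\x.ps1"
ts=2024-03-07T10:02:00Z parent=E:\Setup.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -File E:\init.ps1"
ts=2024-03-07T10:05:00Z parent=C:\Windows\explorer.exe image=C:\Program Files\Git\git-bash.exe cmdline="git-bash.exe"
ts=2024-03-07T10:06:00Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe"
ts=2024-03-07T10:07:00Z parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe -ep bypass -f C:\Users\Public\tools\backup.ps1"
"""

LINE_RE = re.compile(
    r'^ts=(?P<ts>\S+) parent=(?P<parent>.*?) image=(?P<image>.*?) cmdline="(?P<cmdline>.*)"$'
)

# Assumption: the system volume is C:, so a path on any other drive letter is
# treated as "possibly a mounted ISO or removable media". Tune this per fleet.
NON_SYSTEM_DRIVE_RE = re.compile(r"\b[D-Zd-z]:\\")

# PowerShell switches common in unattended, scripted launches. Alone they are
# far too noisy to alert on (admins use them too); here they only raise the
# severity once the mounted-volume condition is already met.
EVASIVE_FLAGS_RE = re.compile(
    r"(?i)-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|e(?:nc|ncodedcommand)\b)"
)

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


def parse_events(text: str) -> List[ProcEvent]:
    """Parse the key=value lines into events, skipping malformed lines."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # do not let one bad line crash the whole pipeline
        events.append(ProcEvent(m["ts"], m["parent"], m["image"], m["cmdline"]))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent]) -> List[Alert]:
    """Flag PowerShell launches tied to a non-system (possibly ISO) volume."""
    alerts = []
    for ev in events:
        if basename(ev.image) not in POWERSHELL_IMAGES:
            continue
        from_mounted_parent = bool(NON_SYSTEM_DRIVE_RE.search(ev.parent))
        refs_mounted_path = bool(NON_SYSTEM_DRIVE_RE.search(ev.cmdline))
        if not (from_mounted_parent or refs_mounted_path):
            continue
        evasive = bool(EVASIVE_FLAGS_RE.search(ev.cmdline))
        reason = "PowerShell " + (
            "launched by a process on a non-system volume"
            if from_mounted_parent
            else "given a script or path on a non-system volume"
        )
        if evasive:
            reason += " with hidden-window, policy-bypass or encoded-command flags"
        alerts.append(Alert(ev.ts, "high" if evasive else "medium", reason))
    return alerts


def run_sample() -> List[Alert]:
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.ts} [{a.severity}] {a.reason}")
```

Run against the constructed sample, only the two PowerShell launches tied to the E: volume are reported; the admin-style `-ep bypass` launch of a script under C:\Users\Public is deliberately left alone, because the volume condition, not the switches, is what ties the event to the ISO delivery pattern. In a real deployment you would also want to correlate the preceding ISO mount event and the user’s download, which this example does not model.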

Since the adware causes no obvious damage to victims’ systems, other than consuming some bandwidth, it is usually a threat that analysts ignore or downplay.

However, any software that lurks undetected in systems is a candidate for bigger problems, as its authors can apply modifications that enable more aggressive monetization. While ChromeLoader started out as adware, it is a perfect example of how threat actors experiment with more powerful payloads, exploring more profitable alternatives to ad fraud.