VMware, Microsoft warn of widespread Chromeloader malware attacks


VMware and Microsoft are warning of an ongoing, widespread ChromeLoader malware campaign that has evolved into a more menacing threat, in some cases dropping malicious browser extensions, node-webkit malware, and even ransomware.

ChromeLoader emerged in Q1 2022, when researchers at Red Canary warned about the dangers of browser hijackers used for marketing affiliations and ad fraud.

At that stage, the malware infected Chrome with a malicious extension that redirected user traffic to advertising sites to commit click fraud and generate income for the threat actors.

A few months later, Palo Alto Networks' Unit 42 noticed that ChromeLoader was evolving into an information stealer, attempting to snatch data stored in the browser while maintaining its adware functions.

On Friday evening, Microsoft warned of an “ongoing widespread click fraud campaign” attributed to a threat actor tracked as DEV-0796, who uses ChromeLoader to infect victims with various malware.

ChromeLoader attack flow (Source: Microsoft)

Today, VMware analysts published a technical report describing the different ChromeLoader variants seen in August and this month, some of which drop much more powerful payloads.

New variants dropping malware

ChromeLoader malware is distributed in ISO files delivered through malicious ads, browser redirects, and YouTube video comments.

ISO files have become a popular way to distribute malware since Microsoft began blocking Office macros by default. In addition, when double-clicked on Windows 10 and later, ISOs are automatically mounted as CD-ROMs under a new drive letter, making them an effective way to deliver multiple malware files at once.

Files included in the ChromeLoader ISO archive

A ChromeLoader ISO typically consists of four files: a ZIP archive that contains the malware, an ICON file, a batch file (usually named Resources.bat) that installs the malware, and a Windows shortcut that launches the batch file.
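The four-file layout described above is a useful triage signal for a defender looking at a mounted ISO. The script below is an added example (not code from VMware, Microsoft, or the article) that inventories the contents of a mounted or extracted ISO, assigns each file to one of the four roles, and scans any batch installer for generic indicators such as referencing the archive, writing to the registry, or launching a hidden PowerShell window. The sample directory it builds, including the file names and the batch contents, is constructed for illustration and is an assumption, not taken from a real sample; nothing in it is executed.

```python
"""Heuristic triage of a mounted (or extracted) ISO for the four-file
ChromeLoader layout: ZIP archive, icon, batch installer, Windows shortcut.

Added defender-side example; the sample files written to a temp directory
are constructed here and the batch contents are assumptions for illustration.
"""
import re
import tempfile
from pathlib import Path

# File roles that together make up the layout the article describes.
ROLE_BY_EXT = {".zip": "archive", ".ico": "icon", ".bat": "installer", ".lnk": "shortcut"}

# Generic things in a batch installer worth surfacing to an analyst. These are
# broad indicators, not signatures derived from any real ChromeLoader sample.
BAT_INDICATORS = {
    "references_archive": re.compile(r"\.zip\b", re.IGNORECASE),
    "registry_write": re.compile(r"\breg(\.exe)?\s+add\b", re.IGNORECASE),
    "launches_powershell": re.compile(r"\bpowershell(\.exe)?\b", re.IGNORECASE),
    "hidden_window": re.compile(r"-(w|windowstyle)\s+hidden\b", re.IGNORECASE),
}


def inventory(root):
    """Map each top-level file name under root to its role (None if unknown)."""
    roles = {}
    for p in Path(root).iterdir():
        if p.is_file():
            roles[p.name] = ROLE_BY_EXT.get(p.suffix.lower())
    return roles


def inspect_batch(path):
    """Return the sorted names of the indicators that fire on a batch file."""
    text = Path(path).read_text(errors="replace")
    return sorted(name for name, rx in BAT_INDICATORS.items() if rx.search(text))


def triage_iso_contents(root):
    """Score a mounted/extracted ISO against the ChromeLoader layout.

    Verdicts: 'suspicious' when all four roles are present and the batch file
    both references the archive and writes to the registry; 'review' when at
    least a shortcut and a batch installer are present; else 'benign-looking'.
    """
    roles = inventory(root)
    present = {r for r in roles.values() if r}
    indicators = set()
    for name, role in roles.items():
        if role == "installer":
            indicators.update(inspect_batch(Path(root) / name))
    indicators = sorted(indicators)

    if present == set(ROLE_BY_EXT.values()) and {"references_archive", "registry_write"} <= set(indicators):
        verdict = "suspicious"
    elif {"shortcut", "installer"} <= present:
        verdict = "review"
    else:
        verdict = "benign-looking"
    return {"roles": present, "indicators": indicators, "verdict": verdict}


def build_sample_iso_dir(include_batch=True):
    """Write a CONSTRUCTED directory mimicking the mounted ISO layout.

    File names, the registry key and the batch contents are assumptions for
    illustration; the archive is an empty ZIP and the shortcut is a header stub.
    """
    root = Path(tempfile.mkdtemp(prefix="iso_sample_"))
    (root / "archive.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)  # empty ZIP
    (root / "icon.ico").write_bytes(b"\x00\x00\x01\x00")
    (root / "Open.lnk").write_bytes(b"L\x00\x00\x00")  # shortcut magic only
    if include_batch:
        (root / "Resources.bat").write_text(
            "@echo off\r\n"
            "powershell -w hidden Expand-Archive archive.zip %APPDATA%\\ext\r\n"
            "reg add HKCU\\Software\\EXAMPLE_KEY /v upd /t REG_SZ /d cmd /f\r\n"
        )
    return root


if __name__ == "__main__":
    print(triage_iso_contents(build_sample_iso_dir()))
```

Point `triage_iso_contents()` at the drive letter Windows assigns to a mounted ISO (or at a directory you extracted it into) and treat a `suspicious` verdict as a reason to pull the batch file and archive for full analysis; the layout check alone is deliberately loose so that it is the combination with the batch indicators, not any single file, that raises the score.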

As part of its research, VMware sampled at least ten ChromeLoader variants from the beginning of the year, with the most interesting appearing after August.

ChromeLoader types and development timeline (VMware)

The first example is a program that mimics OpenSubtitles, a utility that helps users find subtitles for movies and TV shows. In this campaign, the threat actors moved away from their usual “Resources.bat” file and switched to a file named “properties.bat”, which is used to install the malware and establish persistence by manipulating registry keys.

Another notable case is “Flbmusic.exe”, which mimics the FLB music player, ships with an Electron runtime, and enables the malware to load additional modules for network communication and port snooping.

For some variants, the attacks became somewhat destructive, dropping zip bombs that overload the system with massive unpacking operations.

“As recently as late August, ZipBombs have been observed being dropped on infected systems. The ZipBomb is dropped with the initial infection in a user-downloaded archive. The user has to double-click to run the ZipBomb. Once run, the malware destroys the user’s system by overloading it with data,” the VMware report states.

What’s more, recent ChromeLoader variants have been seen deploying Enigma ransomware embedded in an HTML file.

Enigma is an old ransomware strain that uses a JavaScript-based installer and an embedded executable so that it can be launched directly from the default browser.

After encryption is complete, the “enigma” filename extension is appended to the files, while the ransomware leaves a “readme.txt” file containing instructions for victims.

Adware should not be ignored

Because adware does not cause significant damage to victims’ systems beyond eating up some bandwidth, it is usually a threat that analysts overlook or minimize.

However, any software that nests in a system without being detected is a candidate for more significant trouble, as its authors may introduce modifications that enable more aggressive monetization.

While ChromeLoader started out as adware, it is a perfect example of how threat actors experiment with more powerful payloads as they look for more profitable alternatives to ad fraud.
