ChromeLoader Malware Hijacks Browsers With ISO Files
The malware’s abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections.
The browser-hijacking malware known as ChromeLoader is becoming increasingly widespread and growing in sophistication, according to two advisories released this week. It poses a big threat to business users.
ChromeLoader is a sophisticated malware that uses PowerShell, an automation and configuration management framework, to inject itself into the browser and add a malicious extension. This kind of threat drastically increases the attack surface, as today’s enterprises rely more on software-as-a-service (SaaS) apps amid flexible working environments and diverse endpoints.
“The browser is the front door to the Internet, and therefore the user’s first line of defense when they access SaaS applications,” Ohad Bobrov, Talon Cyber Security's CTO and co-founder, tells Dark Reading. “Attackers have identified the browser as an opportunity to steal remote information from SaaS applications, as well as create malicious extensions they can easily manipulate.”
In this case, the malware is using malicious optimal disc image (ISO) files — often hidden in cracked or pirated versions of software or games — to take over the browser and redirect it to display bogus search results in a malvertising scheme.
Both a MalwarebytesLabs advisory and a Red Canary warning point out that ChromeLoader’s abuse of PowerShell, combined with the use of ISO files, make ChromeLoader particularly aggressive.
“PowerShell, like any other advanced shell, can be used as an administration tool to automate tasks,” explains Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation. “Admins use benign shell scripts for myriad tasks because they can be versatile and easily accessible on almost every platform.”
He points out that the use of an ISO file to carry the script, which then drops a malicious extension, is not a new technique, but it remains effective because ISOs are still commonly used in business settings. While this campaign is relying on a ruse of pirated software, ISOs are also important in network and system management and are used for installing packages on servers and containers. Linux is installed via ISO, as are some Windows upgrades.
Read more about:
Dark ReadingAbout the Author(s)
You May Also Like