This nasty browser-hijacking malware is becoming a serious threat

ChromeLoader’s distribution is picking up


The distribution of the ChromeLoader malware has spiked in recent months, turning a relative nuisance into a full-blown threat.

Researchers from Red Canary have been tracking the malware for the past five months, and claim the threat has risen significantly.

According to the research, the attackers are targeting both Windows and macOS users, distributing the malware via torrent files masquerading as cracks for software and games.

They’re also using social media sites, such as Twitter, to promote the torrent links, sharing QR codes leading to the sites that host the malware.

ChromeLoader malware


The goal is to have the victims download the files themselves. For Windows targets, the files come in an .ISO archive which, when mounted with a virtual CD-ROM drive, displays an executable file posing as a crack or a keygen. Researchers are saying that its most likely filename is “CS_Installer.exe”.

Once the victim runs the file, it executes and decodes a PowerShell command that pulls an archive from the server, and loads it as an extension for the Google Chrome browser. After that, PowerShell removes the scheduled task, leaving no traces of its presence.
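For defenders, the Windows chain described above maps onto three process-creation signals. The sketch below is an added example, not code from the article or from Red Canary: the event field names are hypothetical, the sample events are constructed, and it assumes the encoded PowerShell appears as an `-EncodedCommand` argument and the extension is loaded through Chrome's `--load-extension` switch.

```python
import ntpath

# Constructed process-creation events (not real telemetry); the field
# names are hypothetical and should be mapped to your EDR/Sysmon schema.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EVENTS = [
    {"parent": "explorer.exe", "image": r"E:\CS_Installer.exe",
     "cmdline": r"E:\CS_Installer.exe"},
    {"parent": "svchost.exe", "image": PS,
     "cmdline": "powershell.exe -WindowStyle Hidden -E PLACEHOLDER_BASE64"},
    {"parent": "powershell.exe", "image": CHROME,
     "cmdline": r'chrome.exe --load-extension="C:\Users\u\AppData\Local\ext"'},
    {"parent": "explorer.exe", "image": CHROME,
     "cmdline": "chrome.exe https://example.com"},
    {"parent": "explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\ops\backup.ps1"},
]
SHELLS = {"powershell.exe", "pwsh.exe"}

def has_encoded_flag(cmdline):
    """True if an argument is -EncodedCommand, its -ec alias, or a prefix (-e, -enc)."""
    for token in cmdline.split():
        name = token[1:].lower()
        if token.startswith("-") and name and (
                name == "ec" or "encodedcommand".startswith(name)):
            return True
    return False

def classify(event):
    """Return the names of the rules an event matches."""
    image = ntpath.basename(event["image"]).lower()
    hits = []
    if image == "cs_installer.exe":  # filename reported in the article
        hits.append("installer-name")
    if image in SHELLS and has_encoded_flag(event["cmdline"]):
        hits.append("encoded-powershell")
    if (image == "chrome.exe" and event["parent"].lower() in SHELLS
            and "--load-extension" in event["cmdline"].lower()):  # assumed switch
        hits.append("chrome-extension-from-shell")
    return hits

def scan(events):
    """Map event index -> matched rules, skipping clean events."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

if __name__ == "__main__":
    print(scan(EVENTS))
```

The filename rule is the weakest of the three, since a renamed installer evades it; Chrome started by a PowerShell parent with an extension path on the command line is the more durable signal.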


The methodology for macOS is somewhat different; instead of an ISO, the attackers use DMG files, which are more common on the platform. It also swaps the installer executable for an installer bash script that downloads and decompresses the extension into “private/var/tmp”.


ChromeLoader is described as a browser hijacker that can tweak browser settings on the target endpoint, making it show modified search results. By showing fake giveaways, dating sites, or unwanted third-party software, the threat actors earn commission in affiliate programs.

What makes ChromeLoader stand out in a sea of similar browser hijackers is its persistence, volume and infection route, the researchers said.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
