Security researchers have noticed that operators of the ChromeLoader browser hijacking and adware campaign now use VHD files named after popular games. Previously, these campaigns relied on an ISO-based distribution.

The malicious files were discovered by a member of the Ahnlab Security Emergency Response Center (A SECOND) via Google search results to queries for popular games

Google search results drive people to adware sites
Google search results linking to adware sites (A SECOND)

Some of the game titles abused for adware distribution purposes include Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart , Animal Crossing and more.

Complete list of VHD files used in the latest ChromeLoader campaign
VHD files used in the latest ChromeLoader campaign (A SECOND)

A network of malvertising sites distributes malicious files, which appear as legitimate game-related packages, which install the ChromeLoader extension.

ChromeLoader hijacks browser searches to display ads. It also modifies browser settings and collects browser credentials and data.

According red canary data, the malware became more prevalent in May 2022. In September 2022, VMware reported new variants performing more sophisticated network activities. In some cases, the actor even delivered Enigma ransomware.

In all cases seen throughout 2022, ChromeLoader arrived on the target system as an ISO file. Lately, operators seem to prefer VHD packaging.

VHD files can be easily mounted on a Windows system and are supported by several virtualization software.

The images include several files, but only one of them, a shortcut called “Install.lnk”, is visible. Deploying the shortcut triggers the execution of a batch script that decompresses the contents of a ZIP archive.

Contents of VHD files
Contents of VHD files (A SECOND)

In the next step, the batch file executes “data.ini”, a VBScript and JavaScript that retrieves the final payload from a remote resource.

According to ASEC, ChromeLoader will start redirecting to advertising sites, thereby generating revenue for its operators.

The researchers say the addresses hosting the payload are no longer accessible. They note that the malicious Chrome extension created and executed by ChromeLoader can also collect credentials stored in the browser.

The ASEC report provides a brief set of Indicators of Compromise that can help detect the ChromeLoader threat.

Users are advised to avoid downloading games from unofficial sources and stay away from cracks for popular products as they usually pose a high security risk.


Source link