VMware and Microsoft warn of an ongoing and widespread Chromeloader malware campaign that has morphed into a more dangerous threat, with the removal of malicious browser extensions, node-WebKit malware, and even ransomware in some case.

Chromeloader infections jumped in the first quarter of 2022with Red Canary researchers warning of the dangers of the browser hijacker used for affiliate marketing and ad fraud.

At the time, the malware infected Chrome with a malicious extension that redirected user traffic to advertising sites to perform click fraud and generate revenue for threat actors.

A few months later, Palo Alto Network Unit 42 noticed that Chromeloader was become an information thiefattempting to snatch data stored on browsers while retaining its adware functions.

Friday night, Microsoft has warned about an “ongoing large-scale click fraud campaign” attributed to a malicious actor tracked as DEV-0796 using Chromeloader to infect victims with various malware.

Today, analysts of vmware published a technical report describing different Chromeloader variants that were used in August and this month, some of which drop much more powerful payloads.

New variants dropping malware

ChromeLoader malware comes bundled in ISO files which are distributed via malicious ads, browser redirects and YouTube video comments.

ISO files have becoming a popular method for distributing malware since Microsoft has started blocking Office macros by default. Additionally, when you double-click an ISO in Windows 10 and later, they are automatically mounted as CD-ROMs under a new drive letter, making it an efficient way to distribute multiple malicious files at once. .

ChromeLoader ISOs typically contain four files, a ZIP archive containing the malware, an ICON file, a batch file (commonly called Resources.bat) that installs the malware, and a Windows shortcut that launches the batch file.

As part of their research, VMware sampled at least ten Chromeloader variants so far this year, with the most interesting appearing after August.

The first example is a program mimicking OpenSubtitles, a utility that helps users locate subtitles for movies and TV shows. In this campaign, threat actors moved away from their usual “Resources.bat” file and moved to a file named “properties.bat”, used to install malware and establish persistence by adding registry keys .

Another notable case is “Flbmusic.exe”, mimicking the FLB Music player, featuring an Electron runtime and allowing the malware to load additional modules for network communication and port snooping.

For some variants, the attacks got a bit destructive, mining ZipBombs that overload the system with a massive unboxing operation.

“As early as late August, ZipBombs have been seen dropping on infected systems. The ZipBomb is dropped with the initial infection in the archive that the user downloads. The user must double-click for the ZipBomb to run. Once executed, the malware destroys the user’s system by overloading it with data,” the VMware report explains.

More worryingly, recent Chromeloader variants have been seen deploying Enigma ransomware in an HTML file.

The riddle is a old ransomware strain using a JavaScript-based installer and an embedded executable so that it can be launched directly from the default browser.

After the encryption is complete, the “.enigma“filename extension is appended to files, while the ransomware drops a “readme.txt” file containing instructions for the victims.

Adware should not be ignored

Since adware does not cause noticeable damage to victim systems, apart from consuming bandwidth, it is usually an overlooked or downplayed threat by analysts.

However, any piece of software that embeds itself in systems undetected is a candidate for bigger problems, as its authors can apply modifications that facilitate more aggressive monetization options.

While Chromeloader started out as adware, it’s a perfect example of how threat actors are experimenting with more powerful payloads, exploring more profitable alternatives to ad fraud.