The ChromeLoader app has been classified as a browser hijacker. As such, its goal is to take control of several important Web browser settings in order to generate artificial traffic toward promoted pages or to deliver unwanted and untrustworthy advertisements to the system. Advertisements associated with browser hijackers, adware, or other PUPs (Potentially Unwanted Programs) often promote intrusive software products, hoax websites, fake giveaways, phishing portals, suspicious adult games or adult-oriented sites.
While ChromeLoader possesses all of these typical browser hijacker capabilities, it is also equipped with some standout features. Details about the application were revealed to the public in a report by the cybersecurity researchers at Red Canary. According to their findings, ChromeLoader makes extensive use of PowerShell.
The application is spread as a corrupted ISO archive, disguised as a cracked executable for popular video games or commercial software. Users who visit sites distributing cracked versions of such products most likely downloaded the ChromeLoader file themselves.
When executed, the ISO file is mounted on the system as a virtual CD-ROM drive. To maintain the illusion that it belongs to the expected cracked software or game, the file contains an executable with a name similar to 'CS_Installer.exe'. The next step in the attack chain involves executing a PowerShell command responsible for fetching a specific archive from a remote location. The archive is then loaded onto the system as a Google Chrome extension. The final step uses PowerShell again, this time to remove a previously created scheduled task.
Mac Devices can be Impacted
The operators of ChromeLoader have also added the ability to compromise Apple's Safari browser. The general flow of the infection remains the same, but the initial ISO file has been replaced with a DMG (Apple Disk Image) file, the format more common on macOS. The macOS variant also uses a bash script to fetch and decompress the ChromeLoader extension. The browser hijacker is dropped into the 'private/var/tmp' directory. To ensure its persistence on the Mac, ChromeLoader adds a 'plist' file to '/Library/LaunchAgents'.
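One defensive check the macOS chain above suggests, written here as an added example (not code from the article or from Red Canary): parse LaunchAgent plists and flag any whose program runs from the private/var/tmp drop directory. The plist contents, labels and script name below are constructed placeholders, not real ChromeLoader indicators.

```python
import plistlib
from pathlib import Path

# The drop directory named above, in both its /private and symlinked forms.
SUSPICIOUS_PREFIXES = ("/private/var/tmp/", "/var/tmp/")

def program_paths(plist: dict) -> list[str]:
    """Every string from Program and ProgramArguments that could be a path."""
    paths = [str(plist["Program"])] if "Program" in plist else []
    paths.extend(str(a) for a in plist.get("ProgramArguments", []))
    return paths

def audit_plist_bytes(data: bytes, source: str = "<memory>") -> list[str]:
    """Findings for one plist; an empty list means nothing was flagged."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed XML or unknown plist format
        return [f"{source}: unparsable plist ({exc})"]
    findings = []
    for arg in program_paths(plist):
        # Split so a `bash -c "/private/var/tmp/x.sh"` argument is caught too.
        if any(tok.startswith(SUSPICIOUS_PREFIXES) for tok in arg.split()):
            findings.append(f"{source}: {plist.get('Label')!r} runs {arg}")
    return findings

def audit_launch_agents(directory: str = "/Library/LaunchAgents") -> list[str]:
    """Audit every .plist in a LaunchAgents directory (system-wide by default)."""
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        findings.extend(audit_plist_bytes(path.read_bytes(), str(path)))
    return findings

# Constructed samples: a benign agent and one matching the pattern described above.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/Applications/Example.app/Contents/MacOS/updater</string></array>
</dict></plist>"""
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.placeholder.agent</string>
<key>RunAtLoad</key><true/>
<key>ProgramArguments</key><array>
<string>/bin/bash</string><string>-c</string>
<string>/private/var/tmp/placeholder.sh</string></array>
</dict></plist>"""
if __name__ == "__main__":
    for line in audit_plist_bytes(BENIGN_PLIST, "benign") + audit_plist_bytes(SUSPECT_PLIST, "suspect"):
        print(line)
```

Run `audit_launch_agents()` on a Mac to check the system-wide directory; user-level agents live under each home directory's `Library/LaunchAgents` and can be passed in the same way.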