New ChromeLoader Malware Hijack Chrome Browser to Steal Credentials

In Cybersecurity News - Original News Source is by Blog Writer

Post Sharing
There is a malicious Chrome browser extension known as ChromeLoader that classified as a pervasive browser hijacker caught that modifies the browser settings to redirect users’ traffic to a malicious websites and stealing credentials..

After first surfacing in January of this year, ChromeLoader has developed rapidly. The malware has now evolved a wide range of malicious variants that were discovered in the wild in the last several months.

As a result of this malware, the user’s traffic can be redirected, and user search queries can be hijacked from popular search engines to trick them into paying for ads:-

  • Google
  • Yahoo
  • Bing

Additionally, the malicious code can also inject itself into the browser and add an extension to it by using PowerShell.

Technical Analysis

The development of ChromeLoader malware involves multiple stages and this malware is primarily designed with the purpose of targeting web browsers. While the early versions of malware focused their efforts on the compromise of credentials and accounts for the most part.

According to the report, The malware has been evolving in recent years into a more stealthy interpretation that has become harder to detect, as well as more sophisticated.

Additionally, it is also equipped with a number of methods for engaging in fraud and redirecting adware to a brand’s website in order to manipulate its traffic.

There are numerous different variants of this malware that target both macOS and Windows systems. The threat actors who are behind the malware use a variety of system-level infection vectors in order to spread infection and increase its spread.

However, the secondary and tertiary consequences of infection can make the malware so harmful, even though the malware’s abilities can cause considerable collateral damage.

In March 2022, the ChromeLoader malware began distributing itself to Mac users, directing them to an infected pay-per-download website to infect them with the malware.

It is apparent that the scheduled PowerShell script and the bash script share many similarities. As soon as it downloads the payload, it loads it into the target’s browser.

Who is Affected?

ChromeLoader seems to have vague targets in mind and often relies on a lack of cybersecurity awareness to explain its existence.

As a result of the sheer scale of its malware campaigns, there has also been a report that the malware has also appeared on corporate systems.

It is also due to the fact that, since it is an attack vector that utilizes unconventional methods, it is less likely to be able to use the traditional Windows Portable Executable.

In terms of compromises and areas of focus, the following were noted:-

  • Education
  • Civil Service
  • Financial

Mitigations recommended

However, there are some mitigation tips that the experts have suggested. Thus follow the steps that have been mentioned below.

  • File Hashing – It is possible to block/quarantine this malware if it appears on a device by deploying a hashing detection.
  • File Content Rules – YARA is a powerful mechanism for determining whether a file is malicious by searching the contents of the file using pattern matching.
  • System Configuration Permissions – By restricting access to a system to a specified group of users, malware and ChromeLoader persistence could be prevented.
  • Executable Denylist – This prevents the ChromeLoader from executing PowerShell/JavaScript on specific user devices.

URL Analysis – It is possible to prevent the initial infection by preventing users from visiting malicious URLs.