Skip links

ChromeLoader, what took you so long? Malvertising irritant now slings ransomware

ChromeLoader – the malware that exploded onto the scene this year by hijacking browsers to redirect users to pages of ads – is apparently evolving into a more significant threat by deploying malicious payloads that go beyond malvertising.

Variants of the software nasty have been seen dropping ransomware on Windows PCs and Macs, according to researchers at VMware’s Carbon Black Managed Detection and Response (MDR) team. The unit’s report this week about the rapidly growing number of more dangerous ChromeLoader variants dovetails with what other cybersecurity researchers have detected.

It also comes on the heels of a warning from Microsoft late last week about a click-fraud campaign by a threat group called DEV-0796 and likely using ChromeLoader to infect victims’ computers with malware.

The Windows port of ChromeLoader is typically delivered in ISO image files that marks are tricked into downloading, opening, and running the contents of – these ISO files are purported to be installation media for sought-after applications, such as cracked games and software suites. In reality, the image files contain an executable that schedules a PowerShell script that brings up ChromeLoader proper.

This multi-stage malware, once running, hijacks the browser and redirects the user to advertising sites, allowing cybercriminals to generate revenue from the ad views and clicks. Crucially, the malware can be customized, allowing extra features to be added – such as credential harvesting from web sessions, and surveillance of a user’s online activities – or more stuff to be brought onto the computer, such as ransomware and spyware. These can be downloaded separately or included in the image file.

“Although this sort of malware is created with an intent to feed adware to the user, ChromeLoader also increases the attack surface of an infected system,” VMware’s MDR team wrote in its report. “This can eventually lead to much more devastating attacks such as ransomware.”

As you can tell from the name, ChromeLoader targets Google’s browser. It works by installing a malicious browser extension that does the job of redirecting traffic and so on. The first Windows variants of ChromeLoader were spotted in the wild in January 2022 and a macOS port in March.

The growing use of ISO files partly is in reaction to Microsoft blocking Office macros by default this year.

Interestingly, Palo Alto Network’s Unit 42 threat intelligence group in a report in July said it clocked a variant of ChromeLoader that was built using the AutoHotKey scripting tool, and distributed as an AHK file, as opposed to an ISO. Mac versions were pushed as DMG files. The researchers said they had seen updates and changes to the software nasty, too.

“The browser extension serves as adware and an infostealer, leaking all of the user’s search engine queries,” Unit 42 noted. “We discovered significant changes and additions of capabilities throughout this campaign’s evolution, and we predict further changes as this campaign continues.”

A punch in the nodes

In a series of tweets, researchers in the Microsoft Security Intelligence unit said they were tracking an “ongoing wide-ranging click fraud campaign where attackers monetize clicks generated by a browser node-webkit or malicious browser extension secretly installed on devices.”

The infection begins with an ISO file that is downloaded when a user clicks on a link in a YouTube comment or hits a malicious ad. The ISO file, when opened and its contents run, executes node-webkit – a desktop web app powered by Chromium – that is set up to, presumably, load ads and click on them to generate revenue, or installs a browser extension that does the same sort of thing. The miscreants behind it are also slinging DMG files to target Mac users. This is linked to DEV-0796, and is probably using ChromeLoader.

VMware has traced at least 10 variants of ChromeLoader. Among them are versions that impersonate legitimate programs, such as OpenSubtitles (which helps users find subtitles for movies and TV shows) and FLB Music (a cross platform for playing music), and that drop malware to maintain persistence on a machine and for viewing the user’s communications.

Other variants can bring in more annoying or damaging payloads. We’re told attackers have used ChromeLoader to download and drop ZipBombs onto infected systems. If the user opens one of these, the archive expands to fill the computer’s file system with data, overwhelming it.

Another payload unleashed by ChromeLoader is the Enigma ransomware, which has been around for several years and is still active, we’re told.

The VMware team said it considers ChromeLoader “pesky adware.” Given the evolution in the malware in recent months, it’s expected that miscreants will continue to make use of it. Of the more than 50 VMware customers that have been infected by this thing, most were in the business services industry, followed by the government and education sectors.

“As we’ve seen in previous Chromeloader infections, this campaign widely leverages powershell.exe and is likely to lead to more sophisticated attacks,” the team – Abe Schneider, Bethany Hardin, and Lavine Oluoch – wrote, adding that “this is an emerging threat that needs to be tracked and taken seriously due to its potential for delivering more nefarious malware.”

Adware in the past has been “waved off as just being a nuisance malware,” the researchers wrote. “However because of this, malware authors are able to take advantage and use it for wider attacks like Enigma ransomware.” ®