A strain of Windows uses PowerShell to add a malicious extension to a victim’s Chrome browser for nefarious purposes. A macOS variant exists that uses Bash to achieve the same and also targets Safari.
The makers of the ChromeLoader software nasty ensure their malware is persistent once on a system and is difficult to find and remove, according to threat hunters at cybersecurity shop Red Canary, who have been tracking the strain since early February and have seen a flurry of recent activity.
“We first encountered this threat after detecting encoded PowerShell commands referencing a scheduled task called ‘ChromeLoader’ – and only later learned that we were catching ChromeLoader in the middle stage of its deployment,” Aedan Russell, detection engineer at Red Canary, wrote in a blog post this week.
The malicious extension injected by ChromeLoader is designed, once added to a victim’s browser, to redirect the user through online adverts, triggering revenue for miscreants. The Windows ChromeLoader’s use of PowerShell to drop in more malicious Chrome extensions is uncommon, Russell told The Register.
“ChromeLoader’s developer has found an efficient means of collecting ad revenue by using a legitimate developer command line argument for Chrome,” he said.
“Loading a web browser extension via PowerShell (and doing so silently) shows a level of stealthiness above the norm as other malicious browser extensions are usually introduced by tricking the user into overtly installing them, often posing as legitimate browser extensions.”
Red Canary isn’t the only threat intelligence group to get onto ChromeLoader. Researchers at G-Data CyberDefense in February wrote a blog post about the malware, dubbing it Choziosi loader, that also talked about using the PowerShell script.
In addition, threat researcher Colin Cowie wrote about the aforementioned variant of ChromeLoader targeting Macs in April.
ChromeLoader gets initial access into a system by being distributed as an ISO file that looks like a torrent or a cracked video game. It is spread via pay-per-install sites and social media networks like Twitter, according to Red Canary.
“Once downloaded and executed, the .ISO file is extracted and mounted as a drive on the victim’s machine,” Russell wrote of the Windows version. “Within this ISO is an executable used to install ChromeLoader, along with what appears to be a .NET wrapper for the Windows Task Scheduler. This is how ChromeLoader maintains its persistence on the victim’s machine later in the intrusion chain.”
The persistence is gained through a scheduled task using the Service Host Process, though the malware does not use the Windows Task Scheduler to add the task.
“While not using groundbreaking techniques, ChromeLoader has found success in its stealthier persistence mechanisms,” Russell told The Register.
“It uses a scheduled task, but not by using the Windows native Task Scheduler (schtasks.exe) to do so. Instead, ChromeLoader creates its scheduled task via injection into the Service Host (svchost.exe), using functionality from an imported Task Scheduler COM API.”
Once the scheduled task executes PowerShell and loads the extension, it is silently removed with the PowerShell module invoke schtasks.exe and is often less frequently monitored as an anti-forensic technique, according to Russell.
“This is a novel method for loading a malicious extension into Chrome that I have not seen before, nor has it been observed by Red Canary’s intelligence team in other malware,” he said.
“While other bad actors could capitalize on this method, they still need to place a portable executable on the victim machine to ultimately use the load-extension PowerShell technique.”
While ChromeLoader used disguised ISO files to deliver it, many enterprises are now monitoring or blocking ISOs from the internet because they are popular ways to deliver other malware. If a bad actor determines that ChromeLoader’s method is effective for loading a malicious extension, they will likely use it, he said.
In addition, because of its capabilities as a command and scripting interpreter, PowerShell will always be a top command-execution method for threat actors.
“In the particular case of ChromeLoader, the overall impact appears to be relatively low since the malware has only been observed redirecting user traffic to spam sites,” Russell said. “There are no known attempts by threat actors to load malicious browser extensions using this PowerShell technique, outside of ChromeLoader.
“However, this technique is well documented and used by developers quite often.” ®