Cybersecurity researchers have uncovered new variants of the ChromeLoader information-stealing malware, highlighting its evolving feature set in a short span of time.
Primarily used for hijacking victims’ browser searches and presenting advertisements, ChromeLoader came to light in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter and free gaming sites.
ChromeLoader has also been codenamed Choziosi Loader and ChromeBack by the broader cybersecurity community. What makes the adware notable is that it’s fashioned as a browser extension as opposed to a Windows executable (.exe) or Dynamic Link Library (.dll).
The infections typically work by enticing unsuspecting users into downloading movie torrents or cracked video games through malvertising campaigns on pay-per-install sites and social media.
Besides requesting invasive permissions to access browser data and manipulate web requests, it’s also designed to capture users’ search engine queries on Google, Yahoo, and Bing, effectively allowing the threat actors to harvest their online behavior.
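The permission profile described above (request interception plus data access plus scripts aimed at search engines) is something a defender can check for directly in an extension's manifest.json. The following audit script is an added example, not code from the article or from Unit 42; the permission sets and the sample manifest are assumptions constructed for illustration and do not reproduce ChromeLoader's actual manifest.

```python
"""Flag Chrome extension manifests whose permissions match the pattern described above."""
import json

# Permissions that let an extension observe or rewrite web requests (assumed set).
REQUEST_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest"}
# Permissions that expose browsing data beyond the extension's own storage (assumed set).
DATA_PERMS = {"tabs", "history", "cookies", "webNavigation"}
SEARCH_ENGINES = ("google.", "yahoo.", "bing.")


def audit_manifest(manifest: dict) -> list[str]:
    """Return a list of findings for one manifest; an empty list means nothing matched."""
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # Manifest V2 keeps host patterns inside "permissions"; V3 moves them to "host_permissions".
    hosts |= {p for p in perms if p.startswith(("http", "*://", "<all_urls>"))}
    broad_hosts = "<all_urls>" in hosts or any(h.startswith("*://*/") for h in hosts)
    if perms & REQUEST_PERMS and broad_hosts:
        findings.append("can intercept or modify requests on every site")
    if perms & DATA_PERMS:
        findings.append("reads browser data: " + ", ".join(sorted(perms & DATA_PERMS)))
    for script in manifest.get("content_scripts", []):
        matched = [m for m in script.get("matches", []) if any(e in m for e in SEARCH_ENGINES)]
        if matched:
            findings.append("content script injected on search engines: " + ", ".join(matched))
    return findings


# Constructed sample manifest (not a real extension) showing the suspicious combination.
SAMPLE_MANIFEST = json.loads("""{
  "manifest_version": 3,
  "name": "Search Helper",
  "permissions": ["tabs", "storage", "webRequest", "declarativeNetRequest"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["*://www.google.com/search*", "*://www.bing.com/search*"],
                       "js": ["c.js"]}]
}""")

# Constructed benign manifest for comparison: only its own storage, no host access.
BENIGN_MANIFEST = {"manifest_version": 3, "name": "Notes", "permissions": ["storage"]}

if __name__ == "__main__":
    for name, m in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, audit_manifest(m) or "no findings")
```

Point the script at the manifest.json files under a Chrome profile's Extensions directory to audit what is actually installed.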
While the first Windows variant of ChromeLoader malware was spotted in January, a macOS version of the malware emerged in March to distribute the rogue Chrome extension (version 6.0) through sketchy disk image (DMG) files.
But a new analysis from Palo Alto Networks Unit 42 indicates that the earliest known attack involving the malware occurred in December 2021 using an AutoHotKey-compiled executable in place of the later-observed ISO files.
“This malware was an executable file written using AutoHotKey (AHK) — a framework used for scripting automation,” Unit 42 researcher Nadav Barak said, adding it was used to drop “version 1.0” of the browser add-on.
This first version is also said to lack obfuscation capabilities, a feature that has been picked up in subsequent iterations of the malware to conceal its purpose and malicious code.
Also observed since March 2022 is a previously undocumented campaign that uses version 6.0 of the Chrome extension and relies on an ISO image containing a seemingly benign Windows shortcut which, in reality, acts as a conduit to launch a hidden file in the mounted image that deploys the malware.
“This malware demonstrates how determined cybercriminals and malware authors can be: In a short time period, the authors of ChromeLoader released multiple different code versions, used multiple programming frameworks, enhanced features, advanced obfuscators, fixed issues, and even added cross-OS support targeting both Windows and macOS,” Barak said.