A new browser hijacker/adware campaign named ChromeLoader, also known as Choziosi Loader and ChromeBack, was discovered. Despite relying on simple malicious advertisements, the malware became widespread, potentially leaking data from thousands of users and organizations.
ChromeLoader is a multi-stage malware family. Each variant contains different stages throughout its infection chain, including malicious browser extensions used in all variants.
Instead of more traditional malware like a Windows executable (.exe) or Dynamic Link Library (.dll), the malware authors used a browser extension as their final payload.
The browser extension serves as adware and an infostealer, leaking all of the user’s search engine queries. We discovered significant changes and additions of capabilities throughout this campaign’s evolution, and we predict further changes as this campaign continues.
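A defender-side triage check for the behaviour described above (an extension as the final payload, sideloaded rather than installed from the Web Store, with permissions broad enough to read search queries). This is an added example, not code from the original article or from Palo Alto Networks; the sample preferences document is constructed and only approximates the `extensions.settings.<id>` layout of Chrome's Preferences / Secure Preferences file, and the permission list is an assumption about what such an extension would need.

```python
import json
from typing import Dict, List

# Constructed sample modelled on the extensions.settings.<id> section of a
# Chrome Preferences file (assumed layout, not a real capture). IDs are made up.
SAMPLE_PREFS = json.dumps({
    "extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {
            "from_webstore": True,
            "manifest": {"name": "Benign Notes", "permissions": ["storage"]}},
        "ponmlkjihgfedcbaponmlkjihgfedcba": {
            "from_webstore": False,
            "manifest": {"name": "Search Helper",
                         "permissions": ["tabs", "webRequest", "<all_urls>"]}},
    }}
})

# Permissions that let an extension observe or rewrite browsing / search
# traffic. Any one of these on a sideloaded extension is worth a closer look.
SUSPECT_PERMS = {"tabs", "webRequest", "webRequestBlocking", "webNavigation",
                 "<all_urls>", "http://*/*", "https://*/*"}


def triage_extensions(prefs_json: str) -> List[Dict]:
    """Return extensions that were NOT installed from the Web Store and hold
    permissions sufficient to read or redirect the user's search queries."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        perms |= set(manifest.get("host_permissions", []))  # Manifest V3 form
        hits = sorted(perms & SUSPECT_PERMS)
        if not entry.get("from_webstore", False) and hits:
            findings.append({"id": ext_id,
                             "name": manifest.get("name", "<unnamed>"),
                             "permissions": hits})
    return findings


if __name__ == "__main__":
    for finding in triage_extensions(SAMPLE_PREFS):
        print(f"{finding['id']}  {finding['name']}  {finding['permissions']}")
```

On a real host, pass the contents of the profile's Preferences or Secure Preferences file instead of `SAMPLE_PREFS`; a Web Store origin alone is not proof of safety, so treat the output as a starting point for manual review.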
According to Palo Alto Networks, it made the investigation process significantly easier. Palo Alto Networks customers using Cortex XDR and WildFire receive protections against this newly discovered malware out of the box.
In fact, it improved the research capability so much that they were able to detect two new versions of this malware, the first one and the latest, which had never been linked to this malware family before.