The malware is designed to install malicious extension(s) onto browsers. Currently, two distinct variants of ChromeLoader have been detected: one targeting Windows and another targeting macOS.
ChromeLoader is a browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites.
Once downloaded and executed, the .ISO file is extracted and mounted as a drive on the victim’s machine. Within this ISO is an executable used to install ChromeLoader.
An optical disc image (ISO) is a disk image containing everything written to an optical disc. Someone who copies a DVD or CD-ROM may end up with an ISO. With the right software, these files can be mounted and read as if the machine were reading from a physical disc.
Finally, ChromeLoader uses a PowerShell command to load a Chrome extension from a remote resource. PowerShell then removes the scheduled task, and the victim is none the wiser that their browser has been compromised. At this point, search results cannot be trusted, and bogus entries will be displayed to the user.
Using PowerShell and extensive obfuscation is uncommon for adware and browser hijackers, but it is standard for information stealers, spyware, and other malware. It is therefore quite possible that ChromeLoader is still in development and will be updated with additional harmful functionality. Regardless, ChromeLoader already poses a significant threat in its current form.
As Bleeping Computer notes, macOS users are also at risk from this attack. Instead of an ISO, the attackers use a DMG (Apple Disk Image) file, which is the more common format on that OS.
Recommendations to avoid malicious extensions
- In Chrome, click the More icon, then More Tools -> Extensions. From there, you can check what is installed and what is active or disabled, along with additional information about every extension present.
- Keeping your security software up to date and running regular scans helps prevent this kind of attack. Always scan a downloaded file before opening it.
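The two checks above can be automated on a Windows host. The following PowerShell script is an added example, not code from the original article: it lists every extension in the default Chrome profile by reading each manifest.json, and flags scheduled tasks whose action starts PowerShell with encoded-command or hidden-window switches, the pattern the article describes. It assumes the standard Chrome profile path under %LOCALAPPDATA%; extension names shown as `__MSG_*__` are localized and must be resolved from the extension's _locales folder.

```powershell
# Added example for defensive triage; assumes the default Chrome profile location.
$extRoot = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default\Extensions'

function Get-ChromeExtensions {
    param([string]$Root = $extRoot)
    if (-not (Test-Path $Root)) { return @() }
    Get-ChildItem -Path $Root -Directory | ForEach-Object {
        $id = $_.Name
        # Each extension id folder holds one or more version folders with a manifest.json.
        Get-ChildItem -Path $_.FullName -Directory | ForEach-Object {
            $manifestPath = Join-Path $_.FullName 'manifest.json'
            if (Test-Path $manifestPath) {
                $m = Get-Content -Path $manifestPath -Raw | ConvertFrom-Json
                [pscustomobject]@{
                    Id          = $id
                    Version     = $_.Name
                    Name        = $m.name            # '__MSG_*__' means a localized name
                    Permissions = ($m.permissions -join ', ')
                }
            }
        }
    }
}

function Get-SuspiciousPowerShellTasks {
    # Scheduled tasks that launch PowerShell with an encoded command or a hidden
    # window are rare in legitimate administration and deserve a closer look.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute -match '(?i)powershell' -and
                $a.Arguments -match '(?i)-(enc|encodedcommand|w(indowstyle)?\s+hidden)') {
                [pscustomobject]@{
                    Task    = $task.TaskName
                    Path    = $task.TaskPath
                    Command = "$($a.Execute) $($a.Arguments)"
                }
            }
        }
    }
}

Get-ChromeExtensions | Format-Table -AutoSize
Get-SuspiciousPowerShellTasks | Format-Table -AutoSize
```

Review any extension you did not install yourself, and any flagged task, against the article's description before removing it; Get-ScheduledTask needs the ScheduledTasks module shipped with Windows 8 / Server 2012 and later.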