A strain of Windows malware uses PowerShell to add a malicious extension to a victim’s Chrome browser for nefarious purposes. There is a macOS variant that uses Bash to achieve the same result and also targets Safari.
The creators of the nasty ChromeLoader software ensure that their malware is persistent once on a system and hard to find and remove, according to threat hunters at cybersecurity shop Red Canary, who have been monitoring the strain since its inception in February and have seen a recent flurry of activity.
“We first encountered this threat after detecting coded PowerShell commands referring to a scheduled task called ‘ChromeLoader’ – and it wasn’t until later that we learned that we were catching ChromeLoader in the middle of its deployment,” wrote Aedan Russell, detection engineer at Red Canary, in a blog post this week.
The malicious extension injected by ChromeLoader is designed, once added to a victim’s browser, to redirect the user via online advertisements, generating revenue for the malefactors. Windows ChromeLoader’s use of PowerShell to drop more malicious Chrome extensions is rare, Russell told The Register.
“The developer of ChromeLoader has found an effective way to collect ad revenue by using a legitimate developer command line argument for Chrome,” he said.
“Loading a web browser extension via PowerShell (and doing it silently) shows a level of stealth above the norm, as other malicious browser extensions are usually introduced by tricking the user into installing them overtly, often masquerading as legitimate browser extensions.”
Red Canary isn’t the only threat intelligence group with access to ChromeLoader. G-Data CyberDefense researchers in February wrote a blog post about the malware, dubbing it the Choziosi Loader, which also discussed its use of a PowerShell script.
Additionally, threat researcher Colin Cowie wrote about the aforementioned ChromeLoader variant targeting Macs in April.
ChromeLoader gets initial access to a system by being distributed as an ISO file that looks like a torrent or a cracked video game. It is spreading via pay-per-install sites and social media networks like Twitter, according to Red Canary.
“Once downloaded and executed, the .ISO file is extracted and mounted as a drive on the victim’s machine,” Russell wrote of the Windows version. “Inside this ISO is an executable used to install ChromeLoader, as well as what appears to be a .NET wrapper for the Windows Task Scheduler. This is how ChromeLoader maintains its persistence on the victim’s machine later in the intrusion chain.”
Persistence is achieved through a scheduled task using the service host process, although the malware does not use Windows Task Scheduler to add the task.
“While it doesn’t use breakthrough techniques, ChromeLoader has found success in its stealthier persistence mechanisms,” Russell told The Register.
“It uses a scheduled task, but not using the native Windows task scheduler (schtasks.exe). Instead, ChromeLoader creates its scheduled task via an injection into the service host (svchost.exe), by using the functionality of an imported Task Scheduler COM API.”
Once the scheduled task has run PowerShell and loaded the extension, the task is silently removed by the PowerShell module invoking schtasks.exe. Task deletion is often less closely monitored than task creation, which makes this an anti-forensic technique, according to Russell.
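The behaviours Russell describes (an encoded PowerShell command that references a scheduled task, Chrome launched with a developer flag to load an unpacked extension, and the task quietly deleted through schtasks.exe) all leave traces in process-creation telemetry. The following Python script is an added illustration, not code from the article, Red Canary or the ChromeLoader authors, of how a defender could flag those traces in a batch of events. It assumes the Chrome developer flag the article alludes to is `--load-extension` (a real Chrome switch; the article itself does not name it), and every event record, path and task name below is constructed for the example.

```python
import base64
import re

# PowerShell's -EncodedCommand takes base64 of UTF-16LE text.
def encode_ps(script: str) -> str:
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed process-creation events: (parent image, image, command line).
# Event 1 mimics a scheduled task (run under svchost.exe) launching a hidden,
# encoded PowerShell that loads an unpacked extension and then deletes the task.
SAMPLE_EVENTS = [
    ("explorer.exe", "chrome.exe", "chrome.exe --profile-directory=Default"),
    ("svchost.exe", "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand "
     + encode_ps("Start-Process chrome.exe -ArgumentList "
                 "'--load-extension=C:\\Users\\Public\\ext'; "
                 "schtasks.exe /delete /tn ChromeLoader /f")),
    ("cmd.exe", "schtasks.exe", "schtasks.exe /query /tn BackupJob"),
    ("powershell.exe", "schtasks.exe", "schtasks.exe /delete /tn ChromeLoader /f"),
]

# -e, -ec, -enc and -EncodedCommand are all accepted prefixes of the switch.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand payload, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(parent: str, image: str, cmdline: str):
    """Return a list of suspicious findings for one process-creation event."""
    findings = []
    text = cmdline
    if image.lower() == "powershell.exe":
        decoded = decode_encoded_command(cmdline)
        if decoded:
            findings.append("encoded PowerShell command")
            # Scan the decoded script alongside the visible command line.
            text = cmdline + " " + decoded
    low = text.lower()
    if "--load-extension" in low:
        findings.append("chrome --load-extension")
    if "schtasks" in low and "/delete" in low:
        findings.append("scheduled task deletion")
    if image.lower() == "schtasks.exe" and parent.lower() == "powershell.exe" and "/delete" in low:
        findings.append("schtasks /delete spawned by PowerShell")
    if "chromeloader" in low:
        findings.append("task name 'ChromeLoader'")
    return findings


def scan(events):
    """Map event index -> findings for every event that triggered at least one rule."""
    hits = {}
    for idx, (parent, image, cmdline) in enumerate(events):
        findings = analyze_event(parent, image, cmdline)
        if findings:
            hits[idx] = findings
    return hits


if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(findings)}")
```

The decoding step matters: without it, the scheduled-task reference and the extension flag in event 1 would be invisible to plain command-line string matching, which is exactly the gap Russell describes encoded commands exploiting. The schtasks.exe rule keys on deletion with PowerShell as parent rather than on the task name, so it also catches the anti-forensic step when a different name is used.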
“This is a new method of loading a malicious extension in Chrome that I have never seen before, nor has it been observed by the Red Canary intelligence team in other malicious software,” he said.
“While other malicious actors could capitalize on this method, they still need to place a portable executable on the victim machine to ultimately use the payload extension PowerShell technique.”
While ChromeLoader has been distributed via disguised ISO files, many companies now monitor or block ISOs downloaded from the Internet, as they are a popular way to distribute other malware. If a bad actor determines that ChromeLoader’s method is an effective way to load a malicious extension, they’ll likely use it, he said.
Additionally, due to its capabilities as a command and script interpreter, PowerShell will always be a top command execution method for threat actors.
“In the particular case of ChromeLoader, the overall impact appears to be relatively low since the malware has only been observed redirecting user traffic to spammy sites,” Russell said. “There are no known attempts by malicious actors to load malicious browser extensions using this PowerShell technique, outside of ChromeLoader.
“However, this technique is well documented and used quite often by developers.” ®