Malware has been discovered that installs a malicious extension on browsers. The malware is called ChromeLoader. Two variants of ChromeLoader have been detected so far: one for Windows and one for macOS.

The malware is distributed, for example, as a torrent or an ISO file that looks like a “cracked” game. It is also spread in the form of QR codes through social media channels such as Twitter, as well as through downloads of pirated movies, games and fake cracks for paid software. ChromeLoader hijacks the browser, changes its settings, and redirects search engines, filling results pages with ads that can lead to deceptive or malicious pages and other unwanted programs.

Once extracted, the ISO file is mounted as a disk on the victim’s computer. Within this ISO, an executable file is used to install ChromeLoader. A PowerShell script creates a task called “ChromeTask” (although the name is subject to change) that is scheduled to run every ten minutes. The PowerShell script also downloads the malicious Google Chrome browser extension ‘archive.zip’. Some users have reported that their Chrome browser constantly shuts itself down as a result of this task.


Image: PowerShell script (via Red Canary)
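Because the task name can change, a check for this persistence is more robust when it keys on behaviour (a short repetition interval combined with a PowerShell action) than on the name “ChromeTask”. The following is an added example, not code from the article or its sources: it triages a single task exported with `schtasks /query /tn <name> /xml`, and the sample task, the function names and the ten-minute threshold are assumptions made for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHELLS = ("powershell", "pwsh")
_DUR = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample in Task Scheduler XML format. Only the task name and the
# ten-minute interval come from the article; the arguments are made up.
SAMPLE_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ChromeTask</URI></RegistrationInfo>
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT10M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-File constructed-example.ps1</Arguments>
  </Exec></Actions>
</Task>"""


def interval_minutes(text):
    """Convert an ISO 8601 duration (PT10M, PT600S, P1D) to minutes, or None."""
    m = _DUR.match(text.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(g or 0) for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task(xml_text, max_minutes=10):
    """Flag a task that repeats at least every max_minutes AND runs PowerShell."""
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", "?", NS)
    intervals = [interval_minutes(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    fast = [i for i in intervals if i is not None and 0 < i <= max_minutes]
    actions = [(e.findtext("t:Command", "", NS), e.findtext("t:Arguments", "", NS))
               for e in root.iterfind("t:Actions/t:Exec", NS)]
    shell = [a for a in actions if any(s in a[0].lower() for s in SHELLS)]
    return {"task": name, "suspicious": bool(fast and shell),
            "interval_min": min(fast) if fast else None, "actions": shell}


if __name__ == "__main__":
    print(triage_task(SAMPLE_TASK))
```

A hit is a lead for review, not a verdict: legitimate management tooling can also schedule frequent PowerShell tasks, so confirm by inspecting the action's arguments and the installed browser extensions.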

Researchers at G-Data wrote a blog post about ChromeLoader back in February. The company named the malware Choziosi Loader and also mentioned its use of the PowerShell script. Malware researcher Colin Cowie wrote about the macOS variant back in April.

See Google Chrome’s support page for how to manage and possibly remove extensions. The same can be found on Apple’s support page.

Sources: The Register, BleepingComputer, Red Canary

Source: Hardware Info
