Researchers Uncover New Variants of the ChromeLoader Browser Hijacking Malware

Cyber Security

Cybersecurity researchers have uncovered new variants of the ChromeLoader information-stealing malware, highlighting its evolving feature set in a short span of time.

Primarily used for hijacking victims’ browser searches and presenting advertisements, ChromeLoader came to light in January 2022 and has been distributed in the form of ISO or DMG file downloads advertised via QR codes on Twitter and free gaming sites.

ChromeLoader has also been codenamed Choziosi Loader and ChromeBack by the broader cybersecurity community. What makes the adware notable is that it’s fashioned as a browser extension as opposed to a Windows executable (.exe) or Dynamic Link Library (.dll).

Besides requesting invasive permissions to access browser data and manipulate web requests, it’s also designed to capture users’ search engine queries on Google, Yahoo, and Bing, effectively allowing the threat actors to harvest their online behavior.

While the first Windows variant of ChromeLoader malware was spotted in January, a macOS version of the malware emerged in March to distribute the rogue Chrome extension (version 6.0) in the form of disk image (DMG) files.

But a new analysis from Palo Alto Networks Unit 42 indicates that the earliest known attack involving the malware occurred in December 2021 using an AutoHotKey-compiled executable in place of the later-observed ISO files.

“This malware was an executable file written using AutoHotKey (AHK) — a framework used for scripting automation,” Unit 42 researcher Nadav Barak said, adding it was used to drop “version 1.0” of the browser add-on.

This first version is also said to lack obfuscation capabilities, a feature that has been picked up in subsequent iterations of the malware to conceal its purpose and malicious code.

Also observed in March 2022 was a previously undocumented campaign using the 6.0 version of the Chrome extension and relies on an ISO image that contains a seemingly benign Windows shortcut, but, in reality, acts as a conduit to launch a hidden file in the mounted image which deploys the malware.

“This malware demonstrates how determined cybercriminals and malware authors can be: In a short time period, the authors of ChromeLoader released multiple different code versions, used multiple programming frameworks, enhanced features, advanced obfuscators, fixed issues, and even adding cross-OS support targeting both Windows and macOS,” Barak said.