A new report from VMware Inc.’s Carbon Black Managed Detection and Response team today describes the rise of the highly prevalent ChromeLoader malware, its continued evolution, and the serious risk it poses to both individuals and businesses.
ChromeLoader, first discovered in January, usually arrives as an .iso optical disc image and is used to steal a user’s browser credentials, collect recent online activity and hijack browser searches to display ads. Since its discovery, several variants have appeared, including a macOS version in March 2022 and others such as ChromeBack and Choziosi Loader.
The researchers explain that although this type of malware was created with the intention of feeding the user adware, ChromeLoader also increases the attack surface of an infected system. Knowing this, hackers have been seen delivering more dangerous malware alongside ChromeLoader for other criminal purposes.
Underscoring the evolving threat posed by the malware, a ChromeLoader variant called “Bloom” drops a file named bloom.exe into client environments with ChromeLoader infections. The Bloom variant has been observed making external network connections and exfiltrating sensitive data. A number of other variants follow the same bloom.exe attack chain but use different process names and file hashes to evade detection.
One variant, seen as recently as late August, deploys so-called “zip bombs” along with ChromeLoader. A zip bomb, also known as a decompression bomb or zip of death, is a malicious archive file designed to damage a program or system. In this case, once the user double-clicks the zip bomb, it destroys the user’s system by overloading it with decompressed data.
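A practical defensive counterpart to the zip-bomb technique described above is to screen archives before anything is extracted. The following added example (not code from the VMware Carbon Black report or this article) reads only a zip archive’s central directory, sums the declared compressed and uncompressed sizes, and flags any archive whose declared output or compression ratio exceeds a policy limit. The thresholds, function names and the sample archives it builds in memory are constructed assumptions for illustration.

```python
"""Defensive screening for decompression bombs ("zip bombs").

Added example; not part of the VMware Carbon Black report or the article.
The archive is never decompressed: only the central directory metadata is
read, so a hostile file cannot exhaust memory or disk during the check.
Thresholds below are assumed policy values, not figures from the report.
"""
import io
import random
import zipfile

# Assumed policy limits; tune per environment.
MAX_TOTAL_UNCOMPRESSED = 100 * 1024 * 1024   # 100 MiB of declared output
MAX_RATIO = 100.0                             # declared uncompressed / compressed


def inspect_zip(data: bytes) -> dict:
    """Summarise declared sizes of an in-memory zip and give a verdict."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        compressed = sum(i.compress_size for i in infos)
        uncompressed = sum(i.file_size for i in infos)

    if compressed > 0:
        ratio = uncompressed / compressed
    elif uncompressed > 0:
        # Declared output with zero compressed bytes is itself suspicious.
        ratio = float("inf")
    else:
        ratio = 0.0

    suspicious = uncompressed > MAX_TOTAL_UNCOMPRESSED or ratio > MAX_RATIO
    return {
        "members": len(infos),
        "compressed": compressed,
        "uncompressed": uncompressed,
        "ratio": ratio,
        "suspicious": suspicious,
    }


def is_suspicious_zip(data: bytes) -> bool:
    """Convenience wrapper returning only the verdict."""
    return inspect_zip(data)["suspicious"]


def build_sample_zip(member_size: int, compressible: bool) -> bytes:
    """Construct a small test archive in memory (constructed sample data).

    compressible=True stores a run of zero bytes, which deflate shrinks by
    roughly 1000:1, reproducing a bomb's size ratio at a harmless scale.
    compressible=False stores seeded pseudo-random bytes, which deflate
    cannot shrink, giving a benign ratio close to 1.
    """
    if compressible:
        payload = b"\x00" * member_size
    else:
        payload = random.Random(1234).randbytes(member_size)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", payload)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("highly compressible (bomb-like)", build_sample_zip(4 * 1024 * 1024, True)),
        ("pseudo-random (benign)", build_sample_zip(64 * 1024, False)),
    )
    for label, archive in samples:
        print(label, inspect_zip(archive))
```

Checking declared sizes is cheap but not sufficient on its own: nested archives (a zip inside a zip) declare only the inner archive’s compressed size, so a quarantine or extraction pipeline should apply the same check recursively and enforce a hard byte budget while writing members to disk.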
In another campaign, ChromeLoader distributors are promoting cloned versions of OpenSubtitles, a program that helps users find subtitles for popular movies and TV shows, and of the FLB Music music player. The cloned software is used in conjunction with an adware program that redirects web traffic, steals credentials and recommends other malicious downloads masquerading as legitimate updates. It also reads Chrome browser history.
ChromeLoader distributors were also found to target business services. Of the more than 50 VMware Carbon Black MDR customers infected by ChromeLoader, the majority are in the business services sector, followed by the government and education sectors.
Given the evolution of campaigns and variants, the researchers note there is real concern that ChromeLoader infections will continue to lead to more sophisticated attacks that deliver malware to a wider audience.
“The VMware Carbon Black MDR team believes this is an emerging threat that should be tracked and taken seriously due to its potential to deliver more criminal malware,” the researchers concluded. “Adware has been seen before to be dismissed as just annoying malware, but because of this, malware authors can take advantage and use it for wider attacks like Enigma ransomware.”