New ChromeLoader malware surge threatens browsers worldwide
The ChromeLoader malware is seeing an uptick in detections this month, following a relatively stable volume since the start of the year, turning the browser hijacker into a widespread threat.
ChromeLoader is a browser hijacker that can modify the victim's web browser settings to show search results that promote unwanted software, fake giveaways and surveys, and adult games and dating sites.
Finally, ChromeLoader executes and decodes a PowerShell command that fetches an archive from a remote resource and loads it as a Google Chrome extension.
The operators of ChromeLoader also target macOS systems, looking to manipulate both Chrome and Apple's Safari web browsers.
The infection chain on macOS is similar, but instead of ISO files, the threat actors use DMG files, a more common format on that OS. Moreover, instead of the installer executable, the macOS variant uses an installer bash script that downloads and decompresses the ChromeLoader extension into the "Private/var/tmp" directory.
"To maintain persistence, the macOS variation of ChromeLoader will append a preference file to the `/Library/LaunchAgents` directory," explains RedCanary's report.