Security News > 2022 > May > This Windows malware uses PowerShell to inject malicious extension into Chrome
A strain of Windows uses PowerShell to add a malicious extension to a victim's Chrome browser for nefarious purposes.
The makers of the ChromeLoader software nasty ensure their malware is persistent once on a system and is difficult to find and remove, according to threat hunters at cybersecurity shop Red Canary, who have been tracking the strain since early February and have seen a flurry of recent activity.
"We first encountered this threat after detecting encoded PowerShell commands referencing a scheduled task called 'ChromeLoader' - and only later learned that we were catching ChromeLoader in the middle stage of its deployment," Aedan Russell, detection engineer at Red Canary, wrote in a blog post this week.
The Windows ChromeLoader's use of PowerShell to drop in more malicious Chrome extensions is uncommon, Russell told The Register.
"While not using groundbreaking techniques, ChromeLoader has found success in its stealthier persistence mechanisms," Russell told The Register.
"It uses a scheduled task, but not by using the Windows native Task Scheduler to do so. Instead, ChromeLoader creates its scheduled task via injection into the Service Host, using functionality from an imported Task Scheduler COM API.".
News URL
https://go.theregister.com/feed/www.theregister.com/2022/05/27/chromeloader-malware-powershell/
Related news
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- New Glove infostealer malware bypasses Chrome’s cookie encryption (source)