
This Windows malware uses PowerShell to inject malicious extension into Chrome
2022-05-27 11:26

A strain of Windows malware uses PowerShell to add a malicious extension to a victim's Chrome browser for nefarious purposes.

The makers of the ChromeLoader software nasty ensure their malware is persistent once on a system and is difficult to find and remove, according to threat hunters at cybersecurity shop Red Canary, who have been tracking the strain since early February and have seen a flurry of recent activity.

"We first encountered this threat after detecting encoded PowerShell commands referencing a scheduled task called 'ChromeLoader' - and only later learned that we were catching ChromeLoader in the middle stage of its deployment," Aedan Russell, detection engineer at Red Canary, wrote in a blog post this week.

ChromeLoader's use of PowerShell on Windows to drop additional malicious Chrome extensions into the browser is uncommon, Russell told The Register.

"While not using groundbreaking techniques, ChromeLoader has found success in its stealthier persistence mechanisms," Russell told The Register.

"It uses a scheduled task, but not by using the Windows native Task Scheduler to do so. Instead, ChromeLoader creates its scheduled task via injection into the Service Host, using functionality from an imported Task Scheduler COM API."
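The detection signal Red Canary describes, an encoded PowerShell command that references a scheduled task named 'ChromeLoader', can be checked by decoding the `-EncodedCommand` payload from a process-creation command line. The following is an added example, not code from the article or from Red Canary; the command lines are constructed, and the parameter prefixes it accepts and the `Schedule.Service` ProgID it looks for are assumptions about what an analyst would search for:

```python
import base64
import re

def _enc(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample process command lines (not from the article). The first mimics the
# middle-stage behaviour the article describes; the second is a benign encoded command.
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + _enc("Get-ScheduledTask -TaskName 'ChromeLoader' | Start-ScheduledTask"),
    "powershell.exe -enc " + _enc("Get-ChildItem C:\\Users"),
    'powershell.exe -Command "Get-Process"',
]

# Common spellings of the parameter (assumed list): -e, -ec, -enc, -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
# Ways a script can touch scheduled tasks: the cmdlets, schtasks.exe, or the COM ProgID.
TASK_REF = re.compile(r"ScheduledTask|schtasks|Schedule\.Service", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: not a valid encoded command

def triage(cmdline: str) -> dict:
    """Flag encoded commands that reference scheduled tasks or the 'ChromeLoader' task name."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"encoded": False, "suspicious": False, "reasons": []}
    reasons = []
    if TASK_REF.search(script):
        reasons.append("scheduled-task reference inside encoded command")
    if "chromeloader" in script.lower():
        reasons.append("task name 'ChromeLoader'")
    return {"encoded": True, "suspicious": bool(reasons), "reasons": reasons, "script": script}

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(triage(line))
```

Only the first constructed line is flagged; the benign encoded command decodes cleanly but carries no scheduled-task reference.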


News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/27/chromeloader-malware-powershell/