Security News > 2022 > May > ChromeLoader Browser Hijacker Provides Gateway to Bigger Threats
ChromeLoader may seem on the surface like a run-of-the-mill browser hijacker that merely redirects victims to advertisement websites.
ChromeLoader is a pervasive and persistent browser hijacker that eventually manifests as a browser extension, modifying victims' Chrome settings and redirecting user traffic to advertisement websites.
While its core functionality is fairly benign, ChromeLoader has a unique feature in that it uses PowerShell to inject itself into the browser and add a malicious extension to it, "a technique we don't see very often," warned Aedan Russell from Red Canary's Detection Engineering team in a blog post.
Once installed, ChromeLoader uses a PowerShell command to load in a Chrome extension from a remote resource.
Red Canary offered more advanced detection tactics based on ChromeLoader's use of PowerShell to find out if a browser has been infected.
On macOS, security administrators can search for sh or bash scripts running with command lines associated with the macOS variant of ChromeLoader, as well as the execution of encoded sh, bash, or zsh commands on macOS endpoints, to determine whether a browser has been infected.
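A small hunt over process-creation telemetry along these lines, as an added example (not Red Canary's detection logic or code from the article). It assumes each event carries a parent image, child image and command line, that the extension is loaded through Chrome's `--load-extension` switch, and that an "encoded" shell command means a base64 decode piped into a shell; all sample events are constructed.

```python
import re

# Constructed process-creation events; field names are hypothetical, not a real EDR schema.
SAMPLE_EVENTS = [
    {"host": "win-01", "parent": "powershell.exe", "image": "chrome.exe",
     "cmdline": r'chrome.exe --load-extension="C:\Users\a\AppData\Local\chrome\ext"'},
    {"host": "win-02", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": "chrome.exe --profile-directory=Default"},
    # Developer loading an unpacked extension by hand: same switch, benign parent.
    {"host": "win-03", "parent": "explorer.exe", "image": "chrome.exe",
     "cmdline": r'chrome.exe --load-extension="C:\dev\my-ext"'},
    # Payload decodes to the word "constructed".
    {"host": "mac-01", "parent": "launchd", "image": "sh",
     "cmdline": "sh -c echo Y29uc3RydWN0ZWQ= | base64 --decode | sh"},
    {"host": "mac-02", "parent": "Terminal", "image": "zsh",
     "cmdline": "zsh -c ls -la /Applications"},
]

POWERSHELL = {"powershell.exe", "pwsh.exe"}
CHROME = {"chrome.exe"}
UNIX_SHELLS = {"sh", "bash", "zsh"}

# Assumption: "encoded command" = output of a base64 decode piped into a shell.
ENCODED_SHELL = re.compile(
    r"base64\s+(-d|--decode)\b.*\|\s*(sh|bash|zsh)\b", re.IGNORECASE
)


def classify(event):
    """Return a finding name for one process event, or None if nothing matches."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmdline = event["cmdline"]
    # Windows: PowerShell is the parent of a Chrome process that loads an extension.
    if (image in CHROME and parent in POWERSHELL
            and "--load-extension" in cmdline.lower()):
        return "powershell_loads_chrome_extension"
    # macOS: a shell whose command line decodes base64 straight into another shell.
    if image in UNIX_SHELLS and ENCODED_SHELL.search(cmdline):
        return "encoded_shell_command"
    return None


def hunt(events):
    """Map host -> finding for every event that matches a rule."""
    return {e["host"]: finding for e in events if (finding := classify(e))}


if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {finding}")
```

Requiring PowerShell as the parent is what separates the flagged event from the developer on `win-03`, who uses the same switch interactively.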
News URL
https://threatpost.com/chromeloader-hijacker-threats/179761/