Security researchers at VMware urge organizations to heed the rise of ChromeLoader. The malware hijacks victims’ browsers to spread malicious files and targeted ads.
ChromeLoader was discovered in January. The malware is typically installed through an .iso file, after which the program manipulates browser data to display targeted ads. Threats like ChromeLoader are typically categorized as adware.
According to VMware, adware is regularly dismissed as “a nuisance” — a nagging toothache, but not severe enough to ring up a dentist. The organization believes that ChromeLoader deserves more respect. Looks can be deceiving.
From bad to worse
First, the malware allows cybercriminals to generate ad revenue. Google uses Chrome users’ browser data to sell targeted ads to advertisers. ChromeLoader manipulates the data to show ads of the attackers’ choice. In exchange for a fee, cybercriminals can serve ads to infected devices.
Second, ChromeLoader allows cybercriminals to spread additional malware variants. The ads on infected devices don’t necessarily need to link to legitimate products or services. Cybercriminals can just as easily redirect the ads to scam websites and malware distribution pages.
Third, the malware makes it possible to steal data. In ts report, VMware points to ‘Bloom’, a ChromeLoader variant that drops an .exe file on infected systems. The variant connects to remote systems to transfer victims’ personal data.
Zip bombs and ransomware
Fourth, ChromeLoader allows cybercriminals to damage systems and data. In August 2022, researchers discovered a variant that deploys malicious .zip files. Once a victim extracts the file, the system is damaged due to an abundance of data. Such files are also known as “zip bombs,” “decompression bombs” and “zips of death”.
Finally, the malware was recently used to spread Enigma, a ransomware variant. Cybercriminals initiated Enigma’s encryption process by opening a malicious HTML extension with ChromeLoader. “This is an emerging threat that needs to be tracked and taken seriously due to its potential for delivering more nefarious malware”, the researchers concluded.