ChromeLoader Malware Hijacks Browsers With ISO Files

The malware’s abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections.


The browser-hijacking malware known as ChromeLoader is becoming increasingly widespread and growing in sophistication, according to two advisories released this week. It poses a big threat to business users.

ChromeLoader is a sophisticated malware that uses PowerShell, an automation and configuration management framework, to inject itself into the browser and add a malicious extension. This kind of threat drastically increases the attack surface, as today’s enterprises rely more on software-as-a-service (SaaS) apps amid flexible working environments and diverse endpoints.

“The browser is the front door to the Internet, and therefore the user’s first line of defense when they access SaaS applications,” Ohad Bobrov, Talon Cyber Security's CTO and co-founder, tells Dark Reading. “Attackers have identified the browser as an opportunity to steal remote information from SaaS applications, as well as create malicious extensions they can easily manipulate.”

In this case, the malware is delivered in malicious optical disc image (ISO) files, often disguised as cracked or pirated versions of software or games, and uses them to take over the browser and redirect it to bogus search results in a malvertising scheme.

Both a MalwarebytesLabs advisory and a Red Canary warning point out that ChromeLoader’s abuse of PowerShell, combined with its use of ISO files, makes it particularly aggressive.


“PowerShell, like any other advanced shell, can be used as an administration tool to automate tasks,” explains Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation. “Admins use benign shell scripts for myriad tasks because they can be versatile and easily accessible on almost every platform.”

He points out that using an ISO file to carry the script, which then drops a malicious extension, is not a new technique, but it remains effective because ISOs are still commonly used in business settings. While this campaign relies on the ruse of pirated software, ISOs are also important in network and system management and are used for installing packages on servers and containers. Linux is installed via ISO, as are some Windows upgrades.
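The chain the two advisories describe (a script carried on a mounted ISO, run under PowerShell, which then adds an extension to the browser) is something a detection engineer can look for in process-creation telemetry. The following Python is an added example written for this page, not code from the article, from Malwarebytes, or from Red Canary. The sample events, the drive letter E:, the Temp path and the use of Chrome's --load-extension flag as the way the extension is attached are all assumptions for the example; the article says only that a PowerShell script delivered in an ISO adds a malicious extension, and the list of ISO-backed drive letters would in practice come from the endpoint rather than be hard-coded.

```python
import re

# Constructed sample process-creation events (shape loosely follows Sysmon
# Event ID 1: ProcessId, ParentProcessId, Image, CommandLine). Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    # Benign admin use of PowerShell from a normal path.
    {"pid": 110, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\rotate-logs.ps1"},
    # A user mounted a "cracked software" ISO (shows up as E:) and ran the script in it.
    {"pid": 120, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File E:\Setup.ps1"},
    # That PowerShell then starts the browser with an extra extension.
    # --load-extension is an assumed mechanism; the article only says an extension is added.
    {"pid": 130, "ppid": 120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": r'"chrome.exe" --load-extension=C:\Users\u\AppData\Local\Temp\ext'},
    # Normal browser launch from the shell.
    {"pid": 140, "ppid": 100,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": r'"chrome.exe"'},
]

# Drive letters currently backed by a mounted ISO. Constructed here; on a real
# endpoint this would be queried (for example with Get-Volume in PowerShell).
MOUNTED_ISO_DRIVES = {"E:"}

POWERSHELL_RE = re.compile(r"(^|\\)(powershell|pwsh)\.exe$", re.I)
BROWSER_RE = re.compile(r"(^|\\)(chrome|msedge|brave)\.exe$", re.I)
SCRIPT_PATH_RE = re.compile(r"""([A-Za-z]:)\\[^\s"']*\.ps1""", re.I)
LOAD_EXT_RE = re.compile(r"--load-extension=", re.I)


def is_powershell(ev):
    return bool(POWERSHELL_RE.search(ev["image"]))


def is_browser(ev):
    return bool(BROWSER_RE.search(ev["image"]))


def script_on_iso(ev, iso_drives):
    """Rule 1: PowerShell executing a .ps1 whose path is on a mounted ISO."""
    if not is_powershell(ev):
        return False
    m = SCRIPT_PATH_RE.search(ev["cmd"])
    return bool(m) and m.group(1).upper() in {d.upper() for d in iso_drives}


def ancestors(ev, by_pid):
    """Yield parent, grandparent, ... using the pids present in the event set."""
    seen = set()
    cur = by_pid.get(ev["ppid"])
    while cur and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def browser_with_extension_from_powershell(ev, by_pid):
    """Rule 2: a browser started under PowerShell with an extension loaded from disk."""
    if not is_browser(ev) or not LOAD_EXT_RE.search(ev["cmd"]):
        return False
    return any(is_powershell(a) for a in ancestors(ev, by_pid))


def detect(events, iso_drives=MOUNTED_ISO_DRIVES):
    """Return (rule_name, pid) alerts; the chain alert fires only when both
    rules hit along one parent chain, which is the high-confidence case."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if script_on_iso(ev, iso_drives):
            alerts.append(("powershell_script_on_iso", ev["pid"]))
        if browser_with_extension_from_powershell(ev, by_pid):
            alerts.append(("browser_extension_via_powershell", ev["pid"]))
    iso_ps = {pid for name, pid in alerts if name == "powershell_script_on_iso"}
    for ev in events:
        if ("browser_extension_via_powershell", ev["pid"]) in alerts and \
                any(a["pid"] in iso_ps for a in ancestors(ev, by_pid)):
            alerts.append(("chromeloader_like_chain", ev["pid"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Either rule alone produces noise (admins run scripts from ISOs, developers load unpacked extensions), which is why the example keeps them separate and only escalates when a PowerShell process that ran a script from an ISO is an ancestor of the browser launch. On the sample events the benign admin script and the normal browser start produce nothing; pids 120 and 130 trigger the two rules and the chain alert.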

Continue Reading on Dark Reading


About the Author(s)

Dark Reading

Long one of the most widely read cyber security news sites on the Web, Dark Reading, a sister site to ITPro Today, is now the most trusted online community for security professionals like you. Dark Reading's community members include thought-leading security researchers, CISOs, and technology specialists, along with thousands of other security professionals.

Nathan Eddy

Nathan Eddy is a freelance writer for ITProToday and covers various IT trends and topics across wide variety of industries. A graduate of Northwestern University’s Medill School of Journalism, he is also a documentary filmmaker specializing in architecture and urban planning. He currently lives in Berlin, Germany.
