A new report from VMWare Inc.’s Carbon Black Managed Detection and Response Team today details the rise of the highly prevalent ChromeLoader malware, its ongoing evolution and the serious risk it poses to both individuals and businesses.

ChromeLoader, which was first discovered in January, typically drops as a .iso optical disk image and is used to steal a user’s browser credentials, harvest recent online activity and hijack the browser searches to display ads. Since it was first discovered, several variants have emerged, including a macOS version in March 2022 and others such as ChromeBack and Choziosi Loader.

The researchers explain that although this sort of malware is created with the intent to feed adware to the user, ChromeLoader also increases the attack surface of an infected system. Knowing this, hackers have been seen delivering more malicious malware with Chromeloader for other nefarious purposes.

Highlighting the evolving threat the malware presents, a Chromeloader variant dubbed “Bloom” drops a file named bloom.exe in customer environments with ChromeLoader infections. The Bloom variant has been observed making external network connections and exfiltrating sensitive data. There have also been a number of other variants that follow the same bloom.exe attack chain but use different process names and hashes to avoid detection.

One variant, seen as recently as late August, deploys so-called “Zip bombs” alongside Chromeloader. A Zip bomb, also known as a decompression bomb or zip of death, is a malicious archive file designed to damage a program or system. In this case, once the Zip bomb is double-clicked, it destroys the user’s system by overloading it with data.

In the evolution of malware, ransomware often comes up, which is no different with ChromeLoader. One campaign using ChromeLoader was found to contribute the Enigma Ransomware via HTML attachments. Once the attachment is open, it will launch the default browser, execute its embedded javascript, then follow its standard chain of encryption.

In another campaign, ChromeLoader distributors have impersonated OpenSubtitles, a program used to help users find subtitles for popular movies and TV shows, and the music player software FLB Music. The impersonated software is used in conjunction with an adware program that redirects web traffic, steals credentials and recommends other malicious downloads posed as legitimate updates. It also reads through the Chrome browser history.

ChromeLoader distributors were also found to be targeting business services. Of the more than 50 VMware Carbon Black MDR customers infected by ChromeLoader, the majority of the infected are within the business services industry, followed by the government and education sectors.

Given the evolution of the campaigns and the variations, the researchers note that there is a real concern that ChromeLoader infections will continue to lead to more sophisticated attacks that deliver nefarious malware to larger audiences.

“The VMware Carbon Black MDR team believes this is an emerging threat that needs to be tracked and taken seriously due to its potential for delivering more nefarious malware,” the researchers concluded. “It has been seen before that adware is waved off as just being a nuisance malware, however, because of this, malware authors are able to take advantage and use it for wider attacks like Enigma ransomware.”

Image: Maxpixel