A new ChromeLoader campaign is underway, infecting visitors of warez and pirated movie sites with a new variant of the search hijacker and adware browser extension named Shampoo.
This discovery of the new campaign comes from HP’s threat research team (Wolf Security), who report that the operation has been underway since March 2023.
ChromeLoader history
ChromeLoader is a browser hijacker that force-installs browser extensions that redirect search results to promote unwanted software, fake giveaways, surveys, adult games, dating sites, and other irrelevant results.
Roughly a year ago, analysts at Red Canary reported a sudden spike in ChromeLoader distribution that had started in February 2022, now including macOS on the targeting scope along with Windows.
In September, VMware and Microsoft warned of another massive ChromeLoader campaign featuring the experimental ability to drop additional malware, including ransomware.
More recently, in February 2023, security researchers at ASEC discovered a campaign where ChromeLoader malware was distributed in VHD files named after popular video games.
Newest campaign
HP’s analysts report that in the campaign that started in March 2023, ChromeLoader is distributed via a network of malicious websites that promise free downloads of copyrighted music, movies, or video games.
Instead of legitimate media files or software installers, the victims download VBScripts that execute PowerShell scripts setting up a scheduled task prefixed with “chrome_” for persistence.
This task triggers a series of scripts that download a save a new PowerShell script into the host’s registry as “HKCU:SoftwareMirage Utilities” and also fetch the malicious Chrome extension, Shampoo.
Shampoo is a variant of ChromeLoader, capable of injecting adverts on websites the victim visits and performing search query redirections.
In a sample analyzed by BleepingComputer, searches from the browser address bar or Google are first redirected to a website at ythingamgladt[.]com and then to Bing search results.
Once the malicious extension is installed, it prevents the victim from accessing the Chrome extensions screen. Users are instead redirected to the Chrome settings screen when attempting to do so.
The adware’s operation is thought to be financially motivated, aiming to generate revenue from the search redirects and advertisements.
Of course, it’s not hard for victims to notice these redirections, as they’re not getting what they search for on Google, yet removing the malware is complicated.
“Removing ChromeLoader Shampoo is not as simple as uninstalling a legitimate extension,” warns HP in the report.
“The malware relies on looping scripts and a Windows scheduled task to reinstall the extension whenever the victim removes it or reboots their device.”
Hence, if the victim reboots the system, the Chrome malware will be temporarily disabled, but it gets reinstalled quickly.
To get rid of ChromeLoader Shampoo, HP Wolf Security says users can perform the following steps:
- Remove any scheduled tasks prefixed with “chrome_”. Legitimate Chrome scheduled tasks are normally prefixed with “Google”.
- Delete the registry key “HKCUSoftwareMirage Utilities”.
- Then reboot the computer.
BleepingComputer also found the PowerShell scripts extracting the malicious extension to ‘C:Users<user>appdatalocalchrome_test’ folder, which should be deleted if it exists.
HP warns that these removal steps must be completed quickly before the looping script reinstalls the malware.
A simple method to determine if a ChromeLoader variant runs on your web browser is to verify if Chrome is running with the “-load-extension” argument. You can use tools like Process Explorer to examine a process’ properties and see command-line arguments.
HP explains that those working in corporate environments who are infected with ChromeLoader may be reluctant to seek help from their IT department colleagues due to fearing the ramifications of breaking their employer’s policies by downloading software from doubtful sources.
However, the threat of adware should not be ignored or downplayed, as this is still a trojan running on your system which could attempt to cause more significant damage at any time, should its operators decide to seek more aggressive monetization pathways from their infections.
Source: www.bleepingcomputer.com