‘Shampoo’ Malware Variant Proves Resilient, Posing Challenges to Eradication

Fake websites spreading the resilient ChromeLoader “Shampoo” malware

A new variant of the ChromeLoader malware, named “Shampoo,” is being spread through fake websites advertising pirated video games, films, and other illegal content. The malware steals sensitive data, redirects searches, and injects ads into victims’ browser sessions. Researchers from HP Wolf Security have been monitoring the campaign, which has been active since March 2023.

Similarities to the original ChromeLoader

The original ChromeLoader, discovered in May 2022, aimed to install a malicious Chrome extension for advertising purposes. It employed a complex infection chain that began with victims downloading malicious ISO files from websites hosting illegal content. The Shampoo campaign is very similar to ChromeLoader in terms of its infection chain, distribution methods, and objectives. The two versions share code similarities and the ad-monetization feature.

Persistence mechanism and infection chain

One significant difference between the Shampoo variant and the original ChromeLoader is how it persists: Shampoo registers a task in the Windows Task Scheduler that re-launches the loader script every 50 minutes, so the infection survives reboots and attempts to kill the running script.

Users typically encounter Shampoo when they download what is advertised as pirated content. The download is actually a malicious VBScript, disguised as the pirated wares the victim was looking for, and running it starts the infection chain. The Shampoo extension itself is heavily obfuscated and contains anti-debugging and anti-analysis traps, which makes it harder to analyse and detect.

Malicious activities of the Shampoo variant

Once the Shampoo extension is loaded into a Chrome session, it carries out several malicious activities, including:

  • Disabling search suggestions in the address bar
  • Redirecting Google, Yahoo, and Bing searches to a command and control (C2) server
  • Logging the victim’s last search query in Chrome’s local storage
  • Preventing victims from accessing chrome://extensions, likely to hinder the removal of the extension
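The behaviours listed above leave static traces in an extension's manifest and scripts: it needs permissions to watch and rewrite navigation, host access to the search engines, storage for the last query, and code that touches chrome://extensions, and the obfuscation mentioned earlier shows up as hex-escaped strings and runtime decoding. The triage script below is an added example, not HP Wolf Security's tooling and not the malware's code; its weights, thresholds and the sample manifest and script are constructed for the illustration, and the sample script only mimics the described tab-blocking behaviour as input for the detector.

```python
"""Static triage of an unpacked Chrome extension for Shampoo-style behaviour.

Added example; it is not HP Wolf Security's tooling and contains none of the
malware's code. The checks mirror the write-up: permissions and host access
that allow watching and redirecting search traffic, storing the last query,
and interfering with chrome://extensions, plus generic signs of obfuscation.
Thresholds, weights and the sample manifest and script are constructed.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Permissions that let an extension observe or rewrite navigation
NAV_PERMISSIONS = {"tabs", "webNavigation", "webRequest", "webRequestBlocking",
                   "declarativeNetRequest", "scripting"}
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "yahoo.")
# (regex, label, hits needed before it counts) - assumed thresholds
OBFUSCATION_SIGNALS = [
    (r"\\x[0-9a-fA-F]{2}", "hex-escaped string literals", 8),
    (r"\bString\.fromCharCode\b", "String.fromCharCode", 2),
    (r"\batob\s*\(", "atob() decoding", 2),
    (r"\beval\s*\(|\bnew\s+Function\s*\(", "eval / new Function", 1),
]
SUSPICION_THRESHOLD = 5  # assumed


@dataclass
class Triage:
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)


def host_pattern_covers_search(pattern: str) -> bool:
    p = pattern.lower()
    return p == "<all_urls>" or p.startswith("*://*/") or any(h in p for h in SEARCH_ENGINE_HOSTS)


def triage_manifest(manifest_json: str, t: Triage) -> None:
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    # MV3 keeps host patterns in host_permissions; MV2 mixes them into permissions
    hosts = list(m.get("host_permissions", [])) + [p for p in perms if "://" in p or p == "<all_urls>"]
    nav = sorted(perms & NAV_PERMISSIONS)
    if nav:
        t.add(2, f"navigation-control permissions: {nav}")
    if "storage" in perms:
        t.add(1, "storage permission (can keep state such as the last search query)")
    if any(host_pattern_covers_search(h) for h in hosts):
        t.add(2, "host access covers search engines")
    if "update_url" not in m:
        t.add(1, "no update_url: sideloaded rather than Web Store managed")


def triage_script(js: str, t: Triage) -> None:
    if "chrome://extensions" in js:
        t.add(3, "references the chrome://extensions page")
    if re.search(r"\btabs\.(update|remove)\s*\(", js):
        t.add(1, "calls tabs.update/tabs.remove (can redirect or close tabs)")
    for pattern, label, needed in OBFUSCATION_SIGNALS:
        hits = len(re.findall(pattern, js))
        if hits >= needed:
            t.add(1, f"obfuscation signal: {label} ({hits} hits)")


def triage_extension(manifest_json: str, scripts: Iterable[str]) -> Triage:
    t = Triage()
    triage_manifest(manifest_json, t)
    for js in scripts:
        triage_script(js, t)
    return t


def is_suspicious(t: Triage) -> bool:
    return t.score >= SUSPICION_THRESHOLD


# Constructed sample resembling a sideloaded search-hijacking extension
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Shampoo-like sample", "version": "1.0",
    "permissions": ["tabs", "storage", "webNavigation"],
    "host_permissions": ["*://*.google.com/*", "*://*.bing.com/*", "*://*.yahoo.com/*"],
    "background": {"service_worker": "bg.js"},
})
# Constructed script: hex-escaped "chrome://extensions" plus a tab-blocking listener
SAMPLE_SCRIPT = r"""
var _0x1 = "\x63\x68\x72\x6f\x6d\x65\x3a\x2f\x2f\x65\x78\x74\x65\x6e\x73\x69\x6f\x6e\x73";
chrome.tabs.onUpdated.addListener(function (id, info, tab) {
  if (tab.url && tab.url.indexOf("chrome://extensions") === 0) { chrome.tabs.update(id, { url: "about:blank" }); }
});
"""
# Constructed benign comparison: one permission, Web Store managed
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Notes", "version": "1.0",
    "permissions": ["storage"],
    "update_url": "https://clients2.google.com/service/update2/crx",
})

if __name__ == "__main__":
    for label, manifest, script in [("sample", SAMPLE_MANIFEST, SAMPLE_SCRIPT),
                                    ("benign", BENIGN_MANIFEST, "chrome.storage.local.set({a: 1});")]:
        t = triage_extension(manifest, [script])
        print(label, t.score, "SUSPICIOUS" if is_suspicious(t) else "ok", t.reasons)
```

Point it at a real unpacked extension by reading manifest.json and every .js file it references; the score is a triage aid for deciding what to reverse, not a verdict on its own, since legitimate search or ad-blocking extensions also hold broad host access.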

Additionally, the persistence script first unregisters any existing scheduled tasks whose names begin with “chrome_”, which removes earlier versions of itself and potentially competing malware.
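The two persistence traits described above (a scheduled task that re-launches a script every 50 minutes, and task names carrying the “chrome_” prefix) are easy to hunt for in Task Scheduler exports. The script below is an added example, not HP Wolf Security's tooling or anything from the malware; it parses the XML that `schtasks /query /tn <name> /xml` produces and flags tasks that combine a short repetition interval, the prefix, and a script-host action. The interval threshold, the two-signal rule and the sample task XML are assumptions made for the example.

```python
"""Triage exported Windows Task Scheduler XML for Shampoo-style persistence.

This is an added example, not HP Wolf Security's tooling or the malware's own
script. It flags the traits the write-up describes: a task name with the
"chrome_" prefix, a repetition interval of about 50 minutes, and an action
that launches a script host. Thresholds and the sample XML are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Interpreters a VBScript-based loader would typically be relaunched through
SCRIPT_HOSTS = {"wscript", "cscript", "powershell", "pwsh", "mshta", "cmd"}
SHORT_INTERVAL_MIN = 60  # assumption: repeating at or under an hour is unusual for benign tasks


def iso_duration_minutes(value: Optional[str]) -> Optional[float]:
    """Convert a Task Scheduler ISO 8601 duration (PT50M, PT1H30M, P1D) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m or not any(m.groups()):
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task(xml_text: str) -> Dict[str, object]:
    """Return the task name, repetition intervals, actions, reasons and a verdict."""
    # schtasks exports carry a UTF-16 declaration; drop it so a str parses cleanly
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    name = uri.rsplit("\\", 1)[-1]

    intervals: List[float] = []
    for elem in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        minutes = iso_duration_minutes(elem.text)
        if minutes is not None:
            intervals.append(minutes)

    actions: List[str] = []
    for exec_elem in root.iterfind("t:Actions/t:Exec", TASK_NS):
        command = (exec_elem.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (exec_elem.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        actions.append(f"{command} {args}".strip())

    reasons: List[str] = []
    if name.lower().startswith("chrome_"):
        reasons.append("task name carries the chrome_ prefix")
    if any(i <= SHORT_INTERVAL_MIN for i in intervals):
        reasons.append(f"repeats every {min(intervals):g} minutes")
    for action in actions:
        exe = action.split()[0].rsplit("\\", 1)[-1].lower() if action else ""
        if exe.split(".")[0] in SCRIPT_HOSTS:
            reasons.append(f"action launches a script host: {action}")

    return {
        "name": name,
        "intervals_min": intervals,
        "actions": actions,
        "reasons": reasons,
        # assumption: two independent signals are required to limit false positives
        "suspicious": len(reasons) >= 2,
    }


# Constructed sample in the shape of `schtasks /query /tn <name> /xml` output;
# the task name, script path and start date are invented for the example
SAMPLE_SHAMPOO_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\chrome_update</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT50M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2023-03-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B "C:\Users\victim\AppData\Local\Temp\loader.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: daily, runs a signed-looking updater binary
SAMPLE_BENIGN_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Vendor\UpdateCheck</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>P1D</Interval></Repetition></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\updater.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for sample in (SAMPLE_SHAMPOO_TASK, SAMPLE_BENIGN_TASK):
        result = triage_task(sample)
        print(result["name"], "SUSPICIOUS" if result["suspicious"] else "ok", result["reasons"])
```

To run it across a host, export every task (for example with `schtasks /query /xml ONE` or by walking C:\Windows\System32\Tasks, where each task is stored as XML) and feed each file to `triage_task`; removing a flagged task only helps if the loader script it points at is removed as well, otherwise the next run re-registers it.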

Evolution of ChromeLoader and potential threats

The first version of ChromeLoader primarily aimed to hijack browser sessions and steal victim data. However, it has evolved into a more dangerous threat that is now used to drop ransomware, steal data, and crash systems at enterprises. It remains unclear if the Shampoo variant will follow a similar trajectory.

Advice for prevention and protection

Avoid illegal downloads and untrusted websites

The most straightforward way to avoid compromise by the Shampoo variant is not to download pirated material, and to treat downloads from untrusted websites with caution in general. This matters most for employees using Chrome in a corporate environment: a loader fetched over the corporate network or run on a shared device gives the malware a foothold from which it can spread through the organization.

Configure email gateways and security tools

Organizations should configure their email gateway and security tool policies to block files from unknown external sources, in particular the script files (such as VBScript) and disk images (such as ISO) that this family has used as lures. This additional layer of protection can stop the loader before a user ever runs it.
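As an illustration of what such a gateway policy does, the following is an added example rather than any vendor's configuration: it blocks the formats the Shampoo chain relies on (ISO images, VBScript and similar script and container types) when the sender's domain is not on an allowlist, recognises ISO content by its signature rather than trusting the file name, and looks one level into ZIP archives, since droppers are commonly nested (an assumption of good practice, not something the article states). The extension list, trusted-domain list and sample attachments are constructed for the example.

```python
"""Attachment policy check of the kind an email gateway rule implements.

Added example, not any vendor's gateway configuration. It blocks the formats
the Shampoo chain relies on (ISO images and VBScript, plus other script and
container types) when the sender's domain is not on an allowlist, and looks
one level into ZIP archives. The extension list, the trusted-domain list and
the sample attachments are constructed for the example.
"""
import io
import zipfile
from typing import List, Set, Tuple

# Assumed policy list: script hosts, disk images and other executable content
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".iso", ".img",
                      ".lnk", ".exe", ".scr", ".bat", ".cmd", ".ps1"}
MAX_NESTED_BYTES = 10 * 1024 * 1024  # assumed cap on archive members we read


def _ext(name: str) -> str:
    name = name.lower().strip()
    return name[name.rfind("."):] if "." in name else ""


def looks_like_iso(data: bytes) -> bool:
    """ISO 9660 images carry the 'CD001' identifier at byte 0x8001 (after the 32 KiB system area)."""
    return len(data) >= 0x8006 and data[0x8001:0x8006] == b"CD001"


def looks_like_zip(data: bytes) -> bool:
    return data[:4] in (b"PK\x03\x04", b"PK\x05\x06")


def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> List[str]:
    """Return reasons to block this attachment; an empty list means no objection."""
    reasons: List[str] = []
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"{filename}: blocked type {ext}")
    if looks_like_iso(data):
        note = "" if ext == ".iso" else " under a misleading extension"
        reasons.append(f"{filename}: ISO 9660 image content{note}")
    if looks_like_zip(data) and depth < 1:  # recurse one level into archives
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.flag_bits & 0x1:  # encrypted member: cannot be inspected
                        reasons.append(f"{filename}: encrypted archive member {info.filename}")
                        continue
                    member = zf.read(info) if info.file_size <= MAX_NESTED_BYTES else b""
                    reasons += inspect_attachment(info.filename, member, depth + 1)
        except zipfile.BadZipFile:
            reasons.append(f"{filename}: corrupt or truncated ZIP")
    return reasons


def gateway_decision(sender: str, filename: str, data: bytes,
                     trusted_domains: Set[str]) -> Tuple[bool, List[str]]:
    """Block when the attachment is objectionable and the sender domain is not trusted."""
    domain = sender.rsplit("@", 1)[-1].lower()
    reasons = inspect_attachment(filename, data)
    blocked = bool(reasons) and domain not in trusted_domains
    return blocked, reasons


def build_sample_zip() -> bytes:
    """Constructed lure: a ZIP carrying a VBScript posing as a game crack."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("GameCrack/README.txt", "run the installer")
        zf.writestr("GameCrack/setup.vbs", 'MsgBox "constructed sample"')
    return buf.getvalue()


def build_sample_iso() -> bytes:
    """Constructed minimal blob carrying an ISO 9660 primary volume descriptor marker."""
    return b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041


TRUSTED = {"corp.example"}  # assumed allowlist

if __name__ == "__main__":
    for sender, name, data in [
        ("promo@unknown.example", "Movie_HD.zip", build_sample_zip()),
        ("promo@unknown.example", "Movie_HD.pdf", build_sample_iso()),
        ("it@corp.example", "tools.iso", build_sample_iso()),
    ]:
        blocked, why = gateway_decision(sender, name, data, TRUSTED)
        print(name, "BLOCK" if blocked else "allow", why)
```

The trusted-domain exemption mirrors the article's “unknown external sources” wording; in practice it should be paired with sender authentication, since a display-name or domain lookalike would otherwise pass.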

Indicators of compromise and ongoing vigilance

Researchers have published a list of indicators of compromise in their report. Individuals and organizations should check their environments against these indicators to identify potential infections, and respond promptly to any suspicious activity.

Conclusion: Addressing the challenges of resilient malware

The Shampoo variant of the ChromeLoader malware presents challenges for cybersecurity efforts. Its persistence mechanisms and ability to evade detection make it increasingly difficult to eradicate. The rise of malware campaigns like Shampoo highlights the ongoing importance of robust internet security measures, user education, and a proactive approach to identifying and mitigating cyber threats. By following best practices, maintaining up-to-date security tools, and engaging in responsible online behavior, individuals and organizations can minimize the risk of falling victim to such resilient malware.

<< photo by cottonbro studio >>
The image is for illustrative purposes only and does not depict the actual situation.