Be on the lookout for this malware that hijacks your browser and generates fake search results
RedCanary researchers (thanks, beeping computer (opens in a new tab)) noticed an increase of ChromeLoader (opens in a new tab)activity since the beginning of the year. This malware can completely take over your browser, manipulating search results in an effort to trick you into clicking through a network of shady malicious sites and potentially stealing your user data.
This nasty malware is called a browser hijacker. It modifies a user’s browser settings to show search results and advertisements for fake sites, surveys and even adult games on Windows PCs and macOS systems. Although called ChromeLoader, it affects Apple Safari in addition to Google Chrome.
According to research by RedCanary, ChromeLoader infiltrates most systems by means of malicious ISO archive file disguised as cracked executable for computer game or commercial software and distributed via torrent sites. Additionally, QR codes inside Twitter posts promoting pirated Android games also contain links to ChromeLoader distribution sites.
In most cases, after getting infected with a browser hijacker, the user gets redirected to a series of bad sites which are usually part of an affiliate network. Each visit to these sites passes revenue to the creator of the malware. ChromeLoader does that and more.
RedCanary says that “ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and often go undetected by other security tools).”
RedCanary goes on to describe the worst-case scenario for this type of malware: “If applied to a higher-impact threat, such as a credential harvester or spyware, this PowerShell behavior could help malware to gain a foothold and go unnoticed before acting on more overt malicious activity, such as exfiltrating data from a user’s browser sessions.”
On Mac, ChromeLoader has a similar MO where once you double-click on the DMG file, its installer script takes over and the bad browser extension starts doing its job.
The best advice we can give you is that if you frequent torrent sites, exercise extra caution when clicking on links and don’t open any executable files you don’t recognize. And if you see an ad for a cracked version of Cyberpunk 2070, don’t click on it.