This Windows malware uses PowerShell to inject malicious extension into Chrome

And that's a bit odd, says Red Canary


A strain of Windows uses PowerShell to add a malicious extension to a victim's Chrome browser for nefarious purposes. A macOS variant exists that uses Bash to achieve the same and also targets Safari.

The makers of the ChromeLoader software nasty ensure their malware is persistent once on a system and is difficult to find and remove, according to threat hunters at cybersecurity shop Red Canary, who have been tracking the strain since early February and have seen a flurry of recent activity.

"We first encountered this threat after detecting encoded PowerShell commands referencing a scheduled task called 'ChromeLoader' – and only later learned that we were catching ChromeLoader in the middle stage of its deployment," Aedan Russell, detection engineer at Red Canary, wrote in a blog post this week.

The malicious extension injected by ChromeLoader is designed, once added to a victim's browser, to redirect the user through online adverts, triggering revenue for miscreants. The Windows ChromeLoader's use of PowerShell to drop in more malicious Chrome extensions is uncommon, Russell told The Register.

"ChromeLoader's developer has found an efficient means of collecting ad revenue by using a legitimate developer command line argument for Chrome," he said.

"Loading a web browser extension via PowerShell (and doing so silently) shows a level of stealthiness above the norm as other malicious browser extensions are usually introduced by tricking the user into overtly installing them, often posing as legitimate browser extensions."

Red Canary isn't the only threat intelligence group to get onto ChromeLoader. Researchers at G-Data CyberDefense in February wrote a blog post about the malware, dubbing it Choziosi loader, that also talked about using the PowerShell script.

In addition, threat researcher Colin Cowie wrote about the aforementioned variant of ChromeLoader targeting Macs in April.

ChromeLoader gets initial access into a system by being distributed as an ISO file that looks like a torrent or a cracked video game. It is spread via pay-per-install sites and social media networks like Twitter, according to Red Canary.

"Once downloaded and executed, the .ISO file is extracted and mounted as a drive on the victim's machine," Russell wrote of the Windows version. "Within this ISO is an executable used to install ChromeLoader, along with what appears to be a .NET wrapper for the Windows Task Scheduler. This is how ChromeLoader maintains its persistence on the victim's machine later in the intrusion chain."

The persistence is gained through a scheduled task using the Service Host Process, though the malware does not use the Windows Task Scheduler to add the task.

"While not using groundbreaking techniques, ChromeLoader has found success in its stealthier persistence mechanisms," Russell told The Register.

"It uses a scheduled task, but not by using the Windows native Task Scheduler (schtasks.exe) to do so. Instead, ChromeLoader creates its scheduled task via injection into the Service Host (svchost.exe), using functionality from an imported Task Scheduler COM API."

Once the scheduled task executes PowerShell and loads the extension, it is silently removed with the PowerShell module invoke schtasks.exe and is often less frequently monitored as an anti-forensic technique, according to Russell.

"This is a novel method for loading a malicious extension into Chrome that I have not seen before, nor has it been observed by Red Canary's intelligence team in other malware," he said.

"While other bad actors could capitalize on this method, they still need to place a portable executable on the victim machine to ultimately use the load-extension PowerShell technique."

While ChromeLoader used disguised ISO files to deliver it, many enterprises are now monitoring or blocking ISOs from the internet because they are popular ways to deliver other malware. If a bad actor determines that ChromeLoader's method is effective for loading a malicious extension, they will likely use it, he said.

In addition, because of its capabilities as a command and scripting interpreter, PowerShell will always be a top command-execution method for threat actors.

"In the particular case of ChromeLoader, the overall impact appears to be relatively low since the malware has only been observed redirecting user traffic to spam sites," Russell said. "There are no known attempts by threat actors to load malicious browser extensions using this PowerShell technique, outside of ChromeLoader.

"However, this technique is well documented and used by developers quite often." ®


Other stories you might like

  • Cyberattack shuts down unemployment, labor websites across the US
    Software maker GSI took systems offline, affecting thousands of people in as many as 40 states

    A cyberattack on a software company almost a week ago continues to ripple through labor and workforce agencies in a number of US states, cutting off people from such services as unemployment benefits and job-seeking programs.

    Labor departments and related agencies in at least nine states have been impacted. According to the Louisiana Workforce Commission in a statement this week, Geographic Solutions (GSI) was forced to shut down state labor exchanges and unemployment claims systems, and as many as 40 states and Washington DC, all of which rely on GSI's services, could be affected.

    In a statement to media organizations, GSI President Paul Toomey said the Palm Harbor, Florida-based company "identified anomalous activity on our network," and took its services offline. Toomey didn't elaborate whether GSI was hit with ransomware or some other type of malware.

    Continue reading
  • Carnival Cruises torpedoed by US states, agrees to pay $6m after wave of cyberattacks
    Now those are some phishing boats

    Carnival Cruise Lines will cough up more than $6 million to end two separate lawsuits filed by 46 states in the US after sensitive, personal information on customers and employees was accessed in a string of cyberattacks.

    A couple of years ago, as the coronavirus pandemic was taking hold, the Miami-based biz revealed intruders had not only encrypted some of its data but also downloaded a collection of names and addresses; Social Security info, driver's license, and passport numbers; and health and payment information of thousands of people in almost every American state.

    It all started to go wrong more than a year prior, as the cruise line became aware of suspicious activity in May 2019. This apparently wasn't disclosed until 10 months later, in March 2020.

    Continue reading
  • Start using Modern Auth now for Exchange Online
    Before Microsoft shutters basic logins in a few months

    The US government is pushing federal agencies and private corporations to adopt the Modern Authentication method in Exchange Online before Microsoft starts shutting down Basic Authentication from the first day of October.

    In an advisory [PDF] this week, Uncle Sam's Cybersecurity and Infrastructure Security Agency (CISA) noted that while federal executive civilian branch (FCEB) agencies – which includes such organizations as the Federal Communications Commission, Federal Trade Commission, and such departments as Homeland Security, Justice, Treasury, and State – are required to make the change, all organizations should make the switch from Basic Authentication.

    "Federal agencies should determine their use of Basic Auth and migrate users and applications to Modern Auth," CISA wrote. "After completing the migration to Modern Auth, agencies should block Basic Auth."

    Continue reading

Biting the hand that feeds IT © 1998–2022