ChromeLoader is a family of malware that is extremely prevalent and persistent. The malware installs malicious browser extensions and removing them can be problematic as users are denied access to the Google Chrome extension list to prevent the removal of the malicious extensions if they are discovered. These malicious extensions are used to deliver unwanted ads, and redirect users to websites that they would otherwise not visit. At best, infection is a nuisance; however, the malware can increase the attack surface of a system and can easily lead to other malware being delivered.

ChromeLoader was first observed in January 2022 and infections are now extremely widespread. The malware is most commonly spread via sites that offer pirated software – torrents and warez sites – with the malware usually delivered through infected ISO image files. Several campaigns have been detected that advertise pirated software, games, and movies on social media networks, especially Twitter, with the posts/tweets including links to download sites. When the installation file is downloaded and installed, the user will likely get the software, operating system, or game they are expecting, but ChromeLoader and/or other malware will also be installed.

A new ChromeLoader distribution campaign has recently been detected by HP’s Wolf Security team. They report that the campaign has been active since at least March 2023 and delivers ChromeLoader, which installs a malicious adware browser extension called Shampoo. Shampoo will perform unwanted redirects to a variety of websites, including fake giveaways, games, and dating sites. These redirects can simply be annoying but can risk other malware infections. The malicious browser extension is also difficult to uninstall as the user will be prevented from accessing Chrome Extensions.  If the user does manage to uninstall the adware, it will simply be reloaded when the device is rebooted via a Windows scheduled task. According to HP, this campaign uses a network of malicious websites that offer pirated material. The download sites deliver VBScripts that execute PowerShell scripts that fetch Shampoo and install the malicious Chrome extension. While this campaign only installs adware at present, tactics could change, and more damaging malware could be delivered.

While ChromeLoader could be distributed in multiple ways, the primary method of delivery is via pirated software, so the easiest step to take to prevent infection is never to download pirated material and to only install software/operating systems from official sources. Businesses should implement controls to prevent illegal software downloads. These downloads carry a high risk of installing malware and pirated software is also a legal risk. Businesses should also implement controls to prevent the use of shadow IT – IT solutions that are installed without the knowledge of the IT department, as they can introduce vulnerabilities that can be exploited by malicious actors.

The IT department should have a list of all versions of software and operating systems used by the company. When patches or updates are released, the IT department will need to ensure that the company is running the latest versions. If the IT department is unaware that employees have downloaded programs, vulnerabilities could easily go unaddressed. Employees may install additional software to make their jobs easier and improve productivity, but it introduces considerable security and legal risks.

How to Prevent ChromeLoader Infections

One way that businesses can control shadow IT and prevent ChromeLoader infections is to implement controls to use a web filter such as WebTitan Cloud. WebTitan Cloud is used to control access to the Internet. Categories of websites can be blocked such as torrents/warez sites, along with other risky websites that serve no work purposes. URLs and domains that are known to be malicious are blocked automatically. WebTitan is constantly updated with new malicious websites as soon as they are discovered. WebTitan Cloud can also be configured to block certain file downloads from the Internet, such as executable files that are used to install software (.msi, .iso etc) to control shadow IT along with other executable files that are often used for malware installation (.js, .exe, etc).

WebTitan Cloud is easy to implement and requires no additional hardware, configuration is very straightforward, and this is a low-cost solution that will provide excellent protection against web-based threats. For more information on WebTitan Cloud or to arrange a product demonstration, give the TitanHQ team a call. WebTitan Cloud is also available on a free trial to let you put the solution to the test before deciding on a purchase.