ChromeLoader Malware Hijacks Browsers With ISO Files

The malware's abuse of PowerShell makes it more dangerous, allowing for more advanced attacks such as ransomware, fileless malware, and malicious code memory injections.

4 Min Read
Image of various browser icons, with Chrome in the center
Source: ImageBROKER via Alamy

The browser-hijacking malware known as ChromeLoader is becoming increasingly widespread and growing in sophistication, according to two advisories released this week. It poses a big threat to business users.

ChromeLoader is a sophisticated malware that uses PowerShell, an automation and configuration management framework, to inject itself into the browser and add a malicious extension. This kind of threat drastically increases the attack surface, as today's enterprises rely more on software-as-a-service (SaaS) apps amid flexible working environments and diverse endpoints.

"The browser is the front door to the Internet, and therefore the user’s first line of defense when they access SaaS applications," Ohad Bobrov, Talon Cyber Security's CTO and co-founder, tells Dark Reading. "Attackers have identified the browser as an opportunity to steal remote information from SaaS applications, as well as create malicious extensions they can easily manipulate."

In this case, the malware is using malicious optimal disc image (ISO) files — often hidden in cracked or pirated versions of software or games — to take over the browser and redirect it to display bogus search results in a malvertising scheme.

Both a MalwarebytesLabs advisory and a Red Canary warning point out that ChromeLoader's abuse of PowerShell, combined with the use of ISO files, make ChromeLoader particularly aggressive.

"PowerShell, like any other advanced shell, can be used as an administration tool to automate tasks," explains Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation. "Admins use benign shell scripts for myriad tasks because they can be versatile and easily accessible on almost every platform."

He points out that the use of an ISO file to carry the script, which then drops a malicious extension, is not a new technique, but it remains effective because ISOs are still commonly used in business settings. While this campaign is relying on a ruse of pirated software, ISOs are also important in network and system management and are used for installing packages on servers and containers. Linux is installed via ISO, as are some Windows upgrades.

Infecting the Browser Helps Bypass Security Measures

Parkin adds that with so many applications being now browser-based, it's a logical place for cybercriminal to put their malicious code.

In addition, the browser is an application that is not monitored by most security programs, and extensions are usually not scanned by most endpoint protection solutions to determine whether they are malicious.

"By infecting the browser, the attacker gets around a number of security measures, such as traffic encryption, that would otherwise impede their attack," Parkin says. "It's like adding a malicious hard drive to your system."

Having access to a browser provides attackers access to victim data and could, in some cases, provide the opportunity to perform actions on the compromised person's behalf. With such easy access and high-value information inside browsers, malware operators can achieve big results for minimal effort.

To boot, ChromeLoader's capabilities do not end with installing malicious extensions — it could carry out more advanced attacks as well.

"Most security tools don't detect it," says Talon's Bobrov. "The fact that ChromeLoader abuses PowerShell makes it incredibly dangerous, since this can allow for more advanced attacks, such as ransomware, fileless malware, and malicious code memory injections."

He adds that ISO files can hold a lot of data, so there's plenty of room for malware to hide. In addition, these files are confusing for end users and have some automatic actions that the operating system might perform.

Cyber Hygiene, User Education Needed to Stop Malicious ISO Files

Bobrov says that to prevent exposure to malicious ISO files, the first step is related to basic cyber hygiene: You need to understand and trust the data you download and where you download it from.

"Do not launch ISO files that are not from trusted sources, and never run files inside ISO without verifying their safety," he advises. "When browsing the Internet, make sure you have security controls in place to help monitor the websites you browse and help protect you from malicious content."

From Parkin’s perspective, user education is a good first step to prevent exposure to malicious ISO files, which includes teaching users to be wary of downloading suspect files. (Any cracked software falls into this bucket.)

"Beyond user education, admins can deploy tools and enforce policies that restrict mounting ISO files, though that may be a challenge in [bring-your-own-device] BYOD environments," he says.

A step beyond that is using remote desktop environments such as VNC, Citrix, or Windows Remote Desktop, which can shift policy enforcement back into the IT admin’s hands.

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights