Security researchers are sounding the alarm on the malware tool dubbed ChromeLoader. It first surfaced in January as a consumer-focused, browser-hijacking credential stealer but has now evolved into a widely prevalent and multifaceted threat to organizations across multiple industries.

In an advisory released Sept. 19, researchers from VMware's Carbon Black managed detection and response team said they have recently observed the malware being used to also drop ransomware, steal sensitive data, and deploy so-called decompression (or zip) bombs to crash systems.

The researchers said they have observed hundreds of attacks involving newer versions of the malware targeting enterprises in business services, education, government, healthcare, and multiple other sectors. 

"This campaign has gone through many changes over the past few months, and we don’t expect it to stop," the researchers warned. "It is imperative that these industries take note of the prevalence of this [threat] and prepare to respond to it."

Ongoing & Prevalent Campaign

VMware's warning echoed one from Microsoft's Security Intelligence team Friday about a threat actor they are tracking as DEV-0796, which is using ChromeLoader in an extensive and ongoing click-fraud campaign. In a series of tweets, the researchers said the cyberattackers were attempting to monetize clicks generated by a browser extension or browser node-webkit that ChromeLoader had secretly downloaded on numerous user devices.

"This campaign begins with an .ISO file that's downloaded when a user clicks malicious ads or YouTube comments," according to Microsoft's analysis. When opened, the .ISO file installs the aforementioned browser node-webkit (NW.js) or a browser extension. 

"We’ve also seen the use of DMG files, indicating multi-platform activity," Microsoft researchers added.

ChromeLoader (aka ChromeBack or Choziosi Loader) grabbed attention in January when researchers observed malware operators using it to drop a malicious browser extension as a payload on user systems. The malware targeted users who visited sites touting cracked video games and pirated torrents. 

Researchers from Palo Alto Networks' Unit 42 threat hunting team described the infection vector as starting with a user scanning a QR code on those sites with the intention of downloading pirated content. The QR code redirected the user to a compromised website, where they were persuaded to download an .ISO image purporting to be the pirated file, which contained an installer file and several other hidden ones.

When users launched the installer file, they received a message indicating that the download had failed — while in the background a PowerShell script in the malware downloaded a malicious Chrome extension on the user's browser, Unit 42 researchers found.

Rapid Evolution

Since arriving on the scene earlier this year, the malware's authors have released multiple versions, many of them equipped with different malicious capabilities. One of them is a variant called Bloom.exe that made its initial appearance in March and has since infected at least 50 VMware Carbon Black customers. VMware's researchers said they observed the malware being used to exfiltrate sensitive data from infected systems. 

Another ChromeLoader variant is being used to drop zip bombs on user systems, i.e. malicious archive files. Users who click on the weaponized compression files end up launching malware that overloads their systems with data and crashes them. And since August, the operators of the appropriately named CrashLoader variant have been using the malware to distribute a ransomware family called Enigma.

ChromeLoader's Updated Malicious Tactics

Along with the payloads, the tactics for getting users to download ChromeLoader have also evolved. For instance, VMware Carbon Black researchers said they have seen the malware's author's impersonating various legitimate services to lead users to ChromeLoader. 

One service they have impersonated is OpenSubtitles, a site designed to help users to find subtitles for popular TV shows and movies, VMware said in its report. Another is FLB Music Play, a site for playing music. 

"The impersonated software is used in conjunction with an adware program that redirects web traffic, steals credentials, and recommends other malicious downloads posed as legitimate updates," VMware said.

Often, consumers are the primary targets of malware such as ChromeLoader. But with many employees now working from home, and often using their personally owned devices to access enterprise data and applications, enterprises can end up being impacted as well. VMware's Carbon Black team, like Microsoft's security researchers, said they believe the current campaign is only a harbinger of more attacks involving ChromeLoader.

"The Carbon Black MDR team believes this is an emerging threat that needs to be tracked and taken seriously," VMware said in its advisory, "due to its potential for delivering more nefarious malware."