'Shampoo' ChromeLoader Variant Difficult to Wash Out

Fake websites advertising pirated video games, films, and other wares are spreading a new variant of the ChromeLoader malware dubbed "Shampoo," that is anything but clean: It steals sensitive data, redirects searches, and injects ads into a victim's browser session.

Researchers from HP Wolf Security have been tracking the new campaign, which appears to have been active since March and distributes malware similar to the original ChromeLoader — first discovered in May 2022 — but that's noticeably harder to wash out of the proverbial IT hair thanks to multiple persistence mechanisms, they said.

The goal of the first version of ChromeLoader was to install a malicious Chrome extension for advertising, a process that includes "a particularly complex infection chain" that begins with victims downloading malicious ISO files from websites hosting illegal content that hijack browsers, wrote Jack Royer, an HP malware analyst intern, in a post on the HP Threat Research Blog published this week.

"ChromeLoader used in the Shampoo campaign is very similar; it tricks victims into downloading and running malicious VBScript files from websites, eventually leading to the installation of a malicious Chrome browser extension," he explained. "This campaign is very similar to ChromeLoader, in terms of its infection chain, distribution, and objective," with the two sharing code similarities and the ad-monetization feature.

One notable feature of Shampoo that's different than the original ChromeLoader is how it uses the browser's Task Scheduler to achieve persistence, by setting up a scheduled task to re-launch itself every 50 minutes, they said.

The script runs a PowerShell script that sets up the scheduled task, running a looping script every 50 minutes that downloads and runs another PowerShell script, the researchers said. This script downloads and installs the malicious ChromeLoader Shampoo extension that, once attached to a Chrome session, starts sending sensitive information back to a command and control (C2) server.

"This persistence mechanism allows the malware to remain active despite reboots or the script being killed by a security tool or user," Royer wrote.

Inside the Shampoo ChromeLoader Infection Chain

Users who encountered Shampoo did so by downloading illegal content from the Internet, such as movies, video games, or other files, from websites that offer pirated files, the researchers said. Victims are tricked into running malicious VBScripts that they think are pirated wares — for example, Cocaine Bear.vbs or Your download is ready.vbs — which triggers the infection chain, the researchers noted.

"The extension is heavily obfuscated and contains many anti-debugging and anti-analysis traps," with its author appearing to have used a free online JavaScript obfuscator to make the malware harder to detect, Royer wrote.

Other malicious activities that ChromeLoader Shampoo carries out on a victim's machine include disabling search suggestions in the address bar; redirecting Google, Yahoo, and Bing searches to the C2; logging the victim's last search query in Chrome's local storage; and logging the last search query in Chrome's local storage and preventing victims from accessing chrome://extensions by redirecting them to chrome://settings, likely to stop them from removing the extension, the researchers said.

The persistence mechanism that sets up the scheduled looping task also unregisters a list of tasks prefixed with "chrome_" — such as "chrome engine," "chrome policy," and "chrome about," the researchers noted. "This is likely done to remove any previous or competing version of the same malware," Royer wrote.

Be Wary of Illegal Downloads

Though the first version of ChromeLoader was similar to Shampoo in that it was mainly aimed at hijacking browser sessions and stealing victim data, it has since evolved into a more dangerous threat, with attackers now using it to drop ransomware, steal data, and crash systems at enterprises.

It's unclear if the Shampoo variant also will be leveraged in this way in the future. However, the researchers advised that people shouldn't take chances, and provided tips for how to avoid infection as well as a list of indicators of compromise in the post.

One obvious way to avoid compromise by the Shampoo variant is not to download pirated material from the Internet, and to avoid downloading any files from untrusted websites in general, they said. This is particularly true for employees using Chrome in a corporate environment, who should be particularly wary of downloading anything from the Internet via a corporate network (or onto a shared work/personal device), lest it spread throughout an organization.

Organizations should also configure email gateway and security tool policies to block files from unknown external sources as added protection, advised Patrick Schläpfer, malware analyst at the HP Wolf Security threat research team, in a press statement.