A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a deviation from the ISO optical disc image format. "These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games," AhnLab Security Emergency response Center (ASEC) said in a report last week.
ChromeLoader (aka Choziosi Loader or ChromeBack) originally surfaced in January 2022 as a browser-hijacking credential stealer but has since evolved into a more potent, multifaceted threat capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs. The primary goal of the malware is to compromise web browsers like Google Chrome, and modify the browser settings to intercept and direct traffic to dubious advertising websites. What's more, ChromeLoader has emerged as a conduit to carry out click fraud by leveraging a browser extension to monetize clicks.
Since arriving on the scene, the malware has gone through multiple versions, many of them equipped with capabilities to break into both Windows and macOS systems. The shift to VHD files is yet another sign that the campaign has gone through many changes over the past few months. The infection chain indicates that users looking for pirated software and video game cheats are the main targets, leading to the download of VHD files from fraudulent websites appearing on search results pages. Once the file has been downloaded, the user is then required to open and run the file to start the infection process. ChromeLoader will then start to modify the browser settings on the infected machine to redirect traffic to malicious websites.
The malware is also capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs. Users should be vigilant when downloading files from the internet, and only download files from trusted sources.