Beware of this malware that hijacks your browser and generates fake search results

RedCanary researchers (thanks, beep computer (opens in new tab)) noticed an increase ChromeLoader (opens in new tab)activity since the beginning of the year. This malware can completely take over your browser, manipulating search results in an effort to get you to click through to a network of shady malicious websites and potentially steal your user data.

This nasty malware is what is called a browser hijacker. It alters a user’s browser settings to display search results and ads from fake websites, surveys and even adult games on Windows PCs and macOS systems. Despite being called ChromeLoader, it affects Apple Safari as well as Google Chrome.

According to research by RedCanary, the way ChromeLoader infiltrates most systems is through a malicious ISO file disguised as an executable cracked for a computer game or commercial software and distributed via torrent sites. Additionally, QR codes within Twitter posts promoting cracked Android games also contain links to ChromeLoader distribution sites.

In most cases, after being infected by a browser hijacker, the user is redirected to a series of bad websites that are usually part of an affiliate network. Each visit to these sites funnels revenue to the malware creator. ChromeLoader does that and more.

RedCanary says that “ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique that we don’t see very often (and that often goes undetected by other security tools)”.

RedCanary goes on to describe a worst-case scenario for this type of malware: “If applied to a high-impact threat – such as a credential collector or spyware – this PowerShell behavior can help malware gain a foothold and go unnoticed before perform more overtly malicious activity, such as exfiltrating data from a user’s browser sessions.”

On Macs, ChromeLoader has a similar MO where once you double-click the DMG file, its install script takes over and the bad browser extension starts working.

The best advice we can give is that if you frequent torrent sites, take an extra layer of care when clicking on any links and don’t open any executable files you don’t recognize. And if you see an ad for a cracked version of Cyberpunk 2070, don’t click on it.

Leave a Comment