According to two advisories issued this week, the browser-hijacking malware known as ChromeLoader is becoming increasingly widespread and sophisticated. It is extremely dangerous for enterprise customers.
"The browser is the person's first line of defense when they enter SaaS purposes because it is the entrance door to the Web," Ohad Bobrov, Talon Cyber Safety's CTO and co-founder, tells Darkish Studying. "Attackers have identified the browser as a potential means to steal remote data from SaaS applications, as well as create malicious extensions that they can simply manipulate."
ChromeLoader is a sophisticated piece of malware that injects itself into the browser and adds a malicious extension using PowerShell, an automation and configuration administration framework. As enterprises increasingly rely on software-as-a-service (SaaS) apps across diverse working environments and endpoints, this type of risk significantly expands the attack surface.
In this case, the malware is taking over the browser and redirecting it to show bogus search results to a malvertising scheme by using malicious optimal disc picture (ISO) data, which is typically hidden in cracked or pirated variations of software or video games.
Each is a MalwarebytesLabs warning and a Pink Canary warning highlight ChromeLoader's use of PowerShell, combined with the use of ISO data, makes ChromeLoader significantly aggressive.
According to the Senior, Technical Engineer of Vulcan Cyber, Mike Parkin, that utilizing an ISO file to hold the script, which then drops a malicious extension, isn't a novel technique, but it's still effective because ISOs are still widely used in enterprise settings.
While this marketing campaign relies on a ruse of pirated software, ISOs are also important in community and system administration and are used for installing applications on servers and containers.