Security researchers have observed that the operators of the ChromeLoader campaign are using VHD (Virtual Hard Disk) files named after well-known video games to lure victims.
The game titles confirmed so far as lures for the adware are ROBLOX, Red Dead Redemption, Need for Speed, Dark Souls, Elden Ring, Pokemon, Animal Crossing, Call of Duty, Minecraft, Portal 2, Legends of Zelda, and Mario Kart.
A network of malvertising websites distributes the malicious VHD images, which pose as legitimate game-related downloads but actually install the ChromeLoader browser extension.
Once installed, ChromeLoader hijacks the browser's searches to redirect the user to advertisements. It can also alter browser settings and collect saved credentials and other browser data.
According to investigations, ChromeLoader activity first surged in May 2022, and new variants appeared within four months.
The newer variants carried out additional, more sophisticated activity; in some instances the operators even deployed Enigma ransomware. In most ChromeLoader cases last year, the malware arrived on the targeted system as an ISO file.
More recent operations favour VHD packaging to reach a wider audience, gamers in particular. VHD files also suit the threat actors because Windows mounts them natively (a double-click in Explorer is enough) and numerous virtualisation products support the format.
Each image contains multiple files, but only one, a shortcut, is visible to the user; the rest are hidden. Opening the shortcut runs a batch script that decompresses the contents of a ZIP file.
The batch file then runs a VBScript and a JavaScript file, which retrieve the final payload from a remote server. Once the extension is in place, ChromeLoader starts redirecting the browser to ad sites, generating revenue for the operators.
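The execution chain above (shortcut opened from the mounted image, batch script, then Windows Script Host running a .vbs and a .js file) is visible in ordinary process-creation telemetry such as Sysmon Event ID 1. The following hunting script is an added example written for this article, not code from the researchers or from the malware; the event records, process IDs, drive letter F: and file names are all constructed for illustration.

```python
"""Correlate process-creation events for the VHD -> shortcut -> batch -> script chain.

Added example (not from the original article). Each event mirrors the Sysmon
Event ID 1 fields ProcessId, ParentProcessId, Image and CommandLine; the sample
events below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # Windows Script Host binaries
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse)\b", re.IGNORECASE)
BATCH_EXT = re.compile(r"\.(?:bat|cmd)\b", re.IGNORECASE)
DRIVE = re.compile(r"\b([A-Za-z]):\\")                  # first drive letter in a path


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name only, e.g. "cmd.exe"
    cmdline: str


# Constructed telemetry: the user opens the visible shortcut on the mounted image
# (drive F: is an assumption), which runs a batch file that unpacks a ZIP and
# launches a VBScript and a JScript. A benign batch file is included as noise.
SAMPLE_EVENTS = [
    ProcEvent(1200, 900, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(3400, 1200, "cmd.exe", 'cmd.exe /c "F:\\Installer.bat"'),
    ProcEvent(3410, 3400, "tar.exe", 'tar.exe -xf "F:\\Assets\\data.zip" -C "C:\\Users\\u\\AppData\\Local\\Temp\\gm"'),
    ProcEvent(3420, 3400, "wscript.exe", 'wscript.exe "C:\\Users\\u\\AppData\\Local\\Temp\\gm\\loader.vbs"'),
    ProcEvent(3430, 3400, "wscript.exe", 'wscript.exe //E:jscript "C:\\Users\\u\\AppData\\Local\\Temp\\gm\\fetch.js"'),
    ProcEvent(5000, 1200, "cmd.exe", 'cmd.exe /c "C:\\Tools\\netinfo.bat"'),
    ProcEvent(5010, 5000, "ipconfig.exe", "ipconfig /all"),
]


def drive_of(cmdline: str) -> str | None:
    """Return the upper-case drive letter of the first absolute path in cmdline."""
    m = DRIVE.search(cmdline)
    return m.group(1).upper() if m else None


def find_chains(events: Iterable[ProcEvent]) -> list[dict]:
    """Return one finding per cmd.exe that (a) was started by explorer.exe, which is
    what a double-clicked shortcut looks like, (b) runs a .bat/.cmd file, and
    (c) spawned wscript/cscript on a .vbs/.js file. The drive letter of the batch
    file is reported so the finding can be tied to a VHD mount event."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    children: dict[int, list[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    findings = []
    for e in events:
        if e.image.lower() != "cmd.exe" or not BATCH_EXT.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image.lower() != "explorer.exe":
            continue
        scripts = [c.cmdline for c in children.get(e.pid, [])
                   if c.image.lower() in SCRIPT_HOSTS and SCRIPT_EXT.search(c.cmdline)]
        if scripts:
            findings.append({
                "cmd_pid": e.pid,
                "batch": e.cmdline,
                "batch_drive": drive_of(e.cmdline),
                "scripts": scripts,
            })
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f"cmd.exe pid {f['cmd_pid']} ran {f['batch']} from drive {f['batch_drive']}:")
        for s in f["scripts"]:
            print("   ->", s)
```

The benign `netinfo.bat` run is not reported because it never spawns a script host, so the rule keys on the batch-to-Windows-Script-Host relationship rather than on batch files alone. In a real hunt the reported drive letter would be matched against the operating system's VHD mount events to confirm that the batch file came from a freshly mounted image rather than a fixed disk.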
The researchers noted that the addresses hosting the payload are no longer reachable. The malicious Chrome extension that ChromeLoader installs and runs can also harvest credentials saved in the browser.
Security experts warn users against downloading games from third-party or unofficial platforms; pirated software is a common infection vector and puts the targeted system at high risk.