ChromeLoader malware newest threat in South Africa
11:03 Mon, 03 Oct 2022

Just as Covid-19 is slowly losing its spotlight, citizens and companies are at risk of yet another infection. However, this infection is computer-based and is a malware called ChromeLoader.
It attacks users’ computers and companies’ computing systems.
ChromeLoader, also known as ChoziosiLoader and Chromeback, was first identified in mid-January 2022. The malware poses as a browser extension and hijacks the user’s browser. Once on the system, attackers can use it to leak companies’ or individuals’ search engine queries and other sensitive information.
“It’s actually a malicious advertisement. It could be linked to a YouTube comment as well and when clicked on, it downloads this file and opens a malicious attack chain which basically then begins and it’s visible to the user in the beginning and at some stage of the attack, it becomes invisible to the user. So they don’t know what’s happening thereafter,” says Monique Hart, lead systems engineer at VMware and subject matter expert (SME) for Carbon Black.
According to VMware, ChromeLoader attacks Google Chrome browsers and most chromium-based browsers. The authors of the malware use it to gather user data and track browsing activity while feeding adware.
Adware is software, sometimes malicious, that hides on a user’s device and serves advertisements targeted using the behavioural data it collects about that user.
In other words, the conveniently timed ads that pop up after you have talked to someone about something you are interested in are the work of adware.
What makes ChromeLoader dangerous is that it also makes use of PowerShell, which it can use to leave the user’s computer more exposed to other, more advanced attacks.
“Although this sort of malware is created with the intent to feed adware to the user, ChromeLoader also increases the attack surface of an infected system. This can eventually lead to much more devastating attacks such as ransomware,” says VMware.
ChromeLoader usually infects a system when the user downloads illegal software, or pirated or cracked versions of the games or software they want to use.
According to VMware, these pirated or cracked versions of games and software are offered by attackers or malware authors, who typically distribute them through social media platforms, torrent websites and piracy sites, or bundle them with legitimate games and software.
When a user runs the malicious download, they unknowingly obtain an ISO file containing ChromeLoader and other malware (an ISO file is a disk image containing everything that would be written to an optical disc such as a CD).
The optical disc image cannot do any harm on its own: the infection only happens once the victim double-clicks the ISO to mount it and runs the Install shortcut inside it. Users are likely to do so believing it is a legitimate download for a game, and that is what infects the computer.
The main reason the malware spreads so fast is human error, says Hart. It is therefore important for users to avoid downloading pirated movies and software, as this puts companies at risk of having their data leaked.
Another way to protect against ChromeLoader is to use a trustworthy antivirus program. However, no antivirus program is equipped to handle the ever-evolving ChromeLoader malware, since it appears to mutate frequently. According to Hart, the malware has already mutated ten times in a short space of time, with the last two mutations discovered in September by the VMware Carbon Black MDR team.
“When you’re looking at your antiviruses, you need to make sure you have next-generation antivirus capabilities. Your traditional signature-based antiviruses most probably won’t be able to protect you against these viruses,” says Hart.
Signature-based antivirus programs (signature AVs), also known as signature IDS (intrusion detection systems), rely on a known list of indicators of compromise. In other words, they store information about viruses, malware or ransomware that have already been picked up in a previous scan and use it to safeguard against a repeat of the same attack.
However, these types of antiviruses (AVs) prove very ineffective at protecting users from malicious cyberattacks in real time.
“The biggest problem is that when you look at how malware or non-malware, ransomware and these things move; they move at a very fast pace. So they’re coming up with different techniques and procedures and new ways of attacking systems on a daily basis. If you look at signature-based antiviruses, they basically count on the user to update. But if you look at what users do, they might miss a day or two, etc. and that’s the biggest potential threat,” Hart adds.
Hart explains that one of the most effective kinds of AV program for ensuring real-time protection against malicious software and cyberattacks is ‘next-generation’ antivirus (NGAV).
She further explains that NGAVs are effective at protecting users against all types of attacks, owing to their system-centric, cloud-based approach. NGAVs use predictive analytics driven by machine learning and artificial intelligence, together with threat intelligence, to detect and prevent malware attacks.
NGAV systems use machine learning to identify malicious behaviour from unknown sources, and collect and analyse endpoint data in order to respond to new and emerging threats that normally go unnoticed by traditional AVs.
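The difference between the two approaches is easiest to see in code. The example below is added here and is not from the article, VMware or Carbon Black: it contrasts an exact-hash "signature" lookup, which a one-byte rebuild of the file defeats, with a behaviour rule over process-creation events that encodes the chain the article describes (a file inside a mounted ISO image is run and PowerShell ends up among its descendants). The sample bytes, the event log, the drive-letter table (`MOUNTED_IMAGE_DRIVES`) and the helper names (`on_mounted_image`, `flag_suspicious_chains`, `run_comparison`) are all constructed for illustration and stand in for data a real endpoint agent would collect from the operating system.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# ---------------------------------------------------------------------------
# Signature-based check: an exact hash lookup, like a traditional AV definition.
# KNOWN_SAMPLE is a constructed byte string standing in for a file already seen;
# it is not ChromeLoader and carries no real indicator of compromise.
# ---------------------------------------------------------------------------
KNOWN_SAMPLE = b"CONSTRUCTED-INSTALLER-STUB build=0001 drop=extension.crx"
# A "mutation": the author rebuilds the file with one field changed, so the
# hash differs while the behaviour stays the same.
MUTATED_SAMPLE = KNOWN_SAMPLE.replace(b"build=0001", b"build=0002")

SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def signature_match(payload: bytes) -> bool:
    """True only when the exact SHA-256 of the payload is already in the list."""
    return hashlib.sha256(payload).hexdigest() in SIGNATURE_DB


# ---------------------------------------------------------------------------
# Behaviour-based check over process-creation events (Sysmon-like, simplified).
# The rule encodes the chain described in the article: something inside a
# mounted ISO image is run, and PowerShell appears among its descendants.
# ---------------------------------------------------------------------------
# Constructed volume table: which drive letters are mounted disk images. On a
# real endpoint this would be read from the OS mount/virtual-disk list.
MOUNTED_IMAGE_DRIVES = {"E:"}


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str  # full path of the executable that started


def on_mounted_image(path: str) -> bool:
    """Hypothetical helper: does this executable live on a mounted ISO volume?"""
    return path[:2].upper() in MOUNTED_IMAGE_DRIVES


CHAIN_RULE = "powershell-descended-from-mounted-image"


def flag_suspicious_chains(events: Iterable[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) for every PowerShell whose ancestry includes a process
    started from a mounted disk image. Benign PowerShell launches are left alone."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for event in by_pid.values():
        if not event.image.lower().endswith("powershell.exe"):
            continue
        parent = by_pid.get(event.ppid)
        while parent is not None:  # walk up the tree until the root or a hit
            if on_mounted_image(parent.image):
                hits.append((event.pid, CHAIN_RULE))
                break
            parent = by_pid.get(parent.ppid)
    return hits


# Constructed sample event log: one infection-style chain and one benign launch.
SAMPLE_EVENTS = [
    ProcessEvent(4, 0, r"C:\Windows\explorer.exe"),
    # the victim runs the Install shortcut inside the mounted ISO (target name constructed)
    ProcessEvent(120, 4, r"E:\Install.exe"),
    ProcessEvent(121, 120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    # an administrator opening PowerShell from the Start menu: same binary, different ancestry
    ProcessEvent(130, 4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]


def run_comparison() -> Dict[str, object]:
    """Evaluate both approaches on the constructed inputs."""
    return {
        "signature_known": signature_match(KNOWN_SAMPLE),      # True: hash is on file
        "signature_mutated": signature_match(MUTATED_SAMPLE),  # False: one field changed
        "behaviour_hits": flag_suspicious_chains(SAMPLE_EVENTS),  # [(121, CHAIN_RULE)]
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

The point of the contrast is that the signature check has no opinion about the rebuilt file until someone ships a new definition, while the behaviour rule never looks at the file at all and still fires on the variant, because the way it is delivered and what it does afterwards have not changed. A production rule would use the same shape with richer fields (command line, parent shortcut, written extension paths) and would be tuned against legitimate PowerShell use to keep the false-positive rate down.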
Further, Hart warns users not to download or install pirated and illegal software, as this poses a security risk to users and to the companies whose systems might get infected. The malware is not limited to Windows users but attacks macOS and Android users as well.