The operators behind the ChromeLoader browser hijacking and adware campaign have switched from using ISO-based distribution to VHD files named after popular games, security researchers have found.
A network of malvertising sites distributes the malicious files, which appear to be legitimate game-related packages but install the ChromeLoader extension, which hijacks browser searches to display advertisements. The malware modifies browser settings and collects credentials and browser data.
Previously, ChromeLoader arrived on the target system as an ISO file. VHD packaging, however, lets the files be mounted easily on a Windows system, and the format is supported by multiple virtualization products.
Among the game titles abused for adware distribution purposes are Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, and more.
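As an added illustration (not code from the report or from the researchers it cites), the following Python triage helper identifies a downloaded file as a VHD container by its trailing footer signature rather than by its extension, and flags it when the filename borrows one of the game titles listed above. The lure-title list is taken from this article, and the sample image the block builds is constructed for the example.

```python
import struct

# Game titles the campaign borrowed (from the report above), used as a lure-name heuristic
LURE_TITLES = ("elden ring", "roblox", "dark souls", "red dead redemption", "need for speed",
               "call of duty", "portal 2", "minecraft", "legend of zelda", "pokemon",
               "mario kart", "animal crossing")

VHD_COOKIE = b"conectix"   # 8-byte cookie that opens every VHD footer
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}

def parse_vhd_footer(data: bytes):
    """Return (disk_type, current_size) if `data` ends with a VHD footer, else None.
    The footer is the trailing 512 bytes; dynamic/differencing images also carry a copy at offset 0."""
    if len(data) < 512:
        return None
    footer = data[-512:]
    if footer[:8] != VHD_COOKIE:
        return None
    # Footer offsets (big-endian): 40 = original size, 48 = current size, 60 = disk type
    current_size = struct.unpack(">Q", footer[48:56])[0]
    disk_type = struct.unpack(">I", footer[60:64])[0]
    return DISK_TYPES.get(disk_type, f"unknown({disk_type})"), current_size

def is_lure_name(filename: str) -> bool:
    """True when the filename contains one of the game titles used as lures."""
    name = filename.lower().replace("_", " ").replace("-", " ")
    return any(title in name for title in LURE_TITLES)

def assess_download(filename: str, data: bytes) -> str:
    """Classify a download: not a VHD, a plain VHD, or a VHD masquerading as a game package."""
    footer = parse_vhd_footer(data)
    if footer is None:
        return "not-vhd"
    disk_type, size = footer
    if is_lure_name(filename):
        return f"suspicious: {disk_type} VHD named after a game ({size} bytes declared)"
    return f"vhd: {disk_type} ({size} bytes declared)"

def build_sample_vhd(size_bytes: int, disk_type: int = 2) -> bytes:
    """Constructed sample: a zero-filled fixed-size VHD body plus a minimal footer (checksum left zero)."""
    footer = bytearray(512)
    footer[0:8] = VHD_COOKIE
    struct.pack_into(">I", footer, 8, 2)                      # features: reserved bit set
    struct.pack_into(">I", footer, 12, 0x00010000)            # file format version 1.0
    struct.pack_into(">Q", footer, 16, 0xFFFFFFFFFFFFFFFF)    # data offset: none for a fixed disk
    struct.pack_into(">Q", footer, 40, size_bytes)            # original size
    struct.pack_into(">Q", footer, 48, size_bytes)            # current size
    struct.pack_into(">I", footer, 60, disk_type)             # disk type
    return bytes(size_bytes) + bytes(footer)
```

Because the check keys on the footer cookie, a VHD renamed to hide its extension is still recognised; a real deployment would scan the downloads directory with these functions rather than a constructed sample.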
According to Red Canary data, the malware became more prevalent in May 2022, while VMware reported new variants carrying out more sophisticated network activities in September 2022. In some cases, the actors even delivered the Enigma ransomware. ChromeLoader generates revenue for its operators by redirecting users to advertisement sites.
Users should be vigilant when downloading game files and should trust only legitimate sources. Companies should keep antivirus and firewalls up to date to prevent ChromeLoader from infiltrating their systems.