A new campaign involving the ChromeLoader malware has been discovered, targeting visitors of warez and pirated movie sites. The campaign, named Shampoo, is a variant of the search hijacker and adware browser extension.
The operation, which began in March 2023, was identified by HP’s threat research team (Wolf Security). ChromeLoader is a browser hijacker that installs browser extensions to redirect search results and promote unwanted software, surveys, adult games, and other irrelevant content.
This latest campaign follows previous instances of ChromeLoader distribution, including a spike reported by Red Canary in February 2022, which expanded its scope to include macOS.
In September, VMware and Microsoft warned of a massive ChromeLoader campaign that included the ability to drop additional malware, including ransomware. More recently, in February 2023, security researchers discovered a campaign where ChromeLoader was distributed in VHD files named after popular video games.
In the current campaign, ChromeLoader is distributed through malicious websites promising free downloads of copyrighted media. Instead of legitimate files, victims unknowingly download VBScripts that execute PowerShell scripts, setting up a scheduled task for persistence. This triggers a series of scripts that download a new PowerShell script into the host’s registry and fetch the Shampoo extension.
Shampoo, a variant of ChromeLoader, injects advertisements on websites and redirects search queries, aiming to generate revenue.
Removing ChromeLoader Shampoo is challenging, as the malware relies on looping scripts and a Windows scheduled task for reinstallation. Victims are advised to remove scheduled tasks prefixed with “chrome_” and delete the registry key “HKCU\Software\Mirage Utilities”.
Rebooting the computer is also recommended. HP warns that corporate environments infected with ChromeLoader may hesitate to seek help from their IT departments due to concerns about violating company policies. However, the threat should not be underestimated, as the trojan can potentially cause more significant damage, and users should take immediate action to remove the malware.
