
VMware Warns of ‘ChromeLoader’ Delivering Ransomware, Destructive Malware

VMware’s Carbon Black team warns that the ChromeLoader malware is now delivering malware such as ZipBomb and the Enigma ransomware to business services and government organizations.

ChromeLoader was initially observed targeting Windows users in January 2022 – a macOS variant was spotted in March – when it was being dropped as an ISO file and could leak users’ browser credentials, collect data on their online activities, and display ads by hijacking browser searches.

The threat is being distributed as pirated or cracked versions of applications or games, typically via social media platforms, piracy sites and torrents, or bundled with legitimate games and software.

Once executed on the victim’s machine, the malware uses scheduled tasks and modified registry keys to achieve persistence. The threat then attempts to load the Chrome extension chrome_zoom.

Since January, VMware’s security researchers have observed multiple variants of ChromeLoader, with some of the most notable ones including ‘opensubtitles-uploader.exe’ and ‘flbmusic.exe’, which mimic legitimate applications.

Over time, the initial infection technique has changed – with the ISO file running a batch script to install the main malware as a second stage payload – but the purpose of the attacks has remained the same: data harvesting and user tracking, complemented by adware delivery.

The most recent variants of ChromeLoader, VMware’s security researchers say, also deliver other malware families and can be used for additional nefarious purposes.

In late August, ZipBombs were being dropped on systems infected with ChromeLoader, embedded in the initial archive that the victim downloads. The ZipBomb is executed only if the user double-clicks it, which results in the system being overloaded with data and potentially destroyed.

“The ZipBomb, seen in ChromeLoader archives, is the classic and sophisticated – 42.zip, which is 42 kilobytes in size when compressed but over 40 petabytes when decompressed. This file has been seen under the names vir.exe, very_fun_game.zip, passwords.zip, AzizGame (1).zip, nudes.zip, unreleased_songs.zip, FreeNitro.zip, jaws2018crack.zip,” VMware explains.
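A defender's counterpart to the zip-bomb delivery described above, as an added example that is not part of VMware's report or of SecurityWeek's article: it reads an archive's central directory without extracting anything and flags members whose declared expansion ratio is extreme, archives whose total declared output is implausibly large, and nested archive members (the layered structure that makes 42.zip so small). The thresholds and the sample file names are assumptions for the example.

```python
import io
import zipfile

# Thresholds are assumptions for this example, not values from the article.
MAX_RATIO = 100            # flag members declaring more than 100:1 expansion
MAX_TOTAL_BYTES = 1 << 30  # flag archives declaring more than 1 GiB of output
NESTED_SUFFIXES = (".zip", ".7z", ".rar", ".gz")


def inspect_zip(data: bytes) -> dict:
    """Screen a ZIP archive using only its central directory metadata.

    Nothing is decompressed, so the check itself cannot be exhausted by the
    payload. Returns the declared total size, the worst per-member ratio,
    nested archive names and the reasons (if any) to quarantine the file.
    """
    reasons, nested = [], []
    worst_ratio, total_declared = 0.0, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            total_declared += info.file_size
            # A zero compressed size with a non-zero declared size is itself suspicious.
            ratio = info.file_size / max(info.compress_size, 1)
            worst_ratio = max(worst_ratio, ratio)
            if ratio > MAX_RATIO:
                reasons.append(f"{info.filename}: {ratio:.0f}:1 exceeds {MAX_RATIO}:1")
            if info.filename.lower().endswith(NESTED_SUFFIXES):
                nested.append(info.filename)
    if total_declared > MAX_TOTAL_BYTES:
        reasons.append(f"declared output {total_declared} bytes exceeds {MAX_TOTAL_BYTES}")
    if nested:
        reasons.append("nested archives present: " + ", ".join(nested))
    return {"declared_bytes": total_declared, "worst_ratio": worst_ratio,
            "nested": nested, "suspicious": bool(reasons), "reasons": reasons}


def build_sample(bomb: bool) -> bytes:
    """Constructed test archive (hypothetical names): a benign text file, or a
    highly compressible blob plus an inner .zip standing in for 42.zip's layers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if bomb:
            zf.writestr("very_fun_game.bin", b"\x00" * (8 * 1024 * 1024))
            zf.writestr("lib 0.zip", b"PK\x05\x06" + b"\x00" * 18)  # empty inner zip
        else:
            zf.writestr("readme.txt", b"Constructed sample text for the benign case.\n")
    return buf.getvalue()
```

Run `inspect_zip` on a downloaded archive before any extraction step; a `suspicious` result is a reason to quarantine rather than open the file.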

Also starting late August, the Enigma ransomware has been seen in the ISO archive, distributed in the form of HTML attachments. When executed, it would launch the default browser to run embedded JavaScript code, and then proceed with its infection chain.

“This campaign has gone through many changes over the past few months, and we don’t expect it to stop. […] The majority of the infected [victims] are with the business services industry, seconded by government,” VMware concludes.

Related: New ‘Shikitega’ Linux Malware Grabs Complete Control of Infected Systems

Related: Chinese Cyberespionage Group Starts Using New ‘PingPull’ Malware

Related: New ‘Bumblebee’ Malware Loader Used by Several Cybercrime Groups

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
