VMware’s Carbon Black team warns that the ChromeLoader malware is now delivering malware such as ZipBomb and the Enigma ransomware to business services and government organizations.
ChromeLoader was initially observed targeting Windows users in January 2022 – a macOS variant was spotted in March – when it was being dropped as an ISO file and could leak users’ browser credentials, collect data on their online activities, and display ads by hijacking browser searches.
The threat is being distributed as pirated or cracked versions of applications or games, typically on social media platforms, pirating sites, torrents, and bundled with legitimate games and software.
Once executed on the victim’s machine, the malware uses scheduled tasks and modified registry keys to achieve persistence. The threat then attempts to load the Chrome extension chrome_zoom.
Since January, VMware’s security researchers have observed multiple variants of ChromeLoader, with some of the most notable ones including ‘opensubtitles-uploader.exe’ and ‘flbmusic.exe’, which mimic legitimate applications.
Over time, the initial infection technique has changed – with the ISO file running a batch script to install the main malware as a second stage payload – but the purpose of the attacks has remained the same: data harvesting and user tracking, complemented by adware delivery.
The most recent variants of ChromeLoader, VMware’s security researchers say, also deliver other malware families and can be used for additional nefarious purposes.
In late August, ZipBombs were being dropped on systems infected with ChromeLoader, embedded in the initial archive that the victim downloads. The ZipBomb is executed only if the user double-clicks it, which results in the system being overloaded with data and potentially destroyed.
“The ZipBomb, seen in ChromeLoader archives, is the classic and sophisticated – 42.zip, which is 42 kilobytes in size when compressed but over 40 petabytes when decompressed. This file has been seen under the names vir.exe, very_fun_game.zip, passwords.zip, AzizGame (1).zip, nudes.zip, unreleased_songs.zip, FreeNitro.zip, jaws2018crack.zip,” VMware explains.
Also starting late August, the Enigma ransomware has been seen in the ISO archive, distributed in the form of HTML attachments. When executed, it would launch the default browser to run embedded JavaScript code, and then proceed with its infection chain.
“This campaign has gone through many changes over the past few months, and we don’t expect it to stop. […] The majority of the infected [victims] are with the business services industry, seconded by government,” VMware concludes.
Related: New ‘Shikitega’ Linux Malware Grabs Complete Control of Infected Systems
Related: Chinese Cyberespionage Group Starts Using New ‘PingPull’ Malware
Related: New ‘Bumblebee’ Malware Loader Used by Several Cybercrime Groups