Recently, network security experts discovered a new piece of malware. By adding a malicious extension to the browser, it steers the victim into clicking on online advertisements, bringing income to criminals. According to analysis by security experts at the network security firm Red Canary, the malware is called ChromeLoader. Once a device is infected, it is difficult to detect and remove.
On the Windows platform, the malware uses PowerShell to add malicious extensions to the victim's Chrome browser; on macOS, it uses bash to launch the same attack against Safari. Aedan Russell, a detection engineer at Red Canary, described the malware in detail in a blog post.
Once the malicious extension injected by ChromeLoader has been added to the victim's browser, it redirects users through online advertisements, bringing income to the criminals. Russell told The Register that the Windows version of ChromeLoader's use of PowerShell to insert malicious Chrome extensions is not common.
Russell said:
ChromeLoader's developers have found an effective way to collect advertising revenue by using Chrome's legitimate developer command-line parameters.
Loading web browser extensions through PowerShell (and doing so silently) shows a higher than standard level of concealment, because other malicious browser extensions are usually introduced by luring users into installing them openly, usually disguised as legitimate browser extensions.
ChromeLoader obtains initial access to the system by being distributed as an ISO file that looks like a torrent file or a cracked video game. According to Red Canary, it spreads through pay-per-install sites and social media networks such as Twitter.
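The behaviour Russell describes (a script host silently launching Chrome with a developer command-line parameter to side-load an extension) can be detected from process-creation telemetry. The following is an added detection example, not code from Red Canary or the article; it assumes Sysmon-like event fields (`parent_image`, `image`, `command_line`), uses Chrome's real `--load-extension` developer switch, and runs over constructed sample events.

```python
"""Flag Chrome launches that side-load an extension via --load-extension,
raising severity when the parent is a script host such as PowerShell or
the extension lives in a user-writable temp location.
Added detection example; the events below are constructed, not real logs."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed process-creation events (Sysmon-like field names are an assumption).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\victim\AppData\Local\Temp\ext"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension=D:\dev\my-extension'},
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_PATH_HINTS = ("\\temp\\", "\\appdata\\", "\\programdata\\")
# Captures the path after --load-extension (quoted or bare; paths with spaces are truncated).
LOAD_EXT_RE = re.compile(r'--load-extension[=\s]+"?([^"\s]+)', re.IGNORECASE)

@dataclass
class Finding:
    reason: str
    extension_path: str
    parent: str
    severity: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyse(event: dict) -> Optional[Finding]:
    if basename(event["image"]) != "chrome.exe":
        return None
    match = LOAD_EXT_RE.search(event["command_line"])
    if not match:
        return None  # ordinary Chrome launch, nothing to report
    ext_path, parent = match.group(1), basename(event["parent_image"])
    reasons, severity = ["chrome launched with developer flag --load-extension"], "low"
    if parent in SCRIPT_HOSTS:  # the PowerShell-driven pattern described for ChromeLoader
        reasons.append(f"parent is a script host ({parent})")
        severity = "high"
    if any(hint in ext_path.lower() for hint in SUSPICIOUS_PATH_HINTS):
        reasons.append("extension loaded from a user-writable temp/AppData location")
        severity = "high" if severity == "high" else "medium"
    return Finding("; ".join(reasons), ext_path, parent, severity)

def scan(events: List[dict]) -> List[Finding]:
    return [f for f in (analyse(e) for e in events) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.extension_path, "|", f.reason)
```

A developer-launched Chrome with a local extension still matches at low severity, so tune the allow-list of parent images and paths for your environment rather than alerting on the bare flag.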