# See what it's like to have a partner in the fight. **redcanary.com/blog/chromeloader/** _Editor’s note: We’ve been researching this threat since early February. In recent days,_ _we’ve observed what appears to be a resurgence in ChromeLoader activity. As a result, this_ _research is based on analysis of threats spanning almost five months. That said, the_ _detection guidance in this report provides defense-in-depth against ChromeLoader and a_ _wide array of other threats._ ChromeLoader is a pervasive and persistent browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites. This malware is introduced via an ISO file that baits users into executing it by posing as a cracked video game or pirated movie or TV show. It eventually manifests as a browser extension. Like most suspicious browser extensions, ChromeLoader is a relatively benign threat that hijacks user search queries and redirects traffic to an advertising site. However, [ChromeLoader uses PowerShell to inject itself into the browser and add a malicious](https://redcanary.com/threat-detection-report/techniques/powershell/) extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions. ----- We first encountered this threat after detecting encoded PowerShell commands referencing a scheduled task called “ChromeLoader”—and only later learned that we were catching ChromeLoader in the middle stage of its deployment. ## A note on existing research In the process of writing this blog, we found two related articles that warrant a mention— and that are definitely worth reading: **Choziosi Loader: The folks at G-Data wrote a** [great article on a threat they call “Choziosi](https://www.gdatasoftware.com/blog/2022/01/37236-qr-codes-on-twitter-deliver-malicious-chrome-extension) Loader” that validates a lot of our own ChromeLoader findings. **The macOS variant: Once we knew about G-Data’s Choziosi naming convention, we** [discovered another excellent write-up by](https://www.th3protocol.com/2022/Choziosi-Loader) [Colin Cowie analyzing a macOS variant of](https://twitter.com/th3_protoCOL) ChromeLoader. In this article, we share important elements of the ChromeLoader infection chain and security guidance that you can apply to detect and hunt for ChromeLoader activity in your environment. While some of the information in this blog overlaps with existing research published by G-Data and Colin Cowie, we’re sharing new insights and guidance that security teams can use to develop behavioral analytics to detect ChromeLoader. ## Initial access ChromeLoader is delivered by an ISO file, typically masquerading as a torrent or cracked video game. It appears to spread through pay-per-install sites and social media platforms such as Twitter. ----- _Figure 1: Redacted screenshot of a Twitter post with scannable QR code leading to_ _ChromeLoader’s initial download site_ Once downloaded and executed, the .ISO file is extracted and mounted as a drive on the victim’s machine. Within this ISO is an executable used to install ChromeLoader, along with what appears to be a NET wrapper for the Windows Task Scheduler This is how ----- ChromeLoader maintains its persistence on the victim s machine later in the intrusion chain. _Figure 2:_ _[VirusTotal analysis on files dropped by malicious ISO](https://www.virustotal.com/gui/file/fa52844b5b7fcc0192d0822d0099ea52ed1497134a45a2f06670751ef5b33cd3/content)_ ## Execution and persistence Executing `CS_Installer.exe creates persistence through a scheduled task using the` Service Host Process ( svchost.exe ). Notably, ChromeLoader does not call the Windows Task Scheduler ( schtasks.exe ) to add this scheduled task, as one might expect. Instead, we saw the installer executable load the Task Scheduler COM API, along with a crossprocess injection into `svchost.exe (which is used to launch ChromeLoader’s scheduled` task). _Figure 3: Carbon Black console crossprocs and modloads of_ `CS_Installer.exe` ----- Figure 3 depicts the cross-process injection into `svchost.exe . Cross-process injection is` frequently used by legitimate applications but may be suspicious if the originating process is located on a virtual drive (like those that you’d expect an ISO file to mount on). It’s a good idea to keep an eye out for processes executing from file paths that don’t reference the default `C:\drive and that initiate a cross-process handle into a process that is on the` C:\drive. This will not only offer visibility into ChromeLoader activity, but also into the many worms that originate from removable drives and inject into `C:\drive processes, like` ``` explorer.exe, to propagate on a victim’s machine. ``` After the cross-process injection is complete, ChromeLoader’s scheduled task will execute [through svchost, calling the Command Interpreter ( cmd.exe ), which executes a Base64-](https://redcanary.com/threat-detection-report/techniques/command-scripting-interpreter/) encoded PowerShell command containing multiple declared variables. ChromeLoader uses the shortened `-encodedcommand flag to encode its PowerShell command:` _Figure 4: Encoded PowerShell content spawned by ChromeLoader’s scheduled task_ Once decoded and beautified, the command looks like this: ----- _[Figure 5: PowerShell CLI decoded and beautified by reddit user “Russianh4ck3r”](https://www.reddit.com/r/antivirus/comments/rvvc0d/comment/hrfpekt/?utm_source=share&utm_medium=web2x&context=3)_ ----- In this command, PowerShell checks if the ChromeLoader extension is installed. If the specific file path is not found, it will pull down an archive file from a remote location using ``` wget and load the contents as a Chrome extension. Once the extension is found, this ``` PowerShell command will silently remove the ChromeLoader scheduled task using the ``` Unregister-ScheduledTask function. ``` ChromeLoader then loads its extension into Chrome by using PowerShell to spawn Chrome with the `--load-extension flag and references the file path of the downloaded` extension. _Figure 6: PowerShell spawning Chrome_ Once loaded in Chrome, the malicious extension can execute its true objective: redirecting victim search results through malvertising domains and redirecting away from the Chrome extensions page if the user attempts to remove the extension. ## macOS Variation [In late April, Colin Cowie published an analysis of the macOS version of ChromeLoader,](https://www.th3protocol.com/2022/Choziosi-Loader) which is capable of loading malicious extensions into both the Chrome and Safari web browsers. After reading Colin’s blog, we retroactively analyzed some Red Canary threat detections that seemed to constitute partial execution of this variation from a published detection in late February. As illustrated below, ChromeLoader redirects an encoded command from a Bourne shell ( sh ) into a Bourne-again SHell ( bash ). The command itself searches for `Google Chrome process using grep, then loads the malicious extension` from `/private/var/tmp/ if the process is found.` ----- _Figure 7: Decoded Bash command loading malicious extension into Chrome_ The macOS variation has the same initial access technique as the Windows variant, namely that it uses baited social media posts with QR codes or links that direct users to malicious pay-per-install download sites. Instead of originating as an ISO, the macOS variation originates in an Apple Disk Image ( DMG ) file format. And unlike the Windows variation, the DMG file contains an installer script that drops payloads for either Chrome or Safari, not a portable executable file. When executed by the end user, the installer script then initiates cURL to retrieve a ZIP file containing the malicious browser extension and unzips it within the `private/var/tmp directory, finally executing Chrome with command-line options to` load the malicious extension. ----- _Figure 8: Bash script downloading and decompressing the ChromeLoader browser_ _extension. Image courtesy of Colin Cowie._ To maintain persistence, the macOS variation of ChromeLoader will append a preference ( plist ) file to the `/Library/LaunchAgents directory. This ensures that every time a` user logs into a graphical session, ChromeLoader’s Bash script can continually run. Once installed, ChromeLoader performs the same activity as it does on Windows machines: redirecting web traffic through advertising sites. ## Detection ### Detection opportunity 1: PowerShell containing a shortened version of the ``` encodedCommand flag in its command line ``` This pseudo detection logic looks for the execution of encoded PowerShell commands. Not all encoded PowerShell is malicious, but encoded commands are worth keeping an eye on. process_name == powershell.exe && command_line_includes (-e, -en, -enc, [going on sequentially until the full flag, `-` ``` encodedcommand ]) ``` ----- _Note: Many applications will legitimately encode PowerShell and make use of these_ _shortened flags. Some tuning may be required, depending on your environment. To refine_ _this detection analytic, consider looking for multiple variables in the decoded PowerShell_ _block paired with the use of a shortened_ `encodedCommand flag stated above. Variables are` _declared in PowerShell using_ `$ .` decoded_command_line_includes == $ ### Detection opportunity 2: PowerShell spawning chrome.exe containing ``` load-extension and AppData\Local within the command line ``` The detection analytic looks for instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes `appdata\local as a` parameter. parent_process_name == powershell.exe && process_name == chrome.exe && command_line_includes ( AppData\Local, load-extension ) ### Detection opportunity 3: Shell process spawning process loading a Chrome extension within the command line This analytic looks for `sh or` `bash scripts running in macOS environments with command` lines associated with the macOS variant of ChromeLoader. parent_process_equals_any (sh || bash) && process_name_is_osx? && command_line_includes ( /tmp/ || `load-extension ||` `chrome )` ### Detection opportunity 4: Redirected Base64 encoded commands into a shell process Like the encoded PowerShell detection analytics idea above, this detector looks for the execution of encoded `sh,` `bash, or` `zsh commands on macOS endpoints.` command_line_includes ( echo, base64 ) && childproc_equals_any (sh,bash,zsh) _Note: As is the case with PowerShell, there are many legitimate uses for encoding shell_ _commands. Some tuning may be required, depending on your environment._ ----- ## Conclusion We hope this blog helps you improve your defense-in-depth against ChromeLoader specifically—but also for any variety of other threats that leverage suspicious ISO/DMG files and PowerShell/Bash execution. As always, each environment is different and certain administrative or user workflows may trigger your new detection analytics. Please be sure to tune accordingly. Happy hunting! Related Articles Detection and response ### Detecting suspicious email forwarding rules in Office 365 Detection and response ### Intelligence Insights: May 2022 Detection and response ### The Goot cause: Detecting Gootloader and its follow-on activity Detection and response ### Marshmallows & Kerberoasting **Subscribe to our blog** Our website uses cookies to provide you with a better browsing experience. More [information can be found in our Privacy Policy.](https://redcanary.com/privacy-policy) X **Privacy Overview** This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. ----- These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience. Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information. Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website. -----