New research from HP Wolf security researchers claims a new ChromeLoader campaign has been underway since March affecting users of movie and video game pirating websites.
The browser hijacker tricks victims into installing a malicious extension called Shampoo, which then redirects users’ search queries to malicious websites.
The researchers found the malware to be re-launching itself via Task Scheduler on victims’ machines every 50 minutes, claiming that “victims are having a difficult time getting rid of this malware because it has multiple persistence mechanisms.”
ChromeLoader malware
Beyond its persistence mechanisms, HP states that its multiple evasion techniques make it hard to break down: “The extension is heavily obfuscated and contains many anti-debugging and anti-analysis traps.”
Even so, the HP Wolf team highlights the similarities between Shampoo and other ChromeLoader versions, pinpointing a specific typo in the code that leads it to believe that it could be linked to another version previously witnessed, giving some hope for justice.
Beyond the Chrome extension malware, this version of the company’s quarterly HP Wolf Security Threat Insights Report shared information about attackers bypassing macro policies by hijacking legitimate Office 365 accounts, urging potential victims to pay attention to what lurks beneath a seemingly legitimate facade.
HP’s global head of security for personal systems, Dr Ian Pratt, said: “To protect against increasingly varied attacks, organizations must follow zero trust principles to isolate and contain risky activities such as opening email attachments, clicking on links, or browser downloads. This greatly reduces the attack surface along with the risk of a breach.”
Naturally, the company is keen to push its own antivirus and cybersecurity software, but more broadly it’s common practice to install preventative tools like firewalls in order to secure systems as best as possible.