
A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a shift away from the ISO optical disc image format used in earlier waves. “These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games,” AhnLab Security Emergency response Center (ASEC) said in a report last week.
ChromeLoader (aka Choziosi Loader or ChromeBack) originally surfaced in January 2022 as a browser-hijacking credential stealer but has since evolved into a more potent, multifaceted threat capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs.
The primary goal of the malware is to compromise web browsers like Google Chrome and modify their settings so that traffic is intercepted and redirected to dubious advertising websites. What’s more, ChromeLoader has emerged as a conduit for click fraud, using a malicious browser extension to monetize clicks.
Since arriving on the scene, the malware has gone through multiple versions, many of them able to infect both Windows and macOS systems. The shift to VHD files is yet another sign that the campaign has changed considerably over the past few months.
The infection chain indicates that the main targets are users searching for pirated software and video game cheats, who are led to download VHD files from fraudulent websites that appear in search results pages.
Some of the game titles and popular software used as lures are Elden Ring, Dark Souls III, Red Dead Redemption 2, Need for Speed, Call of Duty, The Legend of Zelda: Breath of the Wild, Mario Kart 8 Deluxe, Super Mario Odyssey, Microsoft Office, and Adobe Photoshop.
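As an added example (not code from ASEC, the article, or the campaign itself), the following Python triage script shows how a defender can identify VHD containers by their on-disk footer rather than trusting the file extension, and flag downloads whose names are built from the lure vocabulary above. The footer layout and checksum follow Microsoft's published Virtual Hard Disk Image Format Specification; the lure keyword list, the sample file names and the sample byte strings are constructed here for illustration and are assumptions, not indicators from the report.

```python
"""Triage downloaded files for VHD lures.

Added example, not code from ASEC or the ChromeLoader campaign. The footer
layout (512 bytes, big-endian, "conectix" cookie, one's-complement checksum)
follows Microsoft's VHD Image Format Specification. The lure term list and the
sample files below are constructed for illustration.
"""
import re
import struct
from typing import Optional

# Footer layout per the VHD specification: cookie, features, version, data
# offset, timestamp, creator app, creator version, creator host OS, original
# size, current size, geometry, disk type, checksum, unique id, saved state,
# reserved.
FOOTER_FMT = ">8sIIQI4sI4sQQ4sII16sB427s"
FOOTER_SIZE = struct.calcsize(FOOTER_FMT)  # 512
COOKIE = b"conectix"
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}

# Assumed lure vocabulary: generic piracy terms plus the titles named above.
LURE_TERMS = [
    "crack", "hack", "cheat", "keygen", "trainer", "patch", "mod menu",
    "elden ring", "dark souls", "red dead redemption", "need for speed",
    "call of duty", "zelda", "mario kart", "super mario", "office", "photoshop",
]


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum with the checksum field (offset 64) zeroed."""
    zeroed = footer[:64] + b"\x00\x00\x00\x00" + footer[68:]
    return (~sum(zeroed)) & 0xFFFFFFFF


def build_vhd_footer(disk_type: int, size: int, creator_os: bytes = b"Wi2k") -> bytes:
    """Construct a spec-conformant footer; used here only to make sample input."""
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == 2 else FOOTER_SIZE
    fields = [COOKIE, 2, 0x00010000, data_offset, 0, b"win ", 0x000A0000,
              creator_os, size, size, b"\x00\x00\x00\x00", disk_type, 0,
              b"\x11" * 16, 0, b"\x00" * 427]
    fields[12] = vhd_checksum(struct.pack(FOOTER_FMT, *fields))
    return struct.pack(FOOTER_FMT, *fields)


def parse_vhd_footer(footer: bytes) -> Optional[dict]:
    """Decode a footer, or return None if the cookie is missing."""
    if len(footer) != FOOTER_SIZE or footer[:8] != COOKIE:
        return None
    f = struct.unpack(FOOTER_FMT, footer)
    return {
        "disk_type": DISK_TYPES.get(f[11], f"unknown({f[11]})"),
        "current_size": f[9],
        "creator_os": f[7].decode("ascii", "replace"),
        "checksum_ok": f[12] == vhd_checksum(footer),
    }


def identify_vhd(blob: bytes) -> Optional[dict]:
    """The footer is always the last 512 bytes; dynamic and differencing images
    also carry a copy in the first 512 bytes, which covers truncated downloads."""
    if len(blob) < FOOTER_SIZE:
        return None
    return parse_vhd_footer(blob[-FOOTER_SIZE:]) or parse_vhd_footer(blob[:FOOTER_SIZE])


def lure_score(filename: str) -> int:
    """Count lure terms in the filename, ignoring case and separators."""
    name = re.sub(r"[_\-.]+", " ", filename.lower())
    return sum(1 for term in LURE_TERMS if term in name)


def triage(filename: str, blob: bytes) -> dict:
    """Combine container identification with the filename heuristic into a verdict."""
    footer = identify_vhd(blob)
    score = lure_score(filename)
    is_vhd = footer is not None
    if is_vhd and score >= 2:
        verdict = "suspicious: VHD container with game hack/crack lure name"
    elif is_vhd:
        verdict = "vhd: review contents before mounting"
    elif filename.lower().endswith((".vhd", ".vhdx")):
        verdict = "mismatch: .vhd extension but no VHD footer"
    else:
        verdict = "not a vhd"
    return {"is_vhd": is_vhd, "lure_score": score, "footer": footer, "verdict": verdict}


# Constructed samples: a minimal fixed VHD (one data sector plus footer), a
# dynamic VHD with its footer copy at both ends, and a renamed text file.
SAMPLES = {
    "Elden_Ring_Crack_v1.2.vhd": b"\x00" * 512 + build_vhd_footer(2, 512),
    "Mario_Kart_8_Deluxe_Hack.vhd": build_vhd_footer(3, 1 << 30) + b"\x00" * 1024
                                    + build_vhd_footer(3, 1 << 30),
    "setup_notes.vhd": b"plain text, not a disk image".ljust(600, b"\x00"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = triage(name, blob)
        print(f"{name}: {r['verdict']} (score={r['lure_score']}, footer={r['footer']})")
```

In practice the script would be pointed at a Downloads folder or a proxy's file quarantine, reading each file's first and last 512 bytes. Checking the footer's checksum separates real images from files that merely carry the extension, while the keyword score only ranks; a high score alone is not evidence of malice. VHDX images use a different header (an eight-byte "vhdxfile" signature at offset 0) and are not parsed here.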
“When a VHD file is downloaded through this process, the user can easily mistake the malicious VHD file for a game-related program,” ASEC researchers said. “Disguising malware as game hacks and crack programs is a method employed by many threat actors.”

To mitigate such risks, it’s recommended that users refrain from following suspicious links and download software only from official sources. Disk image formats such as ISO and VHD deserve the same scrutiny as executables: on modern Windows, double-clicking one mounts it in Explorer, leaving its contents one click away from execution.