ChromeLoader malware campaign punishes pirating users, HP warns
Threat actors are hijacking users’ Chrome browsers if they try to download movies or video games from pirating websites.
This is according to HP Inc.’s quarterly HP Wolf Security Threat Insights Report based on data from millions of endpoints running HP Wolf Security.
Research highlighted the impact of Shampoo Chrome extension.
HP explained: “(This is a) campaign distributing the ChromeLoader malware (that) tricks users into installing a malicious Chrome extension called Shampoo. It can redirect the victim’s search queries to malicious websites, or pages that will earn the criminal group money through ad campaigns. The malware is highly persistent, using Task Scheduler to re-launch itself every 50 minutes.”
According to the report, attackers bypass macro policies by using trusted domains.
“While macros from untrusted sources are now disabled, HP saw attackers bypass these controls by compromising a trusted Office 365 account, setting up a new company email, and distributing a malicious excel file that infects victims with the Formbook infostealer.”
HP said firms must beware of what lurks beneath. “OneNote documents can act as digital scrapbooks, so any file can be attached within. Attackers are taking advantage of this to embed malicious files behind fake “click here” icons. Clicking the fake icon opens the hidden file, executing malware to give attackers access to the users’ machine – this access can then be sold on to other cyber criminal groups and ransomware gangs.”
Sophisticated groups like Qakbot and IcedID first embedded malware into OneNote files in January.
With OneNote kits now available on cyber crime marketplaces and requiring little technical skill to use, their malware campaigns look set to continue over the coming months, the company added.
Patrick Schläpfer, malware analyst at the HP Wolf Security threat research team, said, “To protect against the latest threats, we advise that users and businesses avoid downloading materials from untrusted sites, particularly pirating sites. Employees should be wary of suspicious internal documents and check with the sender before opening. Organisations should also configure email gateway and security tool policies to block OneNote files from unknown external sources.”
From malicious archive files to HTML smuggling, the report also shows cyber crime groups continue to diversify attack methods to bypass email gateways, as threat actors move away from Office formats.
Dr Ian Pratt, global fead of security for personal systems, HP Inc., said, “To protect against increasingly varied attacks, organisations must follow zero trust principles to isolate and contain risky activities such as opening email attachments, clicking on links, or browser downloads. This greatly reduces the attack surface along with the risk of a breach.”