Experts Warn of Rise in Malware used to Hijack a User’s Browser

A new malware called ChromeLoader has been surging since its emergence earlier this year. The cybersecurity threat is a “pervasive and persistent browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites,” Aedan Russell of Red Canary said in a new report.

ChromeLoader is a rogue Chrome browser extension, typically distributed as ISO files via pay-per-install sites and baited social media posts that advertise QR codes to video games and pirated movies.

The malware primarily hijacks user search queries to Google, Yahoo and Bing and redirects the traffic to an advertising site. It also uses PowerShell to inject itself into the browser and add the extension.

The malware, also known as Choziosi Loader, was first documented by G DATA earlier this February.

Karsten Hahn of G DATA says, “For now the only purpose is getting revenue via unsolicited advertisements and search engine hijacking. But loaders often do not stick to one payload in the long run and malware authors improve their projects over time.”

ChromeLoader can also redirect victims away from the Chrome extensions page if the user attempts to remove the add-on.

Additionally, researchers have discovered a macOS version of the malware that works against both Chrome and Safari browsers, effectively turning ChromeLoader into a cross-platform threat.

“If applied to a higher-impact threat – such as a credential harvester or spyware – this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions,” Russell notes.

 

Story via The Hacker News
