An adware campaign targeting search engine requests that uses a malicious browser extension to launch its payload has been exposed by cybersecurity analyst Palo Alto.
“Despite using simple malicious advertisements, the malware became widespread, potentially leaking data from thousands of users and organizations,” said Palo’s threat intelligence wing Unit 42.
Dubbed ChromeLoader, the malware uses a browser extension that serves as both “adware and infostealer, leaking all of the user’s search engine queries.” Adware is usually a term used to describe software that generates unwanted ‘pop-up’ adverts, in this case deployed to capture users’ search data without their consent.
“The extension installs a listener, which allows it to intercept every outgoing request, and uses it to check whether the request was sent to a search engine – Google, Yahoo or Bing,” said Palo. “If it does, the extension will send the search details to the C2 [command and control servers used by the cybercriminals], leaking the victim’s thoughts and interests.”
Palo says the campaign has been active since the beginning of the year, though it only chose to publicly disclose its existence on July 12.
During its half-year of activity the campaign has evolved through different stages, as the malicious hackers behind it refined their coding to make the malware more effective, and Palo expects it will continue to do so.
“ChromeLoader is a multi-stage malware family,” it said. “Each variant contains different stages throughout its infection chain, but the infection chain often looks quite similar among the different variants, including malicious browser extensions used in all variants.”
Palo detected four in all: three variants that targeted Windows systems, and a fourth specifically aimed at Mac users.
The malware authors also used obfuscation techniques to cover their tracks, in this case “switch-case-oriented programming” that made their illicit activities harder for analysts to detect.
Despite such efforts, Palo Alto discovered the adware program after intercepting attacks on its customers, and were able to identify the cybercriminal campaign responsible.
“This malware demonstrates how determined cybercriminals and malware authors can be,” it said. “In a short time period, the authors of ChromeLoader released multiple different code versions, used multiple programming frameworks, enhanced features [and] obfuscators, fixed issues, and even added cross-OS [operating system] support targeting both Windows and MacOS.”
More from Cybernews:
Subscribe to our newsletter