Security researchers from Ahnlab Security (ASEC) recently discovered that the operators of the ChromeLoader malicious ad campaign are now using “.vhd” files named after popular games to distribute. Previously, such campaigns were based on the distribution of similar “.iso” images.

Malicious files were discovered by one of the ASEC specialists through the results of a Google search for free downloads of popular games.

Google search results with links to sites with malware

Among the games used to distribute the above software are: Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing and others.

A network of malicious sites distributes virtual disk images that look like legitimate game installation packages. However, when they try to launch, they install a malicious ChromeLoader extension in the Chromium-based browser. This extension intercepts browser search queries to display ads, and also changes its settings to collect a range of user data.

According to Red Canary, this malware spread widely in May 2022. And in September, VMware announced new iterations of malware that perform more complex network actions. In some cases, attackers distributed Enigma ransomware in this way.

In 100% of the cases seen last year, ChromeLoader was delivered to the target system as a virtual disk file with the “.iso” extension. Recently, however, for some reason, operators prefer files with the “.vhd” extension. Both options for virtual disks, starting with Windows 10, can be mounted in the system without installing additional software.

Such images usually contain a number of files, but most of them are hidden from the user’s eyes. As a rule, only a shortcut called “Install.lnk” is visible. Running the shortcut starts a batch script that unpacks the contents of the ZIP archive inside the image. The payload is loaded from a remote resource.

Contents of the malicious “.vhd” file

According to ASEC, once installed, ChromeLoader starts redirecting users to advertising sites, thereby generating revenue for its operators. Actions are far from the most malicious, but pleasant is still not enough.

The researchers note that the addresses on which the payload ChromeLoader are currently unavailable. However, this does not mean that cybercriminals are no longer distributing a new version of adware with other sources to download the payload.

Users are advised to avoid downloading hacked games and software from unofficial sources. And it’s better to stay away from “cracked” products in principle, since it is in them that attackers usually embed malware.