Sunday, April 14, 2024


This shampoo is hard to wash off: the new version of ChromeLoader “Shampoo” is firmly and permanently stored in the system

By installing a malicious Google Chrome extension, Shampoo remains on the system even after disabling the script.

The HP Wolf Security research team has discovered a new version of the ChromeLoader malware, dubbed “Shampoo”, which is distributed through fake sites offering pirated video games, movies, and other content. Shampoo steals sensitive data, redirects search queries, and injects ads into the victim’s browser.

Researchers at HP Wolf Security have been tracking this campaign, which has been distributing the new ChromeLoader variant since March. Shampoo, however, is more difficult to remove from the system because of several persistence mechanisms.

The Shampoo infection chain begins with the victim downloading and running malicious VBScript files from pirate sites that offer movies, video games, and other illegal content. This results in the installation of a malicious Chrome ad extension. The latest campaign is very similar to the ChromeLoader campaign in terms of infection chain, distribution, and purpose, with the two versions sharing similarities in code and ad monetization features.

[Figure: Shampoo infection chain]

One of Shampoo’s standout features is how it uses the browser’s task scheduler to achieve persistence by setting a scheduled task to re-run itself every 50 minutes.

A PowerShell script sets up a scheduled task that runs a looping script every 50 minutes; that script downloads and runs another PowerShell script, which in turn downloads and installs the ChromeLoader Shampoo extension. Once loaded into a Chrome session, the extension starts sending sensitive information back to the command and control (C2) server. This persistence mechanism allows Shampoo to remain active even if the user or the device’s security tooling terminates the script.

The installed extension is heavily obfuscated and contains many protections against debugging and analysis. The researchers believe that the author of the extension used a free online JavaScript obfuscator to make the malware hard to detect.

Other actions that Shampoo performs on the victim’s computer include:

  • disabling search suggestions in the address bar;
  • redirecting Google, Yahoo and Bing search queries to the C2 server;
  • recording the victim’s last search query in Chrome’s local storage;
  • redirecting the victim from “chrome://extensions” to “chrome://settings”, probably to prevent removal of the extension.

The persistence mechanism that sets up the recurring scheduled task also unregisters any existing tasks whose names are prefixed with “chrome_” (for example, “chrome engine”, “chrome policy”, and “chrome about”). This is probably done to remove any previous or competing version of ChromeLoader.
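A hunt script for the persistence pattern described above (the 50-minute recurring task and the “chrome_” task-name prefix), added here as an example and not taken from the HP Wolf Security report; the hidden or obfuscated PowerShell launcher heuristic is an added generalisation and may produce false positives.

```powershell
# Added example: flag scheduled tasks matching the Shampoo persistence pattern.
# Assumptions: the 50-minute interval and the "chrome_" prefix come from the
# article; the hidden/encoded PowerShell heuristic is an added generalisation.
function Find-SuspiciousChromeTasks {
    [CmdletBinding()]
    param(
        [string]$NamePrefix = 'chrome_',   # task-name prefix reported for Shampoo
        [string]$Interval   = 'PT50M'      # ISO 8601 duration: every 50 minutes
    )

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $reasons = @()

        if ($task.TaskName -like "$NamePrefix*") {
            $reasons += "name starts with '$NamePrefix'"
        }

        foreach ($trigger in $task.Triggers) {
            # Repetition.Interval is an ISO 8601 duration such as PT50M
            if ($trigger.Repetition -and $trigger.Repetition.Interval -eq $Interval) {
                $reasons += "repeats every $Interval"
            }
        }

        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            # Hidden-window or encoded PowerShell launchers are typical of loader loops
            if ($cmd -match 'powershell|pwsh' -and
                $cmd -match '-enc|-w(indowstyle)?\s+hidden|DownloadString|Invoke-Expression|\bIEX\b') {
                $reasons += 'action runs hidden/obfuscated PowerShell'
            }
        }

        if ($reasons.Count -ge 1) {
            [pscustomobject]@{
                TaskName = $task.TaskName
                TaskPath = $task.TaskPath
                Author   = $task.Author
                Actions  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Run from an elevated session; confirm each hit before Unregister-ScheduledTask.
Find-SuspiciousChromeTasks | Format-Table -AutoSize
```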

To avoid Shampoo infection, users should be careful about downloading files from untrustworthy sites and avoid using pirated content. Organizations should also set up their security tools to block potentially harmful files from unknown sources.

ChromeLoader is a browser hijacker that modifies the victim’s browser settings so that search results display resources with unwanted software, fraudulent promotions and research, adult games, and dating sites. Its operators profit by redirecting user traffic to advertising sites. What distinguishes ChromeLoader from other hijackers of this kind is its ability to persist on the system, the scale of its attacks, and its aggressive use of PowerShell.
