Be on the lookout for this malware that hijacks your browser and generates bogus search results

Popup link.
(Image credit: Getty images)

Researchers at RedCanary (thanks, bleepingcomputer) have noticed an uptick in ChromeLoader activity since the beginning of the year. This malware can completely take over your browser, manipulating search results in an effort to get you to click into a network of shady malicious sites and potentially steal your user data. 

This nasty bit of malware is what is called a browser hijacker. It changes a user's browser settings to display search results and ads for bogus sites, surveys, and even adult games on both Windows PCs and macOS systems. Despite being called ChromeLoader, it does affect Apple Safari in addition to Google Chrome. 

According to RedCanary's research, the way ChromeLoader infiltrates most systems is by way of a malicious ISO archive file disguised as a cracked executable for a computer game or commercial software and distributed through torrent sites. Additionally, QR codes inside of Twitter posts promoting cracked Android games have also been found to contain links to ChromeLoader distributing sites.

In most cases, after being infected with a browser hijacker the user is redirected to a series of bad sites that are usually part of an affiliate network. Each visit to these sites funnels revenue to the malware's creator. ChromeLoader does that and more. 

RedCanary says that "ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools)."

RedCanary goes on to outline a worst case scenario for this kind of malware: "If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser sessions." 

On Macs, ChromeLoader has a similar MO where once you double-click on the DMG file, its installer script takes over and the bad browser extension starts to do its thing. 

The best advice we can give is that if you frequent torrent sites, exercise an extra layer of caution when clicking on any links, and don't open any executable files you don't recognize. And if you see an advertisement for a cracked version of Cyberpunk 2070, just don't click on it. 

Image

<a href="https://www.pcgamer.com/windows-11-review/" data-link-merchant="pcgamer.com"" target="_blank">Windows 11 review: What we think of the new OS
<a href="https://www.pcgamer.com/how-to-install-windows-11/" data-link-merchant="pcgamer.com"" data-link-merchant="pcgamer.com"" target="_blank">How to install Windows 11: Safe and secure install
<a href="https://www.pcgamer.com/windows-11-release-date-features-specs-pricing/" data-link-merchant="pcgamer.com"" data-link-merchant="pcgamer.com"" data-link-merchant="pcgamer.com"" target="_blank">What you need to know before upgrading: Things to note before downloading the latest OS
<a href="https://www.pcgamer.com/windows-11-demands-tpm-20-and-heres-what-that-means-for-you/" data-link-merchant="pcgamer.com"" data-link-merchant="pcgamer.com"" data-link-merchant="pcgamer.com"" data-link-merchant="pcgamer.com"" target="_blank">Windows 11 TPM requirements: Microsoft's strict security policy explained

Jorge Jimenez
Hardware writer, Human Pop-Tart

Jorge is a hardware writer from the enchanted lands of New Jersey. When he's not filling the office with the smell of Pop-Tarts, he's reviewing all sorts of gaming hardware, from laptops with the latest mobile GPUs to gaming chairs with built-in back massagers. He's been covering games and tech for over ten years and has written for Dualshockers, WCCFtech, Tom's Guide, and a bunch of other places on the world wide web.