ChromeLoader, also known as Choziosi Loader, has evolved through multiple versions since late 2021, which complicates detections that rely on atomic indicators. The analysis tracks its execution chain from obfuscated PowerShell to a Chrome/Edge/Firefox extension, detailing its evasion techniques, C2 usage over QUIC, and observable indicators such as domain and registry activity. #ChromeLoader #ChoziosiLoader #Withyourrety.xyz #GREASE
Keypoints
- PowerShell-based loader starts the chain by executing an obfuscated script that downloads the malicious payload and begins the extension installation.
- The embedded C# component reveals capabilities such as getGoogSearchUri, hookSearchNavigation, runChromeOrEdge, runFirefox, and runThread, indicating multi-browser support.
- The malware targets Chrome, Edge, and Firefox and can hook any of them to intercept and modify browser behavior.
- It primarily focuses on the user’s search activity, intercepting Google searches and redirecting them to Bing, and it also intercepts keystrokes.
- The delivered extension is packed with permissions; the JavaScript is heavily obfuscated, with base64 strings and dynamic URL construction.
- Operational evasion includes downloading, running, and deleting stagers, randomizing directories, and verifying writable Temp paths to evade detection.
- Network behavior uses QUIC for C2 traffic, DNS queries to suspicious domains, and a set of indicators like a GREASE string and specific HTTP3-related settings.
MITRE Techniques
- [T1059.001] PowerShell – Used to download and execute payload via obfuscated PowerShell. ‘execution of the obfuscated powershell that ultimately downloads the malicious extension on the host.’
- [T1105] Ingress Tool Transfer – The initial PowerShell command downloads the first malicious payload from the installation server. ‘Running the script like this downloads a C# script from the installation server present in the command.’
- [T1055] Process Injection – The stager is built in Temp, loaded into memory and run. ‘the stager is built and executed in the user’s Temp folder, and then deleted’ and ‘load it into memory and run it.’
- [T1112] Modify Registry – The installer writes a registry key. ‘A new registry Key is added’ and ‘HKCU:\Software\CodeSector\Tera Copy.’
- [T1027] Obfuscated/Compressed Files and Information – The initial PowerShell is heavily obfuscated. ‘the initial powershell is heavily obfuscated.’
- [T1056.001] Keylogging – The extension intercepts keyboard input to aid navigation and results manipulation. ‘intercepts keystrokes to account for the users that use the keyboard to navigate the results.’
- [T1071.004] DNS – The C2/traffic uses DNS queries to suspicious domains (Withyourrety.xyz, Freychang.fun). ‘Suspicious DNS Queries and responses: goog.withyourrety[.]xyz’ and ‘Freychang[.]fun: type A, class IN, addr …’
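The chain summarised in the keypoints and the MITRE mappings above (obfuscated PowerShell downloader, stager built in Temp and then deleted, files staged under %AppData%\Local, the CodeSector\Tera Copy registry key) lends itself to behavioural correlation rather than single-indicator matching. The following is an added example, not code from the original write-up; the event dict format is an assumption loosely modelled on Sysmon fields, and the PowerShell command-line markers are generic assumptions rather than values from the page.

```python
"""Correlate constructed endpoint telemetry against the ChromeLoader execution
chain described above. Added example, not code from the original write-up;
the event dict shape is an assumption loosely modelled on Sysmon fields."""
import re

# Indicators from the page: registry key the installer writes, AppData drop paths.
REG_KEY = r"HKCU\Software\CodeSector\Tera Copy"
DROP_PATH = re.compile(r"\\AppData\\Local\\(data\.zip|chrome_\w+)$", re.I)
# Generic markers of a download-and-run PowerShell one-liner (assumption, not from the page).
PS_DOWNLOAD = re.compile(r"-(enc|encodedcommand)\b|downloadstring|downloadfile|\biex\b", re.I)
STAGER_WINDOW = 120  # seconds between a Temp file being created and deleted by one process


def detect_chromeloader_chain(events):
    """Return the set of chain stages observed in a time-ordered list of events."""
    stages = set()
    temp_created = {}  # (pid, lower-cased path) -> creation time, for create/delete pairing
    for ev in events:
        kind, ts = ev["type"], ev["ts"]
        if kind == "process" and ev["image"].lower().endswith("powershell.exe") \
                and PS_DOWNLOAD.search(ev["cmdline"]):
            stages.add("T1059.001 obfuscated PowerShell downloader")
        elif kind == "file_create":
            path = ev["path"].lower()
            if "\\temp\\" in path:
                temp_created[(ev["pid"], path)] = ts
            if DROP_PATH.search(ev["path"]):
                stages.add("extension files staged under AppData\\Local")
        elif kind == "file_delete":
            created = temp_created.pop((ev["pid"], ev["path"].lower()), None)
            if created is not None and ts - created <= STAGER_WINDOW:
                stages.add("Temp stager built then deleted")
        elif kind == "registry_set" and ev["key"].lower().startswith(REG_KEY.lower()):
            stages.add("T1112 registry key " + REG_KEY)
    return stages


# Constructed sample telemetry (not real logs); ts is seconds since the first event.
SAMPLE_EVENTS = [
    {"type": "process", "ts": 0, "pid": 4242, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <constructed-placeholder>"},
    {"type": "file_create", "ts": 3, "pid": 4242, "path": r"C:\Users\u\AppData\Local\Temp\xq7p\stager.exe"},
    {"type": "file_delete", "ts": 9, "pid": 4242, "path": r"C:\Users\u\AppData\Local\Temp\xq7p\stager.exe"},
    {"type": "file_create", "ts": 12, "pid": 4242, "path": r"C:\Users\u\AppData\Local\data.zip"},
    {"type": "file_create", "ts": 13, "pid": 4242, "path": r"C:\Users\u\AppData\Local\chrome_pref"},
    {"type": "registry_set", "ts": 14, "pid": 4242, "key": r"HKCU\Software\CodeSector\Tera Copy\Path"},
]

if __name__ == "__main__":
    for stage in sorted(detect_chromeloader_chain(SAMPLE_EVENTS)):
        print("hit:", stage)
```

Seeing three or more of these stages from one process within a short window is far more robust than matching any single hash or domain from the indicator list, which changes between versions.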
Indicators of Compromise
- [File] 6A84FE906EBBEED933D7776731FE7118E1E028C1 – background.js, B7CD274E9C4036DC3F27D347A8428B40437A7AFA – manifest.json, E1DCD96B5D14141E2F6EE50246E68EE7499E4D87 – %AppData%\Local\data.zip
- [Path] %AppData%\Local\chrome_metric, %AppData%\Local\chrome_pref, and 15 more items in the %AppData%\Local\chrome* directories
- [Domains] Mplayeran.autos, Withyourrety.xyz, Freychang.fun
- [Registry] HKCU\Software\CodeSector\Tera Copy
- [IP] 104.21.70.206, 172.67.139.75, 172.67.218.221
- [Network Indicators] GREASE is the word; HEX: 9b8d047b7db70d45ca16cf225df6e36ce3dcb0bec41dee190f8f20c859de8861967d771e2f4d572f4f7f5dfc04d5d5
Read more: https://cybergeeks.tech/chromeloader-browser-hijacker/