ChromeLoader Observations on the Rise

eSentire’s TRU investigates ChromeLoader, a Chrome extension-based adware delivered via ISO shortcuts and activated through PowerShell to install the extension from the registry. The analysis highlights its persistence via Run keys, high-privilege browser manipulation, and ongoing updates across multiple customers. #ChromeLoader #Kaseya #more_eggs #PowerShell #ISO #ChromeLoaderExtension

Keypoints

  • ChromeLoader is an adware-style extension loaded into Chrome using the --load-extension argument and stored in user AppData.
  • The threat is delivered via pirated content (software, video games, or eBooks) and distributed through various websites and social media platforms.
  • Initial delivery uses ISO files with a shortcut that executes a hidden batch file, which unpacks the malware and establishes persistence in AppData\Roaming via a Run key.
  • PowerShell is used in a staged process to load the ChromeLoader extension, including an XOR-encrypted C# source that is decrypted and executed.
  • The ChromeLoader extension gains high privileges (reading history, managing extensions, and page content manipulation) to inject ads and potentially redirect traffic or load more code.
  • TRU notes that ChromeLoader has shown continuous updates and has appeared across numerous customers/verticals; recommendations include better awareness of ISO files and enhanced endpoint protection.

MITRE Techniques

  • [T1059.001] PowerShell – The first stage PowerShell script is responsible for executing an XOR-Encrypted C# source file that is decompiled to install the ChromeLoader extension from registry. “The first stage PowerShell script is responsible for executing an XOR-Encrypted C# source file that is decompiled to install the ChromeLoader extension from registry.”
  • [T1027] Obfuscated/Compressed Files and Information – The decryption routine base64 decodes then takes the first 5 bytes from the XOR-encrypted registry value. “The decryption routine base64 decodes then takes the first 5 bytes from the XOR-encrypted registry value.”
  • [T1105] Ingress Tool Transfer – The PowerShell script also contains redundancy to retrieve code from the C2 (hxxps://evelopedsev[.]autos in this case) and write it to the registry should it be missing or removed. “The PowerShell script also contains redundancy to retrieve code from the C2 … and write it to the registry should it be missing or removed.”
  • [T1547.001] Registry Run Keys/Startup Folder – The batch file unpacks the malware binary into the AppData\Roaming directory then establishes persistence using a Run key. “The batch file unpacks the malware binary into the AppData\Roaming directory then establishes persistence using a Run key (Figure 2).”
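As an added defender-side example (not code from the eSentire report), the Python below runs three detection rules over constructed Sysmon-style events that mirror the chain described above: Chrome started with --load-extension pointing into AppData, PowerShell reading a registry value, and a Run key value pointing into AppData\Roaming. All event fields, paths and names are invented for the demonstration.

```python
import re

# Constructed sample telemetry, modelled on Sysmon process-creation (EventID 1)
# and registry-value-set (EventID 13) records. Every path and name is invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --load-extension=C:\Users\bob\AppData\Roaming\Ext --no-startup-window'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -ep bypass -c "Get-ItemProperty HKCU:\Software\Updater"'},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\bob\AppData\Roaming\Updater\launch.bat"},
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"chrome.exe" --profile-directory=Default'},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# --load-extension=<path>, with or without quotes around the path.
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\", re.IGNORECASE)
# Coarse heuristic: PowerShell reading a registry value from its command line.
PS_REG_READ = re.compile(r"Get-ItemProperty|HKCU:|HKLM:|Registry::", re.IGNORECASE)


def check_event(ev):
    """Return a finding name for one event, or None if no rule matches."""
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    if eid == 1 and image.endswith("chrome.exe"):
        m = LOAD_EXT.search(cmd)
        if m and APPDATA.search(m.group(1) or m.group(2)):
            return "chrome_sideloaded_extension_from_appdata"
    if eid == 1 and image.endswith("powershell.exe") and PS_REG_READ.search(cmd):
        return "powershell_registry_read"
    if (eid == 13 and RUN_KEY.search(ev.get("TargetObject", ""))
            and APPDATA.search(ev.get("Details", ""))):
        return "run_key_persistence_into_appdata"
    return None


def scan(events):
    """Per-event findings plus a chain flag when the loader and persistence stages co-occur."""
    findings = [(i, f) for i, ev in enumerate(events) if (f := check_event(ev))]
    names = {f for _, f in findings}
    chain = {"chrome_sideloaded_extension_from_appdata", "run_key_persistence_into_appdata"} <= names
    return findings, chain
```

The two benign events (a normal Chrome launch and a vendor Run key under Program Files) produce no findings, so the chain flag only fires when both the side-loaded extension and the AppData\Roaming persistence are seen together.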

Indicators of Compromise

  • [Hash] ChromeLoader Stage 1 PowerShell – 10CE7795E0D7D0AACB487A3C67A2F59F
  • [Hash] ChromeLoader XOR-encrypted C# Source File – EA0FCD070E59389EEA6C280B5B582A18
  • [Hash] ChromeLoader C# Source File – 5DEFEA9D05D5A2EBB03FBEAC464A948A
  • [Domain] C2 Domain (Stage 1 PowerShell) – endevelopedsev[.]autos
  • [Domain] C2 Domain (C# Source File) – asanttackl[.]autos
  • [Domain] C2 Domain (Browser Extension) – usesianeduke[.]xyz

Read more: https://www.esentire.com/blog/chromeloader-observations-on-the-rise