Since May 2020, a continuous malware campaign has been roaming around the corner and affecting multiple browsers, including Microsoft Edge, Mozilla Firefox, Google Chrome, etc. Before jumping to the biggest threat to the users’ data due to an adware campaign, one must know what adware is? Adware is a programming application in which threat actors can display advertisements, or when a person opens up a website, ads are shown through pop-up windows or adverts displayed on the UI.
It is essential to mention here that a network security analyst, Palo Alto, recognized adware designed to target search domain requests using a malware browser extension to launch its payload. The malware, Dubbed ChromeLoader, is an extremely dangerous and pervasive browser hijacker. It uses simple malicious ads, redirects user traffic to advertisement sites, and harms organizations by stealing their confidential information, modifying the browser’s settings, and leaking it publically. The kind of malware exposed by Alto operates by a browser extension and appears to reveal the stolen search engine history. This malware also serves as both an information stealer and adware. This way, it is deployed to fetch the public’s search data without asking for their permission.
The question is, how does this malware work? In simple words, the extension installs a listener, blocks every outgoing request, and verifies the request sent to Yahoo, DuckDuckGo, or Google search engine. When it crosschecks the sent requests, the extension will automatically transfer the user’s search data to the C2 (it is the cyberattackers’ control servers to receive commands). Cybercriminals now have all the data and access to victims’ interests and preferences. On July 12, the existence of this adware campaign was finally revealed to the public, though this suspicious malware activity started at the start of 2022. During this time, the software has undergone several changes. Threat actors modify software coding from time to time to make it more malicious. Alto Palo thinks it will get refined more, and the process seems to continue.
Explaining further about ChromeLoader, Palo said that it is multi-stage malware consisting of multiple stages throughout its attacking chain. He identified four variants of ChromeLoader. Three were designed to attack Windows systems, and a fourth variant targeted the Mac operating system. Additionally, the malware creators used confusing techniques to hide their tracks. In the case of search engine stealing, they used a special coding called switch-case-oriented programming that allows cybercriminals to make it way harder for IT experts to detect.
It is necessary to detect and reduce these types of threats. The companies must provide additional security features to protect users from data breaches. It is also essential for enterprises to understand the malicious behaviors and give tools to encounter these cyber threats.
Read next: Vishing Scam Rates Are Getting Triple of Phishing Scams And Scammers are on the loose freely
It is essential to mention here that a network security analyst, Palo Alto, recognized adware designed to target search domain requests using a malware browser extension to launch its payload. The malware, Dubbed ChromeLoader, is an extremely dangerous and pervasive browser hijacker. It uses simple malicious ads, redirects user traffic to advertisement sites, and harms organizations by stealing their confidential information, modifying the browser’s settings, and leaking it publically. The kind of malware exposed by Alto operates by a browser extension and appears to reveal the stolen search engine history. This malware also serves as both an information stealer and adware. This way, it is deployed to fetch the public’s search data without asking for their permission.
The question is, how does this malware work? In simple words, the extension installs a listener, blocks every outgoing request, and verifies the request sent to Yahoo, DuckDuckGo, or Google search engine. When it crosschecks the sent requests, the extension will automatically transfer the user’s search data to the C2 (it is the cyberattackers’ control servers to receive commands). Cybercriminals now have all the data and access to victims’ interests and preferences. On July 12, the existence of this adware campaign was finally revealed to the public, though this suspicious malware activity started at the start of 2022. During this time, the software has undergone several changes. Threat actors modify software coding from time to time to make it more malicious. Alto Palo thinks it will get refined more, and the process seems to continue.
Explaining further about ChromeLoader, Palo said that it is multi-stage malware consisting of multiple stages throughout its attacking chain. He identified four variants of ChromeLoader. Three were designed to attack Windows systems, and a fourth variant targeted the Mac operating system. Additionally, the malware creators used confusing techniques to hide their tracks. In the case of search engine stealing, they used a special coding called switch-case-oriented programming that allows cybercriminals to make it way harder for IT experts to detect.
It is necessary to detect and reduce these types of threats. The companies must provide additional security features to protect users from data breaches. It is also essential for enterprises to understand the malicious behaviors and give tools to encounter these cyber threats.
Read next: Vishing Scam Rates Are Getting Triple of Phishing Scams And Scammers are on the loose freely
