ChromeLoader malware distributed via malicious VHDs for Nintendo and Steam games


Threat actors behind the ChromeLoader browser hijacking and adware campaign are now using VHD files disguised as hacks or cracks for popular Nintendo and Steam games.

According to a recent report from the AhnLab Security Emergency Response Center (ASEC), the game titles and software abused for adware distribution include Elden Ring, ROBLOX, Dark Souls 3, Red Dead Redemption 2, Need for Speed, Call of Duty, Portal 2, Minecraft, Legend of Zelda, Pokemon, Mario Kart, Animal Crossing, Microsoft Office, and more.

First spotted in January 2022, ChromeLoader (also known as Choziosi Loader and ChromeBack) is a multi-staged malware designed to compromise internet browsers and alter the victim’s browser settings to direct traffic to dubious advertising websites. The malware can even conduct browser hijacking to compromise the user’s password and login information. The threat actors behind ChromeLoader use multiple initial infection vectors, and the malware’s variants target both macOS and Windows.

The ASEC researchers discovered the malicious VHD files, which were distributed through multiple websites, by querying Google for popular games and programs.

“When a VHD file is downloaded through this process, the user can easily mistake the malicious VHD file for a game-related program,” the researchers said. “Disguising malware as game hacks and crack programs is a method employed by many threat actors.”

While the malicious images include several files, only one of them, a shortcut called “Install.lnk,” is visible to users. Install.lnk runs the properties.bat file, which in turn decompresses a ZIP archive. Next, properties.bat executes “data.ini,” a VBScript, and a JavaScript that downloads ChromeLoader onto the system.
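One defender-side way to spot the chain just described in endpoint telemetry, added here as an example and not taken from ASEC's report: it walks constructed Sysmon-style process-creation events and flags a script host (wscript.exe or cscript.exe) that is handed a file with a non-script extension such as .ini, raising the severity when the parent is cmd.exe running a .bat. The event fields, the E: drive letter of the mounted image, and the exact wscript invocation are assumptions.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Extensions a script host is normally given; anything else (.ini, .txt, .dat) is suspicious.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta"}

# Constructed Sysmon-style events (not real telemetry): Install.lnk opened from Explorer
# runs properties.bat on the mounted image, which hands data.ini to the VBScript engine.
# A benign admin script under a different parent is included as a control case.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "E:\properties.bat"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //E:vbscript "E:\data.ini"'},  # assumed invocation
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Tools\backup.vbs"'},
]


def last_arg(cmdline: str) -> str:
    """Return the final command-line token, honouring double-quoted paths."""
    tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]
    return tokens[-1] if tokens else ""


def detect(events):
    """Flag script hosts executing non-script files; escalate when spawned by a .bat via cmd.exe."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if ntpath.basename(e["image"]).lower() not in SCRIPT_HOSTS:
            continue
        target = last_arg(e["cmdline"])
        if ntpath.splitext(target)[1].lower() in SCRIPT_EXTS:
            continue  # a script host running a real script file is normal
        parent = by_pid.get(e["ppid"])
        via_bat = (parent is not None
                   and ntpath.basename(parent["image"]).lower() == "cmd.exe"
                   and ".bat" in parent["cmdline"].lower())
        alerts.append({"pid": e["pid"], "target": target,
                       "severity": "high" if via_bat else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```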

“Recently, there has been an increase in malware using disk image files. Disguising malware as game hacks and crack programs is a method employed by many threat actors. Users must be particularly cautious about executing files downloaded from unknown sources, and it is advised that users download programs from their official websites,” ASEC advised.
