Search Engine Poison: Chrome Loader Malware
Understanding malware patterns helps in building detectors for automation and in finding malware in the wild — these can be patterns in the files themselves, or patterns in downloaded files that lead to additional malicious files and folders.
Chrome Loader malware has been seen after a user downloads a potentially unwanted program (PUP) or a free wallpaper background for their desktop. Other free downloads, such as cracked video games and pirated movies, can also drop Chrome Loader without the user knowing what they delivered into their environment.
Chrome Loader’s goal is to compromise a user’s browser like Chrome, and change the victim’s browser settings to direct traffic to untrustworthy websites with ads. It can even conduct browser hijacking to compromise the user’s password and login information.
In early 2022, Chrome Loader used a Chrome extension as its payload and dropped an obfuscated PowerShell executable. The executables used were:
CSinstaller.exe
Download.exe
Later in 2022 the initial dropper became an obfuscated executable. The executables below were often seen with Chrome Loader malware:
Tone.exe
Bloom.exe
Energy.exe
Editor.exe
Now in 2023, free wallpaper executables are being seen in the user's Downloads folder that drop Chrome Loader malware onto the host. The files below have been seen:
2048x1503 Fall Colors North Carolina Mountains ___.exe
1680x1050 F1 HD Wallpaper and Background Image ___.exe
1280x800 Pastel Desktop Wallpapers — Top Free P___.exe
These Chrome Loader files were hosted on malicious websites that were promoted and suggested through search engine poisoning. In search engine poisoning, the threat actor uses specific keywords and phrases to make malicious content appear more relevant and trustworthy to users than it actually is. The goal is to hijack the search engine results of popular websites and inject malicious links into them to boost their placement in search results.
If your internet browser keeps redirecting you or showing ads, check what you downloaded last.
Folder locations to check for Chrome Loader malware:
<Username>\Downloads
%AppData%\Roaming
%AppData%\Local
%AppData%\Local\Temp
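A triage script for the folder locations and file names listed above, added here as an example and not part of the original post. It assumes the folders resolve under $env:USERPROFILE, treats the file names above as known indicators, and uses the resolution-prefix naming of the wallpaper lures (e.g. "2048x1503 ... .exe") as a heuristic:

```powershell
# Added example: scan the folders listed in the post for executables that match
# the Chrome Loader naming patterns, and report creation time, signature and hash.
# Assumption: run in the affected user's session so $env:USERPROFILE is the right profile.
function Find-ChromeLoaderArtifacts {
    param([int]$RecentDays = 30)

    # File names taken from the post's 2022 lists
    $knownNames = @('CSinstaller.exe', 'Download.exe',
                    'Tone.exe', 'Bloom.exe', 'Energy.exe', 'Editor.exe')
    # 2023 wallpaper lures: a screen resolution prefix, a space, anything, then .exe
    $wallpaperPattern = '^\d{3,4}x\d{3,4}\s.*\.exe$'

    $folders = @(
        (Join-Path $env:USERPROFILE 'Downloads'),
        (Join-Path $env:USERPROFILE 'AppData\Roaming'),
        (Join-Path $env:USERPROFILE 'AppData\Local'),
        (Join-Path $env:USERPROFILE 'AppData\Local\Temp')
    )
    $cutoff = (Get-Date).AddDays(-$RecentDays)

    foreach ($folder in $folders) {
        if (-not (Test-Path $folder)) { continue }
        Get-ChildItem -Path $folder -Filter '*.exe' -File -Recurse -ErrorAction SilentlyContinue |
            Where-Object {
                ($knownNames -contains $_.Name) -or ($_.Name -match $wallpaperPattern)
            } |
            ForEach-Object {
                # Unsigned or invalidly signed files in these folders deserve a closer look
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path      = $_.FullName
                    Created   = $_.CreationTime
                    Recent    = ($_.CreationTime -ge $cutoff)
                    Signature = $sig.Status
                    SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

# Newest matches first; hand the hashes to your sandbox or threat-intel lookup
Find-ChromeLoaderArtifacts | Sort-Object Created -Descending | Format-Table -AutoSize
```

A match is only a lead: confirm with the hash and signature status before deleting anything, since legitimate wallpaper tools can share the naming style.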
Recommendation: Don’t download something simply because it is free. Make sure the site you are downloading files from is a reputable source.