ChromeLoader disguises Cracked Game VHD

Researchers have uncovered a malware campaign distributing the ChromeLoader using VHD files as a source.

ChromeLoader is a malicious Chrome browser extension, it is classified as a pervasive browser hijacker that modifies browser settings to redirect user traffic.

These VHD files are disguised as applications and hacks or cracks for popular Nintendo and Steam games,

ELDEN RING
Dark Souls 3
Red Dead Redemption 2
Call of Duty Deluxe Edition
Minecraft
The Legend of Zelda
Pokemon Ultra Moon
Animal Crossing New Horizons
Mario Kart 8 Deluxe

Advertisements

These files are discovered by querying Google for popular games and programs that they were distributed through multiple websites

Once upon installing the malicious files, they will install the ChromeLoader extension and redirect users to an advertisement website, and collect browsing data and credentials.

The malware is able to redirect the user’s traffic and hijack user search queries to popular search engines, including Google, Yahoo, and Bing. The malicious code is also able to use PowerShell to inject itself into the browser and add the extension to the browser.

The analysis of the VHD files revealed multiple hidden files except for the Install.lnk file. Upon clicking on the Install.lnk, the properties.bat file and the properties.bat file are executed.

These batch files execute “data.ini,” a VBScript, and a JavaScript, videos.exe that fetches the last-stage payload from a remote server

The videos.exe file has nw.exe inside of it and refers to the package.json to run the script designated by the main property. The script designated by the main property is the file start.html, which contains a malicious JS that has been obfuscated.