A new ChromeLoader malware campaign has been observed being distributed via virtual hard disk (VHD) files, marking a deviation from the ISO optical disc image format.
“These VHD files are being distributed with filenames that make them appear like either hacks or cracks for Nintendo and Steam games,” AhnLab Security Emergency response Center (ASEC) said in a report last week.
ChromeLoader (aka Choziosi Loader or ChromeBack) originally surfaced in January 2022 as a browser-hijacking credential stealer but has since evolved into a more potent, multifaceted threat capable of stealing sensitive data, deploying ransomware, and even dropping decompression bombs.
The primary goal of the malware is to compromise web browsers like Google Chrome, and modify the browser settings to intercept and direct traffic to dubious advertising websites. What’s more, ChromeLoader has emerged as a conduit to carry out click fraud by leveraging a browser extension to monetize clicks.
Since arriving on the scene, the malware has gone through multiple versions, many of them equipped with capabilities to break into both Windows and macOS systems. The shift to VHD files is yet another sign that the campaign has gone through many changes over the past few months.
The infection chain indicates that users looking for pirated software and video game cheats are the main targets, leading to the download of VHD files from fraudulent websites appearing on search results pages.
Some of the game titles and popular software used are Elden Ring, Dark Souls III, Red Dead Redemption 2, Need for Speed, Call of Duty, The Legend of Zelda: Breath of the Wild, Mario Kart 8 Deluxe, Super Mario Odyssey, Microsoft Office, and Adobe Photoshop.
“When a VHD file is downloaded through this process, the user can easily mistake the malicious VHD file for a game-related program,” ASEC researchers said. “Disguising malware as game hacks and crack programs is a method employed by many threat actors.”
To mitigate such risks, it’s recommended that users refrain from following suspicious links and download software only from official sources.