
The Difficult-to-Wash-Out Shampoo ChromeLoader Variant


A new variant of the ChromeLoader malware, known as “Shampoo,” is being spread through fake websites that advertise pirated video games, films, and other goods. This malware is far from clean – it steals sensitive data, redirects searches, and injects ads into a victim’s browsing session. Researchers from HP Wolf Security have been tracking this new campaign, which has been active since March. The Shampoo malware is similar to the original ChromeLoader discovered in May 2022, but it has multiple persistence mechanisms that make it harder to remove.

The original ChromeLoader aimed to install a malicious Chrome extension for advertising purposes. It used a complex infection chain that began with victims downloading malicious ISO files from websites hosting illegal content. Similarly, the Shampoo campaign tricks victims into downloading and running malicious VBScript files. This leads to the installation of a malicious Chrome browser extension. The two campaigns share code similarities and both seek to monetize through advertising.

One key difference between Shampoo and the original ChromeLoader is the use of the browser’s Task Scheduler for persistence. Shampoo sets up a scheduled task to relaunch itself every 50 minutes, ensuring it remains active even after reboots or attempts to kill the script. This persistence mechanism is achieved through a PowerShell script that is executed by the Shampoo malware. The script downloads and installs the malicious ChromeLoader Shampoo extension, which then sends sensitive information back to a command and control (C2) server.
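A defender reading this will want to know how to find a task like the one described: a short repeat interval combined with an action that launches a script interpreter. The following PowerShell hunt is an added example and is not from the HP Wolf Security report; the one-hour threshold, the interpreter list and the output columns are assumptions chosen for illustration, not indicators taken from the campaign.

```powershell
# Added example (not from the original article): enumerate scheduled tasks and flag those
# that repeat at most every hour AND run a script interpreter such as powershell.exe or wscript.exe.
# The threshold and interpreter list are assumptions; tune them to your environment.
$Interpreters = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe')
$MaxInterval  = [timespan]::FromHours(1)

function Test-SuspiciousTask {
    param([Parameter(Mandatory)] $Task)

    # Task Scheduler stores repetition intervals as ISO 8601 durations, e.g. "PT50M".
    $shortRepeat = $false
    foreach ($trigger in $Task.Triggers) {
        $rep = $trigger.Repetition.Interval
        if ($rep) {
            $interval = [System.Xml.XmlConvert]::ToTimeSpan($rep)
            if ($interval -le $MaxInterval) { $shortRepeat = $true }
        }
    }

    # Compare only the executable's file name so both bare and fully-qualified paths match.
    $scriptAction = $false
    foreach ($action in $Task.Actions) {
        if ($action.Execute) {
            $exe = Split-Path -Leaf ($action.Execute -replace '"', '')
            if ($Interpreters -contains $exe.ToLower()) { $scriptAction = $true }
        }
    }

    return ($shortRepeat -and $scriptAction)
}

Get-ScheduledTask | Where-Object { Test-SuspiciousTask $_ } | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        TaskName = $_.TaskName
        TaskPath = $_.TaskPath
        Author   = $_.Author
        Command  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Interval = ($_.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
        LastRun  = $info.LastRunTime
        NextRun  = $info.NextRunTime
    }
} | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so tasks registered under other users are visible. Legitimate software also registers frequently repeating tasks, so treat a hit as a lead to review (task author, command line, script location, whether the script downloads anything) rather than as a verdict on its own.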

Users typically encounter Shampoo when they download illegal content from the internet, such as movies or video games, from websites that offer pirated files. They are tricked into running malicious VBScripts that they believe are the desired content. The Shampoo extension is heavily obfuscated and contains anti-debugging and anti-analysis traps, making it harder to detect. Once installed, the malware disables search suggestions, redirects search queries to the C2 server, and logs search data in Chrome’s local storage. It also prevents victims from accessing the extensions page in Chrome, likely to hinder removal attempts.

To prevent infection by the Shampoo variant, it is advised to avoid downloading pirated material or any files from untrusted websites. This is especially important for employees using Chrome in a corporate environment, as downloading such files could lead to the spread of malware throughout an organization. Configuring email gateway and security tool policies to block files from unknown external sources can provide additional protection.
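On managed Windows hosts, the behaviours described above (a sideloaded extension that redirects searches and blocks the extensions page) can be constrained with Chrome's enterprise policies. The script below is an added example, not guidance from the article or from HP; it writes Chrome's documented policy registry keys, and the extension ID in the allowlist and the search-provider URL are placeholders to be replaced with your organization's own values.

```powershell
# Added example (not from the original article): apply Chrome enterprise policies via the
# registry so that only allowlisted extensions can be installed and the default search
# provider cannot be changed by an extension. Values marked PLACEHOLDER are assumptions.
$Base = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
New-Item -Path $Base -Force | Out-Null

# Block every extension not explicitly allowlisted, including ones sideloaded in developer mode.
$Blocklist = Join-Path $Base 'ExtensionInstallBlocklist'
New-Item -Path $Blocklist -Force | Out-Null
New-ItemProperty -Path $Blocklist -Name '1' -Value '*' -PropertyType String -Force | Out-Null

# Allowlist the extensions your organization actually needs (32-character Web Store IDs).
$Allowlist = Join-Path $Base 'ExtensionInstallAllowlist'
New-Item -Path $Allowlist -Force | Out-Null
New-ItemProperty -Path $Allowlist -Name '1' -Value 'PLACEHOLDER_EXTENSION_ID' -PropertyType String -Force | Out-Null

# Pin the default search provider so search queries cannot be silently redirected.
New-ItemProperty -Path $Base -Name 'DefaultSearchProviderEnabled' -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $Base -Name 'DefaultSearchProviderName' -Value 'Corporate Search (PLACEHOLDER)' -PropertyType String -Force | Out-Null
New-ItemProperty -Path $Base -Name 'DefaultSearchProviderSearchURL' -Value 'https://search.example.com/?q={searchTerms}' -PropertyType String -Force | Out-Null

# Keep users from enabling developer mode, which is how unpacked extensions get loaded.
New-ItemProperty -Path $Base -Name 'DeveloperToolsAvailability' -Value 2 -PropertyType DWord -Force | Out-Null
```

After running it, open chrome://policy in a fresh Chrome session and confirm the policies show as applied with no errors; in a domain environment the same settings are normally delivered through Group Policy with the Chrome ADMX templates rather than by editing the registry directly.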

The first version of ChromeLoader has evolved into a more dangerous threat, being used to drop ransomware, steal data, and crash systems in enterprises. While it is unclear if the Shampoo variant will be used in the same way, caution is advised. HP Wolf Security researchers have provided tips for avoiding infection and a list of indicators of compromise in their report.

In summary, the Shampoo variant of the ChromeLoader malware is being spread through fake websites advertising pirated content. It steals data, redirects searches, and injects ads into browsing sessions. Users should be cautious when downloading files from untrusted websites and should avoid pirated material altogether. By taking these precautions, individuals and organizations can protect themselves from this malicious campaign.
