Evolving Malware Attacks: The ChromeLoader Shampoo Campaign

Written By Joel Lee

The ChromeLoader campaign continues to evolve, with the discovery of the Shampoo browser extension variant. This article highlights the distribution method and behaviour of the Shampoo browser extension, a ChromeLoader variant that injects advertisements and redirects search queries. The campaign targets warez and pirated movie site visitors, exploiting their desire for free downloads.

Attack Details

  • Attack Type: Malware Delivery, Phishing, Misconfiguration

  • Targeted Platform: Web browsers (specifically Google Chrome)

  • Tactics: Exploiting default configuration, social engineering, deceptive downloads, ad injection

  • Potential Impact: Compromised systems, unauthorized access to personal information, data theft 

The ChromeLoader Shampoo campaign leverages malicious websites offering free downloads of copyrighted media to distribute the malware. Upon visiting these sites, victims unknowingly download VBScripts, which execute PowerShell scripts responsible for setting up a scheduled task for persistence.

Infection Chain

The Shampoo malware is distributed through malicious websites that promise free downloads of copyrighted music, movies, or video games. Instead of legitimate media files or software installers, victims unknowingly download VBScripts. These scripts execute PowerShell scripts, which set up a scheduled task prefixed with "chrome_" for persistence. This scheduled task triggers a series of scripts that download a new PowerShell script into the host's registry under "HKCU:\Software\Mirage Utilities". Simultaneously, the malicious Chrome extension, Shampoo, is fetched and installed.

The Shampoo browser extension is a variant of ChromeLoader and exhibits the following behaviours:

  • Ad Injection: Shampoo injects advertisements on websites visited by the victim, potentially disrupting their browsing experience.

  • Search Query Redirection: Searches from the browser address bar or Google are first redirected to the website "ythingamgladt[.]com" and then to Bing search results.

  • Prevention of Extension Removal: Shampoo prevents users from accessing the Chrome extension screen. Any attempts to do so redirect users to the Chrome settings screen.

  • Financial Motivation: The adware's operation aims to generate revenue through search redirects and advertisements.

Recommended Mitigation

  • Remove Malicious Tasks: Check for any scheduled tasks prefixed with "chrome_" and delete them. Legitimate Chrome tasks are typically prefixed with "Google."

  • Delete Registry Key: Remove the registry key "HKCU\Software\Mirage Utilities" associated with the malware.

  • Reboot Your Computer: Restart your computer to temporarily disable the ChromeLoader Shampoo malware.

 If necessary:

  • Delete Suspicious Folder: If present, delete the folder 'C:\Users<user>\appdata\local\chrome_test' to remove associated PowerShell scripts.

In conclusion, the ChromeLoader campaign continues with the distribution of the Shampoo browser extension variant. This campaign targets users seeking free downloads of copyrighted media from malicious websites. The Shampoo extension injects ads and redirects search queries, causing disruptions in the browsing experience. Removing the malware requires specific steps to remove scheduled tasks, delete registry keys, and potentially delete associated folders. Users should remain cautious and avoid downloading software from doubtful sources, as adware can pose significant risks to systems and may attempt more damaging actions in the future.

Joel Lee
Previous

Detriments of Ransomware Threats: BlackCat’s New Attack Vector
Next

Evolving Malware Attacks: A Microsoft Teams’ Vulnerability