ChromeLoader Malware Poses as Steam, Nintendo Game Mods

Written by

Threat actors have been spotted distributing the ChromeLoader malware via files posing as Nintendo and Steam game cracks and mods.

According to security researchers from Asec, the malicious activity recently observed by the team relied on VHD disk image files.

“When a VHD file is downloaded through this process, the user can easily mistake the malicious VHD file for a game-related program,” reads an advisory published by the company on Thursday.

A list of filenames used in the distribution of the malware included several popular games, including Elden Ring, Red Dead Redemption 2 and Dark Souls 3.

Some of the observed files had also posed as popular software programs, including Microsoft Office and Adobe Photoshop.

“Everything except for the Install.lnk file has the hidden property enabled, so ordinary users will only see the Install.lnk file,” Asec wrote.

After victims click on that file, a series of steps are triggered, eventually leading to the download of ChromeLoader. The adware then uses a Chrome extension to perform malicious behaviors.

“The malicious extension created and executed by ChromeLoader redirects to an advertisement website and collects user browsing data through hijacking,” reads the Asec post. “It is capable of various features such as collecting browser credentials and modifying browser settings.”

The ChromeLoader attacks are indicative of an increase in malware using disk image files, according to the technical write-up.

“Disguising malware as game hacks and crack programs is a method employed by many threat actors,” the Asec team wrote.

“Since the previous year, there has been a steady increase in cases where disk image files, such as ISO and VHD, have been used in malware distribution.”

Because of this, the advisory warns users to be cautious about executing files downloaded from unknown sources.

“It is advised that users download programs from their official websites,” Asec concluded.

The research document comes weeks after ChromeLoader was mentioned in a ransomware technique analysis by Tim Wallen, regional director of UKI & BeNeLux at Logpoint.

What’s hot on Infosecurity Magazine?