ChromeLoader has at least four variants. Palo Alto Networks Unit 42 cybersecurity experts: the malware authors used a browser extension as their final payload. It serves as adware and an infostealer.
ChromeLoader (aka Choziosi Loader and ChromeBack) has at least four variants. They have been discovered by Palo Alto Networks Unit 42 cybersecurity experts. Instead of more traditional cybercrime malicious code such as a Windows executable (.exe) or a Dynamic Link Library (.dll), the malware authors used a browser extension as their final payload. It serves as adware and an infostealer, leaking all of the user’s search engine queries. Since January 2022, researchers have detected four evolutions:
- Variant 0: It used AutoHotKey (AHK)-compiled executables and version 1.0 of the Chrome extension. Its first known attack occurred in December. In this article, this variant is discussed fourth (in the section titled “The Real First Windows Variant”).
- Variant 1: It used versions 2.0-4.4 of the Chrome extension as its payload and a .NET executable that launches obfuscated PowerShell as its dropper. It was mainly active in January.
- Variant 2: It uses version 6.0 of the Chrome extension and an obfuscated executable as its initial dropper. It has been active since March.
- MacOS Variant: It focuses on MacOS computers (while the other variants target Windows users only). It uses version 6.0 of the extension and has been active since March.