
ChromeLoader caught using popular Steam and Nintendo games to lure victims

Photo: Hadrian / Shutterstock.com


Operators of ChromeLoader, a browser-hijacking and adware malware family, are moving towards VHD files named after popular games and programs, a shift from the ISO files they previously favoured. The new set of files was discovered by researchers at the AhnLab Security Emergency Response Center (ASEC) through Google search results for those games.

The VHD files are presented as cracks for popular Steam and Nintendo games, as well as for several widely used programs such as Photoshop and Microsoft Office. Games and programs abused in the campaign include the following:

  • Adobe Photoshop 2023
  • Animal Crossing
  • Call of Duty
  • Dark Souls 3
  • Elden Ring
  • Mario Kart
  • Microsoft Office
  • Minecraft
  • Need for Speed
  • Pokemon Ultra
  • Portal 2
  • Red Dead Redemption
  • Roblox
  • Super Mario Odyssey
  • The Legend of Zelda

The files are distributed through a network of malvertising sites posing as legitimate game download pages; the packages end up installing the malware. ChromeLoader can take over the Google Chrome browser to show advertisements, sending the resulting revenue to the operators. The ASEC report also states that it can modify browser settings to collect credentials and browser data.

Some malicious sites distributing VHD files containing the Chromeloader adware. | Source: ASEC

The operators are moving to a VHD package, which can easily be mounted on a Windows machine and is also supported by multiple virtualisation programs, including VMware’s VirtualBox. These images are archived in a ZIP package that includes several hidden files and a shortcut called ‘install.lnk’; when triggered, the shortcut runs a batch script that deploys the archive’s contents.
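The delivery chain described above has a recognisable shape before anything is mounted: a ZIP containing a disk image, a shortcut file and entries flagged hidden. The following script is an added example, not code from the ASEC report or from any vendor, showing how a defender can triage an archive on those indicators. It constructs its own sample archives in memory (the file names and contents are made up for illustration); the only format fact it relies on is that a VHD image ends in a 512-byte footer whose first eight bytes are the cookie "conectix", so the check is on content rather than on the file extension alone.

```python
import io
import zipfile

HIDDEN_ATTR = 0x02        # MS-DOS FILE_ATTRIBUTE_HIDDEN bit, kept in the low byte of external_attr
VHD_COOKIE = b"conectix"  # first 8 bytes of the 512-byte footer every VHD image carries


def build_sample_archive() -> bytes:
    """Constructed sample mimicking the described lure layout (not a file from the campaign)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Fake VHD: a few zero sectors followed by a footer that starts with the VHD cookie.
        fake_vhd = b"\x00" * 1024 + VHD_COOKIE.ljust(512, b"\x00")
        zf.writestr("Elden Ring/Elden_Ring.vhd", fake_vhd)
        # Shortcut plus the script it would launch, both flagged hidden as in a Windows-built archive.
        for name, payload in (("Elden Ring/install.lnk", b"L\x00\x00\x00"),
                              ("Elden Ring/_data/install.bat", b"@echo off\r\n")):
            zi = zipfile.ZipInfo(name)
            zi.external_attr = HIDDEN_ATTR
            zf.writestr(zi, payload)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: an ordinary archive with no image, shortcut or hidden entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", b"nothing to see here\n")
    return buf.getvalue()


def assess_archive(data: bytes) -> dict:
    """Collect lure indicators from a ZIP: VHD images, .lnk shortcuts and hidden entries."""
    images, shortcuts, hidden = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            lower = info.filename.lower()
            if info.external_attr & 0xFF & HIDDEN_ATTR:
                hidden.append(info.filename)
            if lower.endswith(".lnk"):
                shortcuts.append(info.filename)
            if lower.endswith(".vhd"):
                # Verify by content: a genuine VHD ends in a footer beginning with "conectix".
                tail = zf.read(info)[-512:]
                images.append((info.filename, tail.startswith(VHD_COOKIE)))
    # Image plus shortcut is the combination that matters; hidden entries add confidence.
    suspicious = bool(images) and bool(shortcuts)
    return {"images": images, "shortcuts": shortcuts, "hidden": hidden,
            "suspicious": suspicious}


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_archive()), ("benign", build_benign_archive())):
        print(label, assess_archive(blob))
```

The verdict is deliberately conservative: a disk image alone is common in legitimate downloads, and a shortcut alone is common in installers, so the script only raises the flag when both are present and reports the hidden entries and the footer check separately for an analyst to weigh.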

According to reports from Red Canary, the malware has become more prevalent since May 2022. VMware also released a report in September 2022 stating that new variants were carrying out more sophisticated activity on infected machines, including delivering the Enigma ransomware in some cases.
