
Newly Discovered 'Shampoo' ChromeLoader Campaign Spreads via Warez Websites


June 15, 2023


Security researchers at Wolf Security, HP's threat research division, have uncovered a new strain of the notorious ChromeLoader browser hijacker. Dubbed "Shampoo," the malware variant is being distributed via pirated content websites, affecting visitors who download copyrighted video games, movies and music for free.

ChromeLoader has gained notoriety for its forceful installation of unwanted browser extensions, typically leading victims to undesirable and potentially harmful search results, ranging from software promotions and adult games to deceptive surveys, fake giveaways and dating websites.

Researchers discovered that the malicious campaign has been active since March 2023. The modus operandi involves victims downloading what they believe to be pirated content, which instead turns out to be malicious Visual Basic Scripts (VBScripts).

These VBScripts execute PowerShell scripts, setting off a chain of actions that eventually leads to the infection. The scripts create a persistent scheduled task prefixed with "chrome_," which triggers additional scripts to download and install "Shampoo," a new variant of ChromeLoader, onto the victims' systems.

Once installed, Shampoo hinders victims from accessing the extension menu on Google Chrome. Moreover, the malware uses looping scripts and Windows scheduled tasks to automatically reinstall the extension each time the user removes it or reboots their system. This makes removing the malware a tedious task, requiring swift action from the user before the looping script reinstalls the malware.

Wolf Security's team warns people of the risks associated with visiting pirate or warez websites and downloading content from them, given that they have become the leading distribution channels for this new malware variant.

Researchers strongly recommend using trusted sources for downloads and maintaining updated, reliable security software to protect against such threats. They also advise users to watch out for unexpected changes in their browsing experiences, as this may be a sign of a browser hijacker or other malware.

"The human factors of this campaign are worth highlighting. The malware does not hide itself. The victim will almost certainly notice ChromeLoader's presence," reads HP's report. "Despite this, users may be reluctant to ask their IT department for help to remove the malware. ChromeLoader is often delivered through malicious VBScript files that users download from websites hosting illegal content. Users may fear repercussions for breaking their organization's acceptable IT use policy."

To remove the Shampoo ChromeLoader variant from a compromised device, users must disable its persistence mechanism by following these steps:

  1. Remove the chrome_-prefixed scheduled task
  2. Delete the HKCU:\Software\Mirage Utilities\ registry key
  3. Restart the machine to temporarily disable the looping script

However, these steps must be performed quickly before the looping script can reinstall the malware.
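The three steps above can be run in one pass so the looping script has less time to react. The PowerShell script below is an added example, not code from HP's report or from this article; the parameter names and the opt-in `-Restart` switch are assumptions, while the `chrome_` prefix and the registry key are the ones named above. Run it with `-WhatIf` first to list what it would remove.

```powershell
#Requires -Version 5.1
# Added example: finds and removes the two persistence artifacts named in the article.
# Run it as the affected user: HKCU: maps to the hive of the account running the script.
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [string]$TaskPrefix  = 'chrome_',                          # prefix from the article
    [string]$RegistryKey = 'HKCU:\Software\Mirage Utilities',  # key from the article
    [switch]$Restart                                           # step 3, opt-in (assumed switch)
)

# Step 1: scheduled tasks whose name starts with the prefix.
$tasks = @(Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like "$TaskPrefix*" })

foreach ($task in $tasks) {
    $fullName = "$($task.TaskPath)$($task.TaskName)"
    # Log what the task launches before deleting it, for the incident record.
    $actions = ($task.Actions |
        ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Write-Output "Found task: $fullName -> $actions"

    if ($PSCmdlet.ShouldProcess($fullName, 'Unregister scheduled task')) {
        Unregister-ScheduledTask -TaskName $task.TaskName `
            -TaskPath $task.TaskPath -Confirm:$false
    }
}

# Step 2: the registry key used by the malware.
$keyPresent = Test-Path -LiteralPath $RegistryKey
if ($keyPresent) {
    Write-Output "Found registry key: $RegistryKey"
    if ($PSCmdlet.ShouldProcess($RegistryKey, 'Delete registry key')) {
        Remove-Item -LiteralPath $RegistryKey -Recurse -Force
    }
}

# Step 3: restart only if something was found and the caller asked for it.
if ($tasks.Count -eq 0 -and -not $keyPresent) {
    Write-Output 'No chrome_-prefixed task or Mirage Utilities key found.'
}
elseif ($Restart -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Restart computer')) {
    Restart-Computer -Force
}
```

Review the logged task actions before confirming each removal, since the match is on the task name prefix alone.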

Using specialized software like Bitdefender Ultimate Security can protect you against Shampoo, ChromeLoader, and other cyberthreats. Key features include:

  • Continuous, all-around detection and protection against worms, viruses, Trojans, spyware, ransomware, zero-day exploits, rootkits, and other digital threats
  • Behavioral detection module that closely monitors active apps and acts instantly upon detecting suspicious activity
  • Web attack prevention technology that filters unsafe content by analyzing search results before you access them and blocking known infected links
  • Network threat prevention module that detects and blocks suspicious network-level activities such as malware- or botnet-related URLs, sophisticated exploits, and brute-force attacks




Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
