Since last year there has been a steady increase in cases where disk image files such as ISO and VHD are used to distribute malware, and these have been covered several times on the ASEC blog. This post covers a recently discovered case of ChromeLoader being distributed in VHD files. The VHD files are distributed under filenames that make them look like hacks or cracks for Nintendo and Steam games; a few of them also use the names of paid software such as Microsoft Office and Adobe Photoshop. The filenames observed in distribution are listed below.
- Filenames Used in Distribution
ELDEN RING Free Download (v1_08_1).vhd
Dark Souls 3 [FitGirl Repack]_part1_rar.vhd
Red Dead Redemption 2 Free Download (v1_0_1436_28).vhd
File_ Need for Speed Carbon Collectors Edition____.vhd
File_ Call of Duty Deluxe Edition_zip ___.vhd
File_ Portal_2_v2023_01_17_zip ___.vhd
File_ Minecraft – Story Mode_Complete Season_zi___.vhd
[NEW] ROBLOX _ Doors Script _ Hack _ Spawn Enti___.vhd
The Legend of Zelda_ Breath of the Wild SWITCH ___.vhd
Pokemon Ultra Moon_ Update 1_2 [Decrypted] 3DS ___ (1).vhd
Mario Kart 8 Deluxe (NSP)(Booster Course DLC)(W___ (2).vhd
Super Mario Odyssey Switch NSP+ Update Free Dow___.vhd
Microsoft Office 2010 Free Download.vhd
Adobe Photoshop 2023 Free Download.vhd
Searching Google for any of the filenames above returns, at the very top of the results page, multiple websites that distribute illegal programs such as game hacks and cracks. Attempting to download one of these programs from such a site opens a chain of malicious advertisement pages, and the VHD files are assumed to have been served from one of these advertisement pages. At the time of writing the same download path only serves a benign program (the 7-Zip installer).
A user who downloads a VHD file this way can easily mistake it for the game-related program they were looking for. The files inside the malicious VHD are shown below. Every file except Install.lnk has the hidden attribute set, so a user with default Explorer settings sees only Install.lnk.
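Because the lures carry game and software names rather than anything that says "disk image", a quick triage step is to identify a VHD from its content rather than from its extension. The Python below is an added example and not code from the ASEC post: it parses the 512-byte VHD footer (cookie, disk type, sizes, creator, timestamp), verifies the footer checksum, and checks that a fixed image's payload length matches the size the footer claims. It runs over a synthetic fixed VHD constructed inline for the demonstration; the field layout comes from the VHD format specification, while the sample image and the function names are this example's own.

```python
import datetime
import struct
import uuid
from typing import Optional

# VHD footer layout (Microsoft VHD image format specification): the last
# 512 bytes of the file, big-endian, beginning with the cookie "conectix".
VHD_FOOTER_SIZE = 512
VHD_COOKIE = b"conectix"
VHD_HEADER_FMT = ">8sIIQI4sI4sQQIII"  # fields up to and including the checksum
DISK_TYPES = {0: "none", 2: "fixed", 3: "dynamic", 4: "differencing"}
VHD_EPOCH = datetime.datetime(2000, 1, 1, tzinfo=datetime.timezone.utc)


def vhd_checksum(footer: bytes) -> int:
    """One's complement of the byte sum of the footer with the checksum
    field (bytes 64..67) treated as zero, as the VHD spec defines it."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF


def parse_vhd_footer(data: bytes) -> Optional[dict]:
    """Return metadata from the trailing VHD footer, or None if the data does
    not end in a footer. The filename is deliberately ignored."""
    if len(data) < VHD_FOOTER_SIZE:
        return None
    footer = data[-VHD_FOOTER_SIZE:]
    if footer[:8] != VHD_COOKIE:
        return None
    (_, features, fmt_version, data_offset, timestamp, creator_app,
     creator_version, creator_os, original_size, current_size, geometry,
     disk_type, checksum) = struct.unpack(VHD_HEADER_FMT, footer[:68])
    return {
        "disk_type": DISK_TYPES.get(disk_type, f"unknown({disk_type})"),
        "format_version": f"{fmt_version >> 16}.{fmt_version & 0xFFFF}",
        # Fixed disks have no dynamic header; the spec signals that with an all-ones offset.
        "data_offset": None if data_offset == 0xFFFFFFFFFFFFFFFF else data_offset,
        # Timestamp is seconds since 2000-01-01 UTC, not the Unix epoch.
        "created": (VHD_EPOCH + datetime.timedelta(seconds=timestamp)).isoformat(),
        "creator_app": creator_app.decode("ascii", "replace").strip(),
        "creator_os": creator_os.decode("ascii", "replace").strip(),
        "original_size": original_size,
        "current_size": current_size,
        "geometry": (geometry >> 16, (geometry >> 8) & 0xFF, geometry & 0xFF),
        "disk_uuid": str(uuid.UUID(bytes=footer[68:84])),
        "checksum_ok": checksum == vhd_checksum(footer),
        # A fixed VHD is raw sectors followed by the footer, so the payload
        # length must equal the size the footer claims.
        "size_consistent": disk_type != 2 or len(data) - VHD_FOOTER_SIZE == current_size,
    }


def make_fixed_vhd(payload: bytes, timestamp: int = 726000000) -> bytes:
    """Build a synthetic fixed-type VHD around `payload`. Constructed test
    input only; it is not one of the samples the post analyzes."""
    padded = payload + b"\x00" * (-len(payload) % 512)  # whole 512-byte sectors
    size = len(padded)
    head = struct.pack(VHD_HEADER_FMT, VHD_COOKIE, 2, 0x00010000,
                       0xFFFFFFFFFFFFFFFF, timestamp, b"win ", 0x000A0000,
                       b"Wi2k", size, size, 0, 2, 0)  # geometry left zero, checksum filled below
    footer = head + uuid.UUID(int=0x1234).bytes + b"\x00" + b"\x00" * 427
    footer = footer[:64] + struct.pack(">I", vhd_checksum(footer)) + footer[68:]
    return padded + footer


def triage_vhd_file(path: str) -> Optional[dict]:
    """Read only the trailing footer of a file on disk and parse it."""
    with open(path, "rb") as fh:
        fh.seek(0, 2)
        if fh.tell() < VHD_FOOTER_SIZE:
            return None
        fh.seek(-VHD_FOOTER_SIZE, 2)
        return parse_vhd_footer(fh.read())


if __name__ == "__main__":
    sample = make_fixed_vhd(b"A" * 1000)
    for key, value in parse_vhd_footer(sample).items():
        print(f"{key:16} {value}")
```

triage_vhd_file reads just the last 512 bytes, so it is cheap to run over an entire downloads directory; a file whose footer parses but whose checksum or size does not match has either been truncated in transit or edited by hand, and either case deserves a closer look before it is mounted.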
Install.lnk runs properties.bat, which in turn extracts files.zip into the %AppData% directory with the tar command (Windows 10 and later ship a bsdtar-based tar.exe that can extract ZIP archives, so no third-party tool is needed). files.zip contains normal files alongside a malicious JS file that relies on node-webkit (NW.js). NW.js is an application runtime built on Chromium and Node.js: it is started through nw.exe and reads its configuration from package.json. The following steps abuse exactly these characteristics.
Next, properties.bat runs data.ini and then videos.exe, both created by the extraction. data.ini is a VBScript that creates a shortcut to videos.exe in the Startup folder, %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\, so videos.exe is launched again at every logon.
videos.exe contains nw.exe and, like any NW.js application, reads package.json and runs the script designated by its main property. Here main points to start.html, which contains obfuscated malicious JS.
Ultimately, videos.exe executes the malicious JS in start.html, which connects to the addresses below and attempts to download ChromeLoader. At the time of analysis the addresses could not be reached. ChromeLoader is adware that performs its malicious behavior through a Chrome extension. The extension it creates and runs redirects the browser to advertisement websites and hijacks browsing activity to collect browsing data; it can also collect browser credentials and modify browser settings.
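The chain above rests on one NW.js rule: nw.exe reads package.json and loads whatever main names, so an analyst handling the extracted files can follow the same rule. The Python below is an added example, not code from the post or from ChromeLoader: it reads package.json, pulls the inline scripts out of the entry page, applies simple obfuscation heuristics to them, and scans the sibling files for WScript.Shell shortcut creation into the Startup folder regardless of extension (the post's VBScript was named data.ini). The package.json, start.html and data.ini contents are constructed stand-ins that reproduce the described behaviour, not the real samples, and all function names are this example's own.

```python
import json
import math
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# Constructed stand-ins for the extracted files the post describes. They are
# not the real samples: start.html carries a short obfuscated-looking script
# and data.ini a VBScript that creates a Startup shortcut, which is the
# behaviour the post attributes to the real files.
SAMPLE_FILES = {
    "package.json": json.dumps({"name": "videos", "main": "start.html"}),
    "start.html": (
        "<html><body><script>"
        "var _0x4a=['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f','\\x67\\x65\\x74'];"
        "eval(unescape('%66%75%6e%63%74%69%6f%6e%20%66%28%29%7b%7d'));"
        "new Function(String.fromCharCode(97,108,101,114,116))();"
        "</script></body></html>"
    ),
    "data.ini": (
        'Set sh = CreateObject("WScript.Shell")\n'
        'Set lnk = sh.CreateShortcut(sh.SpecialFolders("Startup") & "\\videos.lnk")\n'
        'lnk.TargetPath = sh.ExpandEnvironmentStrings("%AppData%") & "\\videos.exe"\n'
        "lnk.Save\n"
    ),
}

OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode",
                       "new Function(", "atob(")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# Either way of naming the Startup folder from VBScript.
STARTUP_RE = re.compile(r'SpecialFolders\("Startup"\)|\\Start Menu\\Programs\\Startup', re.I)


def shannon_entropy(text: str) -> float:
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def analyze_script(js: str) -> dict:
    """Cheap obfuscation heuristics for one inline script block."""
    return {
        "markers": [m for m in OBFUSCATION_MARKERS if m in js],
        "hex_escapes": len(re.findall(r"\\x[0-9a-fA-F]{2}", js)),
        "hex_identifiers": len(set(re.findall(r"\b_0x[0-9a-f]+\b", js))),
        "entropy": round(shannon_entropy(js), 2),
    }


def vbscript_persistence(text: str) -> Optional[dict]:
    """Flag WScript.Shell shortcut creation. The file extension is ignored
    on purpose: the script in the post was stored as data.ini."""
    if "CreateShortcut" not in text:
        return None
    target = re.search(r"TargetPath\s*=\s*([^\r\n]+)", text)
    return {
        "startup_folder": STARTUP_RE.search(text) is not None,
        "target": target.group(1).strip() if target else None,
    }


def triage_nwjs_bundle(root: Path) -> dict:
    """Follow the NW.js loading rule (package.json 'main' names the entry
    page), inspect that page's inline scripts, and scan every other file
    for VBScript persistence."""
    pkg = json.loads((root / "package.json").read_text(encoding="utf-8"))
    main = pkg.get("main", "index.html")
    entry = root / main
    findings = {"main": main, "main_is_html": entry.suffix.lower() in (".html", ".htm"),
                "scripts": [], "persistence": []}
    if findings["main_is_html"] and entry.is_file():
        html = entry.read_text(encoding="utf-8", errors="replace")
        findings["scripts"] = [analyze_script(js) for js in SCRIPT_RE.findall(html)]
    for f in sorted(root.iterdir()):
        if f.is_file() and f.name != main:
            hit = vbscript_persistence(f.read_text(encoding="utf-8", errors="replace"))
            if hit:
                findings["persistence"].append({"file": f.name, **hit})
    findings["obfuscated_entry"] = any(
        len(s["markers"]) >= 2 or s["hex_escapes"] >= 5 for s in findings["scripts"])
    findings["startup_persistence"] = any(p["startup_folder"] for p in findings["persistence"])
    return findings


def demo() -> dict:
    """Write the constructed files to a temporary directory and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLE_FILES.items():
            (root / name).write_bytes(body.encode("utf-8"))
        return triage_nwjs_bundle(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a script it prints the findings for the constructed bundle; point triage_nwjs_bundle at the directory where files.zip was extracted to apply it to a real case. The heuristics are deliberately cheap: treat obfuscated_entry as a reason to deobfuscate the entry page, not as a verdict, and treat startup_persistence as the cue to check the Startup folder for the shortcut it describes.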
Malware that uses disk image files has been increasing recently, and disguising malware as game hacks or crack programs is a technique used by many threat actors. Users should be especially cautious when executing files downloaded from unknown sources and are advised to obtain programs from their official websites. AhnLab's anti-malware product, V3, detects and blocks this malware under the alias below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.