Overview
Shampoo is a recent campaign built on ChromeLoader, a malware loader that disguises itself as a Google Chrome update. ChromeLoader was first documented in early 2022 and has been used by several threat actors since; Shampoo, the variant described here, was reported in 2023. Shampoo uses a fake Chrome update website to trick users into downloading and executing a malicious executable. That executable then downloads and installs further payloads, which can include ransomware, information stealers, or remote access trojans.
Root Cause
The root cause of Shampoo is the abuse of users' trust in Google Chrome and their lack of a reliable way to verify that an update prompt is legitimate. Shampoo relies on social engineering to lure users to malicious websites that mimic Google's official update page. The sites use domain names that resemble Google's, such as googlechromes[.]net or googlechromes[.]org, and display fake alerts and pop-ups urging the user to update the browser immediately. A user who clicks the update button is prompted to download and run an executable named ChromeSetup.exe or Update.exe. This file is ChromeLoader, which acts as a dropper for the follow-on malware.
Security Impact
The security impact of Shampoo is significant: it can compromise the confidentiality, integrity, and availability of users' data and systems. Depending on the payload ChromeLoader downloads and installs, Shampoo can cause several kinds of damage:
Encrypting users’ files and demanding ransom for decryption (ransomware)
Stealing users’ credentials, personal information, and financial data (information stealers)
Allowing remote access and control of users’ devices by malicious actors (remote access trojans)
Installing additional malware or adware that can degrade system performance and expose users to more risks (malware downloader)
Recommendation
The best defence against Shampoo is to recognise its social engineering and to verify the legitimacy of any Chrome update notification before acting on it. Users should follow these practices:
Always update Chrome from within the browser (chrome://settings/help) or from Google's official website; Chrome updates itself and never asks you to download an installer from a pop-up
Never download or run files from unknown or suspicious sources
Check the domain name and full URL of any website that claims to offer Chrome updates, and treat lookalike names (extra letters, swapped characters, unfamiliar top-level domains) as a red flag
Use reputable antivirus or anti-malware software that can detect and block ChromeLoader and similar loaders
Learn, and teach others, the signs and risks of phishing and malware campaigns
By following these steps, users can greatly reduce their chances of falling victim to Shampoo and other ChromeLoader campaigns.
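The "check the domain name and URL" advice above, and the lure flow described under Root Cause, can be turned into a mechanical check. The script below is an added example for this post, not code from the original article or from any vendor: it classifies a URL a user has been told to fetch a Chrome update from as official, lookalike, untrusted or suspicious. The allow-list of official hosts and the typosquat heuristics (branding substrings plus a small edit distance to "google") are assumptions for illustration; the lure file names are the two the post mentions, and the sample URLs at the bottom are constructed.

```python
"""Classify a Chrome-update download URL as official, lookalike or untrusted.

Added example for this post; not code from the original article or from any
vendor. The allow-list of official hosts and the lookalike heuristics are
assumptions for illustration; the lure file names are the ones the post cites.
"""
from urllib.parse import urlparse

# Assumed allow-list: hosts Google serves Chrome installers and update pages
# from. Any other subdomain of google.com is also accepted below.
OFFICIAL_CHROME_HOSTS = {
    "google.com",
    "www.google.com",
    "dl.google.com",
    "chrome.google.com",
}

# Installer names the post reports the lure sites offering. The legitimate
# installer uses the same name, so the file name alone proves nothing; the
# host it is fetched from is what matters.
LURE_FILENAMES = {"chromesetup.exe", "update.exe"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def is_official_host(host: str) -> bool:
    return host in OFFICIAL_CHROME_HOSTS or host.endswith(".google.com")


def is_lookalike_host(host: str) -> bool:
    """True when a non-official host imitates Google/Chrome branding.

    Every label except the TLD is split on hyphens and inspected, so
    "googlechromes.net", "g00gle-update.org" and "dl.google.com.evil.net"
    are all flagged.
    """
    if is_official_host(host):
        return False
    labels = host.split(".")[:-1]  # drop the TLD
    tokens = [t for label in labels for t in label.split("-") if t]
    for token in tokens:
        if "google" in token or "chrome" in token:
            return True
        if levenshtein(token, "google") <= 2:
            return True
    return False


def assess_download(url: str) -> dict:
    """Return a verdict and reason for a URL offered as a Chrome update."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower().rstrip(".")
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    result = {"host": host, "filename": filename,
              "lure_filename": filename in LURE_FILENAMES}
    if not host:
        result.update(verdict="invalid", reason="URL has no host")
    elif is_official_host(host):
        if parsed.scheme == "https":
            result.update(verdict="official",
                          reason="official Google host over HTTPS")
        else:
            # Google serves installers over HTTPS; plain HTTP is a red flag.
            result.update(verdict="suspicious",
                          reason="official host but not HTTPS")
    elif is_lookalike_host(host):
        result.update(verdict="lookalike",
                      reason="host imitates Google/Chrome branding but is not a Google domain")
    else:
        result.update(verdict="untrusted",
                      reason="not an official Chrome download host")
    return result


if __name__ == "__main__":
    # Constructed samples: the first is a genuine Google path, the rest are
    # made-up lures in the style the post describes.
    for sample in [
        "https://dl.google.com/chrome/install/ChromeSetup.exe",
        "https://googlechromes.net/download/ChromeSetup.exe",
        "http://g00gle-update.org/Update.exe",
        "https://dl.google.com.evil.net/ChromeSetup.exe",
        "https://example.com/Update.exe",
    ]:
        r = assess_download(sample)
        print(f"{r['verdict']:10} {sample}  ({r['reason']})")
```

A verdict of "official" means only that the host is one Google controls; the downloaded installer should still carry a valid Authenticode signature from Google before it is run. The edit-distance threshold of 2 is deliberately loose and will produce some false positives on short labels; for a blocklist or proxy rule, feed lookalike hits into review rather than blocking them outright.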