Threat Actors Are Hijacking Chrome Browsers

HP Inc. has issued its quarterly HP Wolf Security Threat Insights Report, showing threat actors are hijacking users’ Chrome browsers if they try to download popular movies or video games from pirating websites.

By isolating threats that have evaded detection tools on PCs, HP Wolf Security has specific insights into latest techniques being used by cybercriminals in the cybercrime landscape. To date, HP Wolf Security customers have clicked on more than 30 billion email attachments, web pages, and downloaded files with no reported breaches.

Based on data from millions of endpoints running HP Wolf Security, the researchers found:

  • The Shampoo Chrome extension is hard to wash out – A campaign distributing the ChromeLoader malware tricks users into installing a malicious Chrome extension called Shampoo. It can redirect the victim’s search queries to malicious websites or pages that will earn the criminal group money through ad campaigns. The malware is persistent, using Task Scheduler to re-launch itself every 50 minutes.
  • Attackers bypass macro policies by using trusted domains – While macros from untrusted sources are disabled, HP saw attackers bypass these controls by compromising a trusted Office 365 account, setting up a new company email, and distributing a malicious excel file that infects victims with the Formbook infostealer.
  • Firms must beware of what lurks beneath – OneNote documents can act as digital scrapbooks, so any file can be attached within. Attackers take advantage of this to embed malicious files behind fake “click here” icons. Clicking the fake icon opens the hidden file, executing malware to give attackers access to the users’ machine – this access can be sold on to other cybercriminal groups and ransomware gangs.

Sophisticated groups like Qakbot and IcedID first embedded malware into OneNote files in January. With OneNote kits available on cybercrime marketplaces and requiring little technical skill to use, their malware campaigns look set to continue over the coming months.

“To protect against the latest threats, we advise that users and businesses avoid downloading materials from untrusted sites, particularly pirating sites. Employees should be wary of suspicious internal documents and check with the sender before opening. Organizations should also configure email gateway and security tool policies to block OneNote files from unknown external sources,” cautioned Patrick Schläpfer, malware analyst at the HP Wolf Security threat research team, HP Inc

From malicious archive files to HTML smuggling, the report also shows cybercrime groups diversify attack methods to bypass email gateways, as threat actors move away from Office formats.

“To protect against increasingly varied attacks, organizations must follow zero-trust principles to isolate and contain risky activities such as opening email attachments, clicking on links, or browser downloads. This greatly reduces the attack surface along with the risk of a breach,” said Dr. Ian Pratt, global head of security for personal systems at HP Inc.

HP Wolf Security runs risky tasks like opening email attachments, downloading files and clicking links in isolated, micro-virtual machines (micro-VMs) to protect users. It also captures detailed traces of attempted infections. HP’s application isolation technology mitigates threats that might slip past other security tools and provides unique insights into novel intrusion techniques and threat actor behavior.

For more information, visit: