Shampoo ChromeLoader Variant Difficult to Wash Out

Published: 23/11/2024   Category: security

A new version of the infamous browser extension is spreading through files on websites offering pirated wares and leverages unique persistence mechanisms.

Fake websites advertising pirated video games, films, and other wares are spreading a new variant of the ChromeLoader malware dubbed Shampoo that is anything but clean: It steals sensitive data, redirects searches, and injects ads into a victim's browser session.
Researchers from HP Wolf Security have been tracking the new campaign, which appears to have been active since March and distributes malware similar to the original ChromeLoader — first discovered in May 2022 — but that's noticeably harder to wash out of the proverbial IT hair thanks to multiple persistence mechanisms, they said.
The goal of the first version of ChromeLoader was to install a malicious Chrome extension for advertising, a process that includes a particularly complex infection chain that begins with victims downloading malicious ISO files from websites hosting illegal content that hijack browsers, wrote Jack Royer, an HP malware analyst intern, in a post on the HP Threat Research Blog published this week.
ChromeLoader used in the Shampoo campaign is very similar; it tricks victims into downloading and running malicious VBScript files from websites, eventually leading to the installation of a malicious Chrome browser extension, he explained. This campaign is very similar to ChromeLoader, in terms of its infection chain, distribution, and objective, with the two sharing code similarities and the ad-monetization feature.
One notable feature of Shampoo that's different from the original ChromeLoader is how it uses the browser's Task Scheduler to achieve persistence, by setting up a scheduled task to re-launch itself every 50 minutes, they said.
The script runs a PowerShell script that sets up the scheduled task, running a looping script every 50 minutes that downloads and runs another PowerShell script, the researchers said. This script downloads and installs the malicious ChromeLoader Shampoo extension that, once attached to a Chrome session, starts sending sensitive information back to a command and control (C2) server.
This persistence mechanism allows the malware to remain active despite reboots or the script being killed by a security tool or user, Royer wrote.
Users who encountered Shampoo did so by downloading illegal content from the Internet, such as movies, video games, or other files, from websites that offer pirated files, the researchers said. Victims are tricked into running malicious VBScripts that they think are pirated wares — for example, Cocaine Bear.vbs or Your download is ready.vbs — which triggers the infection chain, the researchers noted.
The extension is heavily obfuscated and contains many anti-debugging and anti-analysis traps, with its author appearing to have used a free online JavaScript obfuscator to make the malware harder to detect, Royer wrote.
Other malicious activities that ChromeLoader Shampoo carries out on a victim's machine include disabling search suggestions in the address bar; redirecting Google, Yahoo, and Bing searches to the C2; logging the victim's last search query in Chrome's local storage; and preventing victims from accessing chrome://extensions by redirecting them to chrome://settings, likely to stop them from removing the extension, the researchers said.
The persistence mechanism that sets up the scheduled looping task also unregisters a list of tasks prefixed with chrome_ — such as chrome engine, chrome policy, and chrome about, the researchers noted. This is likely done to remove any previous or competing version of the same malware, Royer wrote.
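The two behaviours just described, a task that re-runs a PowerShell downloader on a short repetition interval and the use of task names prefixed with "chrome", give a defender something concrete to hunt for. The following PowerShell triage script is an added example and is not code from HP Wolf Security's post or from this article; it assumes Windows 10/11 with the built-in ScheduledTasks module, an elevated prompt so that tasks in every folder are visible, and a 60-minute interval threshold and keyword list that are assumptions chosen for triage rather than values taken from the report.

```powershell
# Added example: hunt for scheduled tasks that resemble the Shampoo persistence
# pattern (short repetition interval, PowerShell action, "chrome"-prefixed name).
# Thresholds and keyword list are assumptions for triage, not indicators from HP.

function Find-SuspiciousScheduledTask {
    [CmdletBinding()]
    param(
        [int]$MaxIntervalMinutes = 60,   # assumed threshold; the report cites 50 minutes
        [string]$NamePrefix = 'chrome'   # the report describes tasks prefixed "chrome"
    )

    # Strings that commonly appear in download-and-launch PowerShell command lines.
    $downloadPattern = 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|EncodedCommand|-enc\b|WindowStyle Hidden|-w hidden'

    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        $reasons = [System.Collections.Generic.List[string]]::new()

        if ($task.TaskName -like "$NamePrefix*") {
            $reasons.Add("name starts with '$NamePrefix'")
        }

        # Trigger repetition is exposed as an ISO 8601 duration such as PT50M or PT1H.
        foreach ($trigger in $task.Triggers) {
            $interval = $trigger.Repetition.Interval
            if ($interval -and $interval -match '^PT(?:(\d+)H)?(?:(\d+)M)?$') {
                $minutes = 60 * [int]$Matches[1] + [int]$Matches[2]
                if ($minutes -gt 0 -and $minutes -le $MaxIntervalMinutes) {
                    $reasons.Add("repeats every $interval")
                }
            }
        }

        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match 'powershell|pwsh') { $reasons.Add('action launches PowerShell') }
            if ($cmd -match $downloadPattern) { $reasons.Add('action contains download/launch keywords') }
        }

        # Require at least two independent signals to keep ordinary maintenance tasks out.
        if ($reasons.Count -ge 2) {
            [PSCustomObject]@{
                TaskPath = $task.TaskPath
                TaskName = $task.TaskName
                Author   = $task.Author
                Command  = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                Reasons  = ($reasons | Select-Object -Unique) -join ', '
            }
        }
    }
}

Find-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
```

The script reports rather than removes: a hit should be compared against a known-good baseline of the host's tasks before anything is unregistered, and the matching task's command line gives the download URL that can be checked against the indicators of compromise HP published. Because Shampoo's own persistence script unregisters other "chrome"-prefixed tasks, a sudden disappearance of tasks with that prefix (visible in the Task Scheduler operational log) is itself worth noting alongside any task the script flags.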
Though the first version of ChromeLoader was similar to Shampoo in that it was mainly aimed at hijacking browser sessions and stealing victim data, it has since evolved into a more dangerous threat, with attackers now using it to drop ransomware, steal data, and crash systems at enterprises.
It's unclear if the Shampoo variant also will be leveraged in this way in the future. However, the researchers advised that people shouldn't take chances, and provided tips for how to avoid infection as well as a list of indicators of compromise in the post.
One obvious way to avoid compromise by the Shampoo variant is not to download pirated material from the Internet, and to avoid downloading any files from untrusted websites in general, they said. This is particularly true for employees using Chrome in a corporate environment, who should be particularly wary of downloading anything from the Internet via a corporate network (or onto a shared work/personal device), lest it spread throughout an organization.
Organizations should also configure email gateway and security tool policies to block files from unknown external sources as added protection, advised Patrick Schläpfer, malware analyst at the HP Wolf Security threat research team, in a press statement.
