ChromeLoader malware campaign punishes pirating users, HP warns
June 14 2023 - 8:00AM
HP Inc. (NYSE: HPQ) today issued its quarterly HP Wolf Security
Threat Insights Report, showing threat actors are hijacking users’
Chrome browsers if they try to download popular movies or video
games from pirating websites.
By isolating threats that have evaded detection tools on PCs, HP
Wolf Security has specific [1] insight into the latest techniques
being used by cybercriminals in the fast-changing cybercrime
landscape. To date, HP Wolf Security customers have clicked on over
30 billion email attachments, web pages, and downloaded files with
no reported breaches.
Based on data from millions of endpoints running HP Wolf
Security [2], the researchers found:
- The Shampoo Chrome extension is hard to wash out: A campaign
distributing the ChromeLoader malware tricks users into installing
a malicious Chrome extension called Shampoo. It can redirect the
victim’s search queries to malicious websites, or to pages that
earn the criminal group money through ad campaigns. The malware is
highly persistent, using Task Scheduler to re-launch itself every
50 minutes.
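The persistence detail above (a scheduled task that re-launches the malware every 50 minutes) is something a defender can hunt for in exported task definitions. The following is an added example, not code from HP or from the report: it triages a Task Scheduler XML export (the format produced by `schtasks /Query /XML`) and flags tasks that repeat at a short interval and also launch Chrome or sideload an unpacked extension. The two task definitions, the file paths and the 60-minute threshold are constructed for the example; the XML namespace and element names are those of the Task Scheduler schema.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# ISO 8601 duration as Task Scheduler writes it, e.g. PT50M, PT1H, P1D.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_minutes(value: str):
    """Convert a Task Scheduler duration string to minutes (None if unparsable)."""
    m = _DURATION.match(value.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task_xml(xml_text: str, max_interval_minutes: float = 60) -> dict:
    """Flag a task that repeats often AND launches Chrome / sideloads an extension.

    The interval threshold and the pairing rule are constructed heuristics;
    tune them against the scheduled tasks that are normal in your fleet.
    """
    root = ET.fromstring(xml_text)
    intervals = [duration_minutes(e.text or "")
                 for e in root.findall(".//t:Repetition/t:Interval", TASK_NS)]
    intervals = [i for i in intervals if i is not None]
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    shortest = min(intervals) if intervals else None
    short = shortest is not None and shortest <= max_interval_minutes

    reasons = []
    if short:
        reasons.append(f"repeats every {shortest:g} min")
    if any("chrome" in cmd.lower() for cmd, _ in actions):
        reasons.append("action launches Chrome")
    if any("--load-extension" in args for _, args in actions):
        reasons.append("action sideloads an unpacked extension")
    hidden = root.findtext(".//t:Settings/t:Hidden", default="false",
                           namespaces=TASK_NS).strip().lower() == "true"
    if hidden:
        reasons.append("task is hidden")
    return {
        "shortest_interval_min": shortest,
        "actions": actions,
        "reasons": reasons,
        # Short interval alone is common (updaters); require a second signal.
        "suspicious": short and len(reasons) >= 2,
    }


# Constructed sample: a logon task that re-runs every 50 minutes and starts
# Chrome with an unpacked extension from a world-writable directory.
SAMPLE_SUSPICIOUS = """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <Repetition><Interval>PT50M</Interval><Duration>P1D</Duration></Repetition>
    </LogonTrigger>
  </Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe</Command>
      <Arguments>--load-extension=C:\\Users\\Public\\example_ext</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed sample: an ordinary vendor updater that checks twice a day.
SAMPLE_BENIGN = """
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT12H</Interval></Repetition>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\ExampleVendor\\updater.exe</Command></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        result = triage_task_xml(xml)
        print(name, result["suspicious"], result["reasons"])
```

Run the same function over every export from a host (one file per task) and review whatever comes back `suspicious`; the `reasons` list tells the analyst which signals fired so a noisy updater can be tuned out without dropping the interval check.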
- Attackers bypass macro policies by using trusted domains: While
macros from untrusted sources are now disabled, HP saw attackers
bypass these controls by compromising a trusted Office 365 account,
setting up a new company email, and distributing a malicious Excel
file that infects victims with the Formbook infostealer.
- Firms must beware of what lurks beneath: OneNote documents can
act as digital scrapbooks, so any file can be attached within.
Attackers are taking advantage of this to embed malicious files
behind fake “click here” icons. Clicking the fake icon opens the
hidden file, executing malware to give attackers access to the
user’s machine. This access can then be sold on to other
cybercriminal groups and ransomware gangs.
Sophisticated groups like Qakbot and IcedID first embedded
malware into OneNote files in January. With OneNote kits now
available on cybercrime marketplaces and requiring little technical
skill to use, their malware campaigns look set to continue over the
coming months.
“To protect against the latest threats, we advise that users and
businesses avoid downloading materials from untrusted sites,
particularly pirating sites. Employees should be wary of suspicious
internal documents and check with the sender before opening.
Organizations should also configure email gateway and security tool
policies to block OneNote files from unknown external sources,”
explains Patrick Schläpfer, Malware Analyst at the HP Wolf Security
threat research team, HP Inc.
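The OneNote finding above and the advice to block OneNote files at the email gateway both come down to one check: does an incoming `.one` section carry attached files, and what are they? The following is an added example, not code from HP or from HP Wolf Security: it recognises a OneNote section by its file-header GUID, walks every FileDataStoreObject (the structure OneNote uses to store an attachment's raw bytes, as laid out in Microsoft's MS-ONESTORE specification), classifies each payload by magic bytes and returns a gateway-style verdict. The magic-byte table, the verdict rules and the sample document (a constructed byte string standing in for a lure with a PNG "icon" and an `MZ` blob) are assumptions made for the example.

```python
import struct
import uuid

# GUID at offset 0 of a OneNote section (.one) file, stored little-endian.
ONE_FILE_GUID = uuid.UUID("{7B5C52E4-D88C-4DA7-AEB1-5378D02996D3}").bytes_le

# GUIDs that open and close each FileDataStoreObject (an attached file).
FDSO_HEADER = uuid.UUID("{BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC}").bytes_le
FDSO_FOOTER = uuid.UUID("{71FBA722-0F79-4A0B-BB13-899256426B24}").bytes_le

# Constructed magic-byte table. Script lures (.hta, .vbs, .cmd) have no magic
# and fall through to "unknown", which is why "unknown" still means review.
MAGICS = {
    b"MZ": "pe-executable",
    b"\x7fELF": "elf-executable",
    b"\x4c\x00\x00\x00": "windows-shortcut",
    b"PK\x03\x04": "zip-container",
    b"\xd0\xcf\x11\xe0": "ole-office",
    b"\x89PNG": "png-image",
    b"\xff\xd8\xff": "jpeg-image",
}
RISKY = {"pe-executable", "elf-executable", "windows-shortcut",
         "zip-container", "ole-office"}


def is_onenote(data: bytes) -> bool:
    """True when the buffer starts with the OneNote section file GUID."""
    return data[:16] == ONE_FILE_GUID


def extract_embedded_files(data: bytes) -> list:
    """Return (offset, payload) for every well-formed FileDataStoreObject.

    After the header GUID: cbLength (uint64 LE), 4 unused bytes, 8 reserved
    bytes, cbLength bytes of file data, then the footer GUID. The footer is
    searched in a small window so zero padding before it is tolerated.
    """
    found = []
    pos = data.find(FDSO_HEADER)
    while pos != -1:
        hdr_end = pos + 16
        if hdr_end + 20 > len(data):
            break
        (length,) = struct.unpack_from("<Q", data, hdr_end)
        start = hdr_end + 20
        end = start + length
        footer_at = data.find(FDSO_FOOTER, end, end + 24) if end <= len(data) else -1
        if footer_at != -1:
            found.append((pos, data[start:end]))
            pos = data.find(FDSO_HEADER, footer_at + 16)
        else:
            # Truncated or forged length field: skip this header, keep scanning.
            pos = data.find(FDSO_HEADER, hdr_end)
    return found


def classify(payload: bytes) -> str:
    """Label a payload by its leading bytes, or 'unknown'."""
    for magic, label in MAGICS.items():
        if payload.startswith(magic):
            return label
    return "unknown"


def scan_onenote(data: bytes) -> dict:
    """Gateway-style verdict: block risky embeds, review any other embed."""
    if not is_onenote(data):
        return {"is_onenote": False, "embedded": [], "verdict": "not-onenote"}
    embedded = [{"offset": off, "size": len(p), "type": classify(p)}
                for off, p in extract_embedded_files(data)]
    if any(e["type"] in RISKY for e in embedded):
        verdict = "block"
    elif embedded:
        verdict = "review"
    else:
        verdict = "allow"
    return {"is_onenote": True, "embedded": embedded, "verdict": verdict}


def build_fdso(payload: bytes) -> bytes:
    """Wrap a payload in a FileDataStoreObject (used only to build the sample)."""
    return (FDSO_HEADER + struct.pack("<Q", len(payload)) + b"\x00" * 12
            + payload + FDSO_FOOTER)


def build_sample() -> bytes:
    """Constructed stand-in for a lure section: a PNG 'icon' and an 'MZ' blob.

    Neither object is a real file and the buffer is not a real OneNote
    document; it carries just enough structure for the parser to find both.
    """
    fake_icon = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20
    fake_exe = b"MZ" + b"\x90" * 30
    return (ONE_FILE_GUID + b"\x00" * 48
            + build_fdso(fake_icon) + b"\x00" * 8 + build_fdso(fake_exe))


if __name__ == "__main__":
    report = scan_onenote(build_sample())
    print(report["verdict"],
          [(e["offset"], e["type"], e["size"]) for e in report["embedded"]])
```

Wired into a gateway, `block` would quarantine the message and `review` would hold it for an analyst; a file with no embedded objects at all can be released, which keeps legitimate note-taking traffic flowing while still enforcing the "unknown external source" policy the report recommends.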
From malicious archive files to HTML smuggling, the report also
shows cybercrime groups continue to diversify attack methods to
bypass email gateways, as threat actors move away from Office
formats. Key findings include:
- Archives were the most popular
malware delivery type (42%) for the fourth quarter running when
examining threats stopped by HP Wolf Security in Q1.
- There was a 37-percentage-point rise
in HTML smuggling threats in Q1 versus Q4.
- There was a 4-point rise in PDF
threats in Q1 versus Q4.
- There was a 6-point drop in Excel
malware (19% to 13%) in Q1 versus Q4, as the format has become more
difficult to run macros in.
- 14% of email threats identified by HP Sure Click bypassed one or
more email gateway scanners in Q1 2023.
- The top threat vector in Q1 was
email (80%) followed by browser downloads (13%).
“To protect against increasingly varied attacks, organizations
must follow zero trust principles to isolate and contain risky
activities such as opening email attachments, clicking on links, or
browser downloads. This greatly reduces the attack surface along
with the risk of a breach,” comments Dr. Ian Pratt, Global Head of
Security for Personal Systems, HP Inc.
HP Wolf Security runs risky tasks like opening email
attachments, downloading files and clicking links in isolated,
micro-virtual machines (micro-VMs) to protect users. It also
captures detailed traces of attempted infections. HP’s application
isolation technology mitigates threats that might slip past other
security tools and provides unique insights into novel intrusion
techniques and threat actor behavior.
About the data
This data was anonymously gathered within HP Wolf Security
customer virtual machines from January to March 2023.
About HP
HP Inc. (NYSE: HPQ) is a global technology leader and creator of
solutions that enable people to bring their ideas to life and
connect to the things that matter most. Operating in more than 170
countries, HP delivers a wide range of innovative and sustainable
devices, services and subscriptions for personal computing,
printing, 3D printing, hybrid work, gaming, and more. For more
information, please visit: http://www.hp.com.
About HP Wolf Security
HP Wolf Security is a new breed of endpoint security. HP’s
portfolio of hardware-enforced security and endpoint-focused
security services are designed to help organizations safeguard PCs,
printers, and people from circling cyber predators. HP Wolf
Security provides comprehensive endpoint protection and resiliency
that starts at the hardware level and extends across software and
services. Visit
https://www.hp.com/uk-en/security/endpoint-security-solutions.html.
Media Contact
Vanessa Godsal, HP Media Relations
vgodsal@hp.com
[1] HP has specific insight into the latest cybercriminal
techniques because it analyses real-world malware samples in
micro-virtual machines (micro-VMs), capturing detailed traces of
attempted infections.
[2] HP Security is now HP Wolf Security. Security features vary by
platform; please see the product data sheet for details.