ChromeLoader, Malicious “Innovation Systems” Task, and RDP Abuse

ChromeLoader is a browser extension that hijacks user search queries and sends traffic to an advertising site and operates similar to other suspicious browser extensions (1). Unlike other malware variants, ChromeLoader injects itself into the browser and adds a malicious extension. By doing so, it is able to collect browser data, which could include browser stored passwords.

Threat actors using ChromeLoader have been previously observed gaining initial access via:

• Social engineering tactics,
• QR codes posted on social media sites, and
• Malicious advertisements (“malvertising”).

The APG predicts that threat actors will likely continue to use ChromeLoader over the next 12 months in an attempt to monitor browsing habits, collect sensitive data (such as credentials), and redirect traffic to malicious sources.

This assessment is based on Blackpoint Active SOC observed attacks, which include multiple incidents reported in last week’s Active SOC incident analysis alone (2), as well as additional external reporting detailing ChromeLoader incidents.

• 2023:
  • AhnLab researchers observed ChromeLoader campaigns targeting gamers by masquerading as hacks or cracks for Nintendo and Steam games (3).
  • HP and Wolf Security released a threat insight report detailing how a Google Chrome extension that could redirect victim’s search queries to malicious websites (4).
• 2022: Blackberry researchers observed ChromeLoader deployments relying on JavaScript, rather than PowerShell, with delivery via phishing emails with malicious ISO file attachments. (5).

Blackpoint’s APG recommends the following actions to help mitigate ChromeLoader malware infections. Note: many of the mitigations for ChromeLoader are the same as mitigations for other malicious activity.

• Monitor system activity through heuristics-based triggers and alerts, which can help identify anomalous scheduled tasks and user activity.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors often rely on scripting languages to deploy malware and conduct malicious activities.
• Implement the practice of least privilege, to ensure that users without elevated privileges are unable to create or modify Registry Run Keys and run malicious files.
• Implement browser extension allowlists, which can prevent the installation of unauthorized or malicious browser extensions.

Scheduled tasks are tasks that run in the background of a user’s endpoint and are scheduled to occur at specific intervals or triggers. Task triggers can include:

• A certain date and time;
• After a specific action occurs, such as a user logs in or system reboots; and
• On specific intervals, such as every 30 seconds.

Organizations’ authorized system adminitrators, IT professionals, and developers often use scheduled tasks to complete necessary actions and automate activities across their environments to save time and make recurring or manual tasks more manageable.

However, threat actors abuse the scheduled task feature of different operating systems to ensure persistence of malicious actions, such as executing malware each time the system is turned on (6).

And, in addition to writing their own original scheduled tasks, threat actors can take advantage of already present scheduled tasks to further obfuscate their activities, blending into normal traffic on a compromised network as part of a broader “living off the land” (LotL) strategy(7).

The APG predicts that threat actors will very likely continue to abuse scheduled tasks for persistence over the next 12 months.

This assessment is based on internal Blackpoint observed attack trends within partner managed environments across all industries, as well as external reporting related to the abuse of scheduled tasks for malicious purposes. Most notably:

• As of May 2024, at least 20 ransomware operators tracked by Blackpoint’s APG have been observed abusing scheduled tasks for execution and persistence as part of a wide range of cyberattacks.
• In January 2024, Purple Team security researchers reported that the Silk Typhoon (AKA HAFNIUM) APT group used scheduled tasks during their malicious campaigns to gain persistence on compromised networks (9). Of particular note, Silk Typhoon attackers specifically modified Registry Keys in their malware to create scheduled tasks.
• As far back as 2022, Red Canary researchers reported that scheduled task abuse was the seventh most prevalent technique used by threat actors that year(8).

Blackpoint’s APG recommends the following actions to help mitigate the abuse of scheduled tasks for persistence and execution.

• Monitor system activity through heuristics-based triggers and alerts, which can help identify anomalous scheduled tasks and user activity.
• Implement the practice of least privilege, to ensure that regular users do not have the ability to create or modify scheduled tasks.
• Ensure the operating system is configured to prevent scheduled tasks from running as SYSTEM, and instead forces them to run under the context of an authenticated account.
• Regularly audit both the environment and endpoints to establish what a “normal” baseline looks like, as well as to quickly identify anomalous scheduled tasks that are indicative of malicious activity.

Remote Desktop Protocol (RDP) is a protocol that allows users to use a desktop remotely. Threat actor can, and often do, use RDP to gain initial access and move laterally through compromised networks. RDP is often used for two legitimate purposes:

1. Remote Desktop Access: Users can remotely access physical desktop computers from another device.
2. Remote administration: Users can perform remote administrative work by accessing the device.

Threat actors target RDPs in infected environments, abusing it in a variety of ways (10):

• Hijacking RDP sessions
• Abusing accessibility features, such as Sticky Keys
• Brute force attacks
• Deploying malware specifically designed to target and twist RDP functionality
• Protocol tunneling

The APG predicts that threat actors will very likely continue to abuse Remote Desktop Protocol (RDP) over the next 12 months.

This assessment is based on internal Blackpoint observed attacks within managed environments, as well as external reporting highlighting threat actors’ abuse of RDP for lateral movement in particular.

• As of May 2024, Blackpoint’s APG has tracked at least 31 ransomware operations that have previously abused RDP for malicious actions, most often lateral movement.
• In a report released April 2024, Sophos security researchers released incident analysis of incidents from 2023, and reported that RDP abuse was featured in 90% of their reviewed cases analyzed (11).
• In 2021, CrowdStrike researchers released attack details related to FIN7 (aka Carbon Spider, Sangria Tempest, Gold Niagara, ITG14, ELBRUS), a financially motivated threat group. The researchers reported that the group previously used RDP to move laterally through observed compromised networks (13).
• In 2020, Bitdefender researchers reported that the Iranian-linked threat group Chafer (aka APT39, Remix Kitten, ITG07) had been observed abusing RDP services for lateral movement and persistence in compromised networks (12).

Blackpoint’s APG recommends the following actions to help mitigate the malicious use of RDP for lateral movement and persistence.

• Ensure employees are using MFA and VPNs to access sensitive data and resources, which will provide an additional level of credential authentication when using services like RDP to access devices.
• Segment managed environments and networks to ensure critical systems are isolated from less secure areas and prevent unauthorized communication restrictions between segments. This segmentation helps prevent threat actors from using allowlisted services like RDP to move laterally within the network.
• Implement account lockout policies to aid in prevention of brute force attacks on RDP and other critical services and software.
• Monitor system activity through heuristics-based triggers and alerts, which can aid in detecting anomalous logins and behavior when threat actors abuse services like RDP.

1. Logpoint’s Blog: “Emerging Threats: ChromeLoader: A rise in malvertisers” by Nilaa Maharjan on 2022-07-20
2. Blackpoint Cyber’s Blog: “ChromeLoader, Telegram, RustDesk, and Tailscale” by Blackpoint Cyber on 2024-05-24
3. ASEC’s Blog: “ChromeLoader Disguised as Illegal Game Programs Being Distributed” by gygy0101 on 2023-02-23
4. HP’s Blog: “ChromeLoader malware campaign punishes pirating users” by HP on 2023-06-14
5. BlackBerry’s Blog: “ChromeLoader Infects the Browser by Loading Malicious Extension” by The BlackBerry Research & Intelligence Team on 2022-11-03
6. MITRE’s Repository: “Scheduled Task/Job: Scheduled Task” by MITRE on 2023-11-15
7. Center for Internet Security (CIS)’s Blog: “Abusing Scheduled Tasks with Living off the Land Attacks” by Valecia Stocchetti on N/A
8. Red Canary’s Blog: “Scheduled Task” by Red Canary on 2024-03-12
9. Purple Team’s Blog: “Scheduled Task Tampering” by Adminstrator on 2024-01-03
10. Blackpoint Cyber’s Blog: “How RDP Attacks Go Down” by Blackpoint Cyber on 2022-05-31
11. Sophos’s Blog: “It’s Oh So Quiet (?): The Sophos Active Adversary Report for 1H 2024” by John Shier; Angela Gunn on 2024-04-03
12. Bitdefender’s Blog: “Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia” by Liviu Arsene on 2020-05-21
13. CrowdStrike’s Blog: “CARBON SPIDER Embraces Big Game Hunting, Part 1” by Eric Loui; Josh Reynolds on 2021-08-30