ChromeLoader Malware Detection

Detects execution of ChromeLoader malware via a registered scheduled task

Sigma rule

title: ChromeLoader Malware Detection
description: Detects execution of ChromeLoader malware via a registered scheduled task
status: experimental
date: 2022/01/10
author: '@kostastsale'   # a value starting with '@' must be quoted in YAML
references:
    - https://github.com/xephora/Threat-Remediation-Scripts/tree/main/Threat-Track/CS_INSTALLER
    - https://twitter.com/th3_protoCOL/status/1480621526764322817
    - https://twitter.com/Kostastsale/status/1480716528421011458
    - https://www.virustotal.com/gui/file/ded20df574b843aaa3c8e977c2040e1498ae17c12924a19868df5b12dee6dfdd
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        # Parent is a hidden PowerShell running an encoded command; "JAB" is the
        # base64 prefix of a UTF-16LE string that begins with "$"
        ParentCommandLine|contains: '-ExecutionPolicy Bypass -WindowStyle Hidden -E JAB'
        ParentImage|endswith: '\powershell.exe'   # endswith already implies a leading wildcard
    selection2:
        # Chrome started with an extension sideloaded from the user's local AppData;
        # '*' inside the value is a Sigma wildcard
        CommandLine|contains: '--load-extension="*\Appdata\local\chrome"'
        Image|endswith: '\chrome.exe'
    condition: selection1 and selection2
falsepositives:
    - Unlikely
level: high
tags:
    - attack.execution
    - attack.t1059.001
    - attack.persistence
    - attack.t1176
    - attack.t1053.005
