ChromeLoader adware halted from broadcasting by Jamf Protect

The Jamf Threat Labs team recently updated the threat prevention rules in Jamf Protect to prevent the browser hijacking campaign that injects ads into Chrome and Safari browsers on macOS. Red Canary also published similar findings on the adware.

June 9, 2022 by Jamf Threat Labs

Threat: ChromeLoader

Affects: CrowdStrike researchers tracked an adware campaign that injects ads into Chrome and Safari browsers on macOS. Victims are tricked into opening a DMG file and running a shell script that masquerades as a legitimate installer application. The shell script modifies browser settings that allow ads to display.

The Chrome version of the install script loads a malicious Chrome extension to monitor browser activity.

The campaign leverages a combination of AppleScript and Python to infect devices.

Prevented by: Jamf Protect tracks this adware campaign and threat prevention rules block its execution as of March 22, 2022.

IoCs (as published by CrowdStrike):

Malicious URLs (as published by CrowdStrike):

Online ads bombarding your Mac? Don’t let questionable ads get in the way of productivity.

Contact Jamf or your preferred reseller to roll out Jamf Protect and get your macOS fleet secured against security threats today.
