Shampoo malware extension ‘hard to wash out’, says HP

7 Jul 2023

Dodgy Chrome extensions, harmful emails and OneNote trickery are just a few of the major trends in the cyberthreat landscape, according to HP’s new report.

Cybercriminals are hijacking Chrome browsers and installing malicious extensions, according to the newest HP Wolf Security Threat Insights report.

The quarterly cyberthreat report reveals that threat actors have been targeting users through websites hosting pirated films and video games, where they have distributed malware called ChromeLoader that tricks users into installing a harmful extension called Shampoo.

When users try to download these pirated films and video games, they instead download a script which leads to the installation of the malicious extension on their browser.

“This extension captures browsing data alongside search history and can even redirect the victim’s search queries to any website they want,” according to Patrick Schläpfer, a malware analyst at HP Wolf Security.

“This means threat actors can send users to malicious websites, or simply to websites that will help fund ad campaigns for their cybercriminal organisation.”

“But,” adds Schläpfer, “the Shampoo extension is hard to wash out.” The report describes the malware as difficult to remove as it “relies on looping scripts and a Windows scheduled task to reinstall the extension whenever the victim removes it or reboots their device”.

And according to Schläpfer, if a user attempts to remove the scheduled task from the task manager, they risk “unintentionally deleting a legitimate task that could impact their machine”.

But how do you know if your browser is infected with the extension?

Schläpfer says that users will definitely be able to tell that they are compromised, as their web searches will direct them to other sites, search suggestions may no longer appear on the browser address bar and the search engine result can be from a completely different browser provider.

Infected emails from trusted accounts

Back in March, HP reported that Microsoft had been blocking macros in Office files by default since February, a move that at the time was deemed successful in blocking malicious code.

However, this most recent report indicates that threat actors have developed new techniques to bypass these macro policies. In one such incident, they compromised a trusted Office 365 account, logged into a company email and then distributed an Excel file that infects victims with the ‘Formbook infostealer’. Formbook, according to the report, is an “information stealer sold on hacking forums capable of recording keystrokes and stealing sensitive information”.

The incident has highlighted the dangers of automatically trusting files in emails, even if they come from within your organisation.

“Blindly trusting files because they came from within the organisation is a recipe for disaster,” said Schläpfer. “If just one corporate account is compromised, attackers can use this to move laterally across the corporate environment, escalate privileges and bypass detection measures.”

“Employees should be wary of suspicious internal documents and check with the sender before opening. Alternatively, extending the principle of least privilege to files received by endpoints – a zero-trust approach – would have protected users from the secondary infection.”

OneNote malware

According to the report, cyberattackers have started spreading malware using Microsoft OneNote by abusing the software’s ability to embed content. Attackers have been using images that look like program prompts and UI elements to trick users into running malicious code.

HP notes that OneNote will likely continue to be a popular destination for spreading malware as “attackers can run malicious code without relying on macros”, adding that enterprises and individuals “should check and implement defences to block this infection vector”.

Other notable trends

Alongside the major threats, the HP Wolf Security Threat Insights report listed some notable trends in the cyber landscape, including the continued diversification of malware delivery file types and techniques, which has been an ongoing trend since Q1 2022.

The report states that over the last three months, cyberattackers have alternated their delivery methods and techniques frequently, and have used formats such as PDF and HTML instead of Office formats like Excel and Word. Q1 of this year saw a 37pc rise in HTML threats compared to the previous quarter, while spreadsheet malware dropped from 19pc to 13pc.

Email has remained the top vector delivering threats to endpoints, accounting for 80pc of threats, which is an increase of 3pc from Q4 2022. Browser downloads came in second at 13pc.

Schläpfer stressed the importance of implementing a zero-trust policy to counteract these malicious campaigns. “By following the zero-trust principle of fine-grained isolation, organisations can use micro-virtualisation to make sure potentially malicious tasks – like clicking on links or opening malicious attachments – are executed in a disposable virtual machine separated from the underlying systems.

“This process is completely invisible to the user, and traps any malware hidden within, making sure attackers have no access to sensitive data and preventing them from gaining access and moving laterally.”

Colin Ryan is a copywriter/copyeditor at Silicon Republic