According to a quarterly threat insights report by HP Wolf Security, March of this year saw the hatching of a particularly nefarious plot to infect Google Chrome users with a third-party Chrome extension bizarrely named “Shampoo.”
Don’t worry though, the primary targets of this malware infestation are people who like to illegally stream or download movies and games online. So you’re probably fine, and there’s no need to concern yourself with such a problem.
... Yes, I’ll tell you how HP Wolf Security suggest to remove it later in the article.
Chrome Shampoo extension malware: What does it do?
“Shampoo” is a variant of the browser hijacking ChromeLoader malware and an illegitimate Chrome extension that can’t be found on the Chrome Web Store. Instead, the software infects browsers by tricking users into running malicious code, triggering a series of further scripts to download the extension in the background. Once downloaded, the extension will load itself into a browser session and set up a number of failsafes to prevent its removal.
Once “Shampoo” is fully set up, your Chrome browser now becomes a de facto mining rig for its operators as the extension redirects search queries and injects adverts into the session – earning them money from the interactions in the process.
Chrome Shampoo extension malware: Am I infected?
This particular piece of malware isn’t all that bothered about keeping a low profile, so finding out if you are currently infected is relatively straightforward.
Open your Chrome browser and click the puzzle piece icon next to the address bar. Once the Chrome extension menu bar opens, you can quickly give it a scan to see if you’re one of those affected.
Don’t see “Shampoo” in the list? Congratulations! You’re either an upstanding member of the internet community, or a very astute pirate – either way, keep it up! (Being very astute, that is. Piracy is bad, you wouldn’t steal a car, would you?)
If you do find the “Shampoo” extension in this list, well don’t you worry either. Click the three dots next to the extension and choose “Remove from Chrome.” As you’ll see, the malware-infused extension has now vanished, leaving you free from its interference. At least, that would be the case if it wasn’t for all of those failsafes it set up on install.
What you’re likely to notice, is that in a short amount of time the infected extension will return and get to business as usual. You didn’t really think it would be that easy did you?
Chrome Shampoo extension malware: How to remove it
Getting completely rid of the “Shampoo” extension requires a certain level of haste and familiarity with a number of vital Windows systems. You’ll need to act fast within a short window of opportunity and disable a number of persistence mechanisms before the malicious code loops and reinstalls the malware onto your machine.
According to HP Wolf Security, you’ll need to complete the following tasks (preferably after restarting your machine to temporarily disable the looping background script and buy yourself more time):
- Remove the “Shampoo” Chrome extension as we covered in the previous section.
- Disable any scheduled tasks in the Windows Task Scheduler prefixed with “chrome_”. Legitimate Chrome scheduled tasks are normally prefixed with “Google” so don’t worry about disabling anything essential.
- Delete the following registry key: “HKCU:\Software\Mirage Utilities\”.
- Remove any folders prefixed with “Chrome_” from the following directory: “C:\Users\[Your Username]\AppData\Local”.
- Optional: It’s also generally recommended to perform a reset of your Chrome browser to its default settings after any infection. To do this, head to chrome://settings/reset in your Chrome browser and restore all settings to their original defaults.
A final piece of advice would be to install and perform a full scan with a reputable piece of anti malware software – such as Avast, MalwareBytes or Bitdefender.
Outlook
“Shampoo” might not be the first Chrome extension malware we’ve encountered, but it is the only other time outside of when people started pronouncing SOPA as a word that I’ve seen the idea of bathing and piracy brought so close together.
It’s always best to avoid sites of ill repute if you’re not protected by some sturdy antivirus software or too savvy with understanding what you might be downloading. Hopefully, if you’ve fallen victim to this campaign the information in this article will have helped you pry this pesky barnacle away from the hull of your favorite browser – and fingers crossed that should be the last of it.
Now go on, be off with you, you pirate rascal.
