If you’re involved in cybersecurity defense and not yet aware of Charcoal Stork, it’s time to learn about it. According to Red Canary’s recent “2024 Threat Detection Report”, Charcoal Stork, a suspected pay-per-install (PPI) content provider, made its debut in the “Top 10” threats of 2023, claiming the top spot. It is believed that Charcoal Stork uses malvertising and SEO optimization to gain trust and bait victims into visiting sites that serve its malicious files, usually disguised as wallpapers, online gaming or livestreaming applications.
Charcoal Stork Deployed as a Browser Extension and Difficult to Detect as Malicious
The majority of Charcoal Stork payloads involve a browser extension that redirects search engine queries to a designated domain. However, certain payloads, such as ChromeLoader, contain all the components needed for backdoor access and code execution. Because Charcoal Stork and ChromeLoader are so tightly linked, many research teams track them together as the “ChromeLoader family”.
A single Charcoal Stork installer can be reused many times to distribute the same payload to different victims, often under different filenames chosen to match the victim’s search queries. The campaign uses several distinct installers, each delivering a range of payloads, which makes detection more difficult.
ChromeLoader can look like an innocent browser extension, but it is designed to steal your search queries and redirect traffic to an advertising site. ChromeLoader stands out from other malvertising campaigns by injecting itself into the browser and adding a malicious extension using PowerShell. This technique is not commonly employed, which makes it difficult to detect with many security tools.
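The PowerShell-driven extension sideloading described above leaves a trace in process-creation telemetry: a scripting host spawns the browser with an unpacked extension on its command line. The following detector is an added example written for this page; it is not code from the original post or from Seraphic. It assumes Chromium’s `--load-extension` switch is the sideloading mechanism (an assumption about the technique, not something the post states), and the “key=value | key=value” event layout and the sample events themselves are constructed for illustration.

```python
"""Flag browser processes that were started with an unpacked-extension switch.

Added example (not from the original post). Assumptions:
  * Chromium-based browsers accept --load-extension=<dir> to sideload an
    unpacked extension; a script host launching the browser this way is the
    pattern worth alerting on.
  * Events are single lines of ' | '-separated key=value pairs, roughly
    mirroring Sysmon EventID 1 fields. The sample events are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Matches --load-extension followed by '=' or whitespace, case-insensitive.
SIDELOAD_SWITCH = re.compile(r"--load-extension(?:=|\s)", re.IGNORECASE)

# Constructed sample telemetry: a normal launch, a PowerShell-driven sideload,
# a non-browser using the same switch, and a developer sideload from Explorer.
SAMPLE_EVENTS = [
    r'EventID=1 | Image=C:\Program Files\Google\Chrome\Application\chrome.exe'
    r' | ParentImage=C:\Windows\explorer.exe'
    r' | CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'EventID=1 | Image=C:\Program Files\Google\Chrome\Application\chrome.exe'
    r' | ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    r' | CommandLine="chrome.exe" --load-extension=C:\Users\Public\archive_viewer'
    r' --no-first-run --restore-last-session',
    r'EventID=1 | Image=C:\Users\dev\AppData\Local\Programs\VSCode\Code.exe'
    r' | ParentImage=C:\Windows\explorer.exe'
    r' | CommandLine=Code.exe --load-extension=C:\dev\plugin',
    r'EventID=1 | Image=C:\Program Files\Google\Chrome\Application\chrome.exe'
    r' | ParentImage=C:\Windows\explorer.exe'
    r' | CommandLine=chrome.exe --load-extension=C:\dev\myext',
]


@dataclass
class Finding:
    line_no: int
    severity: str
    reason: str
    parent: str
    image: str
    command_line: str


def parse_event(line: str) -> Dict[str, str]:
    """Split ' | '-separated key=value pairs; only the first '=' separates key."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(events: List[str]) -> List[Finding]:
    """Return one Finding per browser launch that carries --load-extension.

    Severity is 'high' when the parent is a scripting host (the ChromeLoader
    pattern) and 'medium' otherwise, so developer sideloads are surfaced
    without being mistaken for script-driven persistence.
    """
    findings: List[Finding] = []
    for n, line in enumerate(events, 1):
        ev = parse_event(line)
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image not in BROWSERS or not SIDELOAD_SWITCH.search(cmd):
            continue
        if parent in SCRIPT_HOSTS:
            severity, reason = "high", f"browser sideloaded an extension from script host {parent}"
        else:
            severity, reason = "medium", "browser started with --load-extension"
        findings.append(Finding(n, severity, reason, parent, image, cmd))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] event {f.line_no}: {f.reason}\n    {f.command_line}")
```

Run over the constructed events, the detector reports the PowerShell-spawned launch as high severity and the Explorer-spawned developer sideload as medium; the VS Code line is ignored because the image is not a browser. In production the parent-process set and the browser list would be tuned to the estate, and a hit should be correlated with the extension directory on disk and any network activity to the redirect domain.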
Seraphic’s Unique Approach to Preventing Charcoal Stork and other Browser Attacks
Charcoal Stork is representative of attackers’ growing use of malware that targets browsers. This should not be surprising, as the browser is generally the only asset on an endpoint that routinely runs untrusted code.
Seraphic’s approach to securing web browsers addresses Charcoal Stork and other malicious actors like it, and does so fully transparently to end users. It does this by:
- Preventing malicious JavaScript from running and immunizing the browser against commonly exploited memory corruption bugs, using Moving Target Defense (MTD).
- Blocking “HTML smuggling” attacks, which download malicious files automatically without user consent.
- Automating extension management policies to prevent extension sideloading and the installation of extensions that come from untrusted origins or carry high-risk scores, and automatically removing any known malicious extensions.