If you work in cybersecurity defense and are not yet aware of Charcoal Stork, it is time to learn about it. According to Red Canary’s 2024 Threat Detection Report, Charcoal Stork, a suspected pay-per-install (PPI) content provider, debuted in the report’s top ten threats for 2023 in first place. Charcoal Stork is believed to use malvertising and search engine optimization (SEO) to gain victims’ trust and lure them to sites serving its malicious files, usually disguised as wallpapers, online games, or livestreaming applications.
Charcoal Stork Deployed as a Browser Extension
Most Charcoal Stork payloads involve a browser extension that redirects search engine queries to a designated domain. Certain payloads, such as ChromeLoader, go further and contain all the components needed for backdoor access and code execution. Because Charcoal Stork and ChromeLoader are so tightly tied together, many research teams track them together as the “Chrome Loader Family”.
A single Charcoal Stork installer can be reused to distribute the same payload to many victims, often under a different filename chosen to match the victim’s search query. Several distinct installers are in circulation, each delivering a range of payloads, which makes the campaign harder to detect with static indicators.
ChromeLoader presents as an innocuous browser extension, but it is built to capture your search queries and redirect traffic to advertising sites. What sets it apart from other malvertising campaigns is its delivery: it uses PowerShell to launch the browser with its malicious extension loaded from disk through the --load-extension flag, rather than installing the extension through the Web Store. That technique was uncommon enough that few security tools were tuned to catch it.
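The delivery chain just described has a recognizable shape in process telemetry: a PowerShell encoded command, or a browser process whose parent is a script host, carrying --load-extension aimed at a directory the user can write to. As an added example (not code from this article, from Seraphic, or from Red Canary), the Python below scans Sysmon-style process-creation events for that shape. The field names, the browser and script-host lists, the user-writable path patterns and the sample events are all assumptions and constructed data, not real telemetry.

```python
"""Detect the ChromeLoader-style sideload chain in process-creation telemetry.

Added example; not Seraphic's or Red Canary's code. Assumes Sysmon-like events
carrying Image, ParentImage and CommandLine. Sample events are constructed.
"""
import base64
import ntpath
import re
from typing import Optional

# Chromium-based browsers that honour --load-extension (assumed in-scope set).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Script hosts that have no business launching a browser with an unpacked extension.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# --load-extension=<dir>, quoted or bare (Chromium also accepts a comma-separated list).
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]*)"|([^\s"]+))', re.IGNORECASE)
# powershell -e / -ec / -enc / -EncodedCommand <base64>
ENC_CMD = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Locations a user (or a dropper) can write to without admin rights (assumed patterns).
USER_WRITABLE = re.compile(r"\\(?:AppData|Users\\Public|Temp|ProgramData)\\", re.IGNORECASE)


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def extension_path(cmdline: str) -> Optional[str]:
    """Return the directory passed to --load-extension, or None."""
    m = LOAD_EXT.search(cmdline)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload (base64 over UTF-16LE)."""
    m = ENC_CMD.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def flag_event(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None if it is not interesting."""
    image = basename(event["Image"])
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")

    if image in BROWSERS:
        path = extension_path(cmdline)
        if path is None:
            return None
        # Any unpacked extension is worth a look; a script-host parent or a
        # user-writable extension directory is the ChromeLoader shape.
        suspicious = parent in SCRIPT_HOSTS or USER_WRITABLE.search(path) is not None
        return {"rule": "browser_load_extension",
                "severity": "high" if suspicious else "medium",
                "extension_path": path, "parent": parent}

    if image in {"powershell.exe", "pwsh.exe"}:
        # The browser launch may be hidden inside an encoded command; decode and re-check.
        script = decode_encoded_command(cmdline)
        path = extension_path(script) if script else None
        if path is None:
            return None
        return {"rule": "encoded_powershell_load_extension", "severity": "high",
                "extension_path": path, "parent": parent}
    return None


def scan(events: list) -> list:
    """Run flag_event over a batch of events and keep the findings, in order."""
    return [f for f in (flag_event(e) for e in events) if f is not None]


# Constructed sample telemetry (user, paths and extension directory are made up).
SAMPLE_SCRIPT = r'Start-Process "chrome.exe" "--load-extension=C:\Users\alice\AppData\Roaming\Chrome\Ext"'
ENCODED_SCRIPT = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
CHROME_EXE = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
POWERSHELL_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": POWERSHELL_EXE, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -e {ENCODED_SCRIPT}"},
    {"Image": CHROME_EXE, "ParentImage": POWERSHELL_EXE,
     "CommandLine": rf'"{CHROME_EXE}" --load-extension=C:\Users\alice\AppData\Roaming\Chrome\Ext --start-maximized'},
    {"Image": CHROME_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{CHROME_EXE}"'},
    {"Image": CHROME_EXE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": rf'"{CHROME_EXE}" --load-extension="C:\dev\my-extension"'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The last sample event shows why the rule reports two severities: extension developers legitimately launch a browser with --load-extension from their working directory, so the medium-severity findings should be tuned against an allowlist of known development paths, while a script-host parent or an AppData/Temp extension directory is reported as high and should be investigated as a possible ChromeLoader installation.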
Why Traditional Defenses Fail Against Charcoal Stork
Charcoal Stork is one example of a new generation of browser-based threats that can slip past traditional security controls. Legacy antivirus and endpoint detection and response (EDR) tools focus primarily on file-based malware and known network indicators, which leaves gaps for attacks that live inside the browser itself. Charcoal Stork relies on HTML smuggling, malvertising, and rogue browser extensions, vectors that rarely leave the file or network artifacts those tools inspect.
Campaigns like Charcoal Stork also ride on legitimate ad networks and hosting services, so their traffic is hard to distinguish from ordinary web browsing. Standard web proxies and security gateways typically have no visibility into obfuscated scripts executing inside the browser. As a result, by the time such a threat is detected it is often too late. This is why enterprises need browser-native security capable of identifying and blocking threats in real time, without relying only on signatures.
Seraphic’s Unique Approach to Preventing Charcoal Stork and Other Browser Attacks
Charcoal Stork is representative of attackers’ growing use of malware that targets the browser. That should not be surprising: on most endpoints the browser is the one application whose job is to run untrusted code from the internet. Seraphic’s approach to securing web browsers addresses Charcoal Stork and threats like it, and it does so transparently to end users. It does this by:
- Preventing malicious JavaScript from running, immunizing the browser against commonly exploited memory corruption bugs, and using Moving Target Defense (MTD).
- Blocking HTML smuggling attacks, in which a page assembles a malicious file client-side with JavaScript and writes it to disk without the user’s consent and without a conventional download that a gateway could inspect.
- Automating extension management policies to prevent side-loading of extensions and the installation of extensions from untrusted origins or with high risk scores, and automatically removing any known malicious extensions.
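The policy in the last bullet, gating extensions on where they came from and on what their manifest asks for, can be approximated outside any product. As an added example (not Seraphic’s code or product logic), the Python below scores an extension manifest for the capabilities a search hijacker needs and combines that score with the install origin recorded in a Chromium profile. The record layout, the ManifestLocation codes for unpacked and command-line extensions, the weights and thresholds, and the sample records are assumptions and constructed data; verify the location codes against the browser version you deploy.

```python
"""Gate browser extensions on install origin and a manifest risk score.

Added example; not Seraphic's product logic. Assumes extension records shaped
like entries in a Chromium profile's Preferences file (id, location,
from_webstore, manifest) and Chromium's ManifestLocation values for unpacked (4)
and command-line (8) extensions; confirm both against your browser version.
Sample records are constructed.
"""
from typing import Dict, List, Tuple

LOCATION_UNPACKED = 4      # "Load unpacked" from the extensions page
LOCATION_COMMAND_LINE = 8  # --load-extension, the path ChromeLoader takes

# Permissions that let an extension read or rewrite traffic, drive tabs, or reach the host.
HIGH_RISK_PERMS = {"webRequest", "webRequestBlocking", "declarativeNetRequest", "tabs",
                   "webNavigation", "cookies", "proxy", "management", "nativeMessaging", "debugger"}
ALL_URLS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
BLOCK_AT, REVIEW_AT = 7, 3  # score thresholds (assumed policy values)


def score_manifest(manifest: Dict) -> Tuple[int, List[str]]:
    """Return (score, reasons) for a manifest; higher is riskier."""
    score, reasons = 0, []
    search = manifest.get("chrome_settings_overrides", {}).get("search_provider")
    if search:  # the search-hijack capability Charcoal Stork payloads depend on
        score += 5
        reasons.append(f"overrides default search with {search.get('search_url')}")
    if "newtab" in manifest.get("chrome_url_overrides", {}):
        score += 2
        reasons.append("overrides the new-tab page")
    # MV2 keeps host patterns in "permissions"; MV3 moves them to "host_permissions".
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    for perm in sorted(perms & HIGH_RISK_PERMS):
        score += 2
        reasons.append(f"high-risk permission {perm}")
    if perms & ALL_URLS:
        score += 3
        reasons.append("host access to every URL")
    return score, reasons


def evaluate(record: Dict, allowlist=frozenset(), known_bad=frozenset()) -> Dict:
    """Decide allow / review / block / remove for one installed extension."""
    score, reasons = score_manifest(record["manifest"])
    if record["id"] in known_bad:
        decision = "remove"
        reasons.append("matches known-malicious extension list")
    elif record["id"] in allowlist:
        decision = "allow"
    elif record["location"] in (LOCATION_UNPACKED, LOCATION_COMMAND_LINE) or not record.get("from_webstore", False):
        decision = "block"  # origin alone is disqualifying, whatever the manifest says
        reasons.append("sideloaded: not installed from the Web Store")
    elif score >= BLOCK_AT:
        decision = "block"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "allow"
    return {"id": record["id"], "decision": decision, "score": score, "reasons": reasons}


# Constructed records; the IDs, names and search domain are made up.
HIJACKER = {
    "id": "abcdefghijklmnopabcdefghijklmnop", "location": LOCATION_COMMAND_LINE, "from_webstore": False,
    "manifest": {"manifest_version": 2, "name": "Wallpaper Helper",
                 "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>"],
                 "chrome_settings_overrides": {"search_provider": {
                     "search_url": "https://search.example/?q={searchTerms}", "is_default": True}}},
}
AD_BLOCKER = {
    "id": "ponmlkjihgfedcbaponmlkjihgfedcba", "location": 1, "from_webstore": True,
    "manifest": {"manifest_version": 3, "name": "Content Filter",
                 "permissions": ["declarativeNetRequest", "storage"], "host_permissions": ["<all_urls>"]},
}
NOTES = {
    "id": "aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbb", "location": 1, "from_webstore": True,
    "manifest": {"manifest_version": 3, "name": "Quick Notes", "permissions": ["storage"]},
}

if __name__ == "__main__":
    for rec in (HIJACKER, AD_BLOCKER, NOTES):
        print(evaluate(rec, allowlist={AD_BLOCKER["id"]}))
```

The ordering of the checks is the point: a known-bad ID is removed regardless of origin, a sideloaded extension is blocked regardless of score, and the score only decides among extensions that arrived through the Web Store. The content filter shows why a plain score is not enough on its own: broad host access plus request rewriting looks the same on paper for a legitimate blocker and for a hijacker, so Web Store extensions that need those capabilities are handled by an explicit allowlist rather than a higher threshold.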
In Conclusion
As browser-based threats like Charcoal Stork continue to evolve, organizations must adopt proactive and adaptive security measures, because traditional defenses often fall short against sophisticated malvertising campaigns and stealthy browser hijackers. Education also matters: take the time to train employees about the risks of clicking unfamiliar links or installing browser add-ons.
Seraphic’s innovative approach—leveraging Moving Target Defense, blocking HTML smuggling, and enforcing strict extension policies—offers robust safe browsing protection without disrupting user experience. By focusing on securing the browser, the primary interface between users and the internet, Seraphic empowers enterprises to stay ahead of emerging threats.
To learn how Seraphic can fortify your organization’s browser security, request a demo today.