Malware Masquerades as Chrome

Thursday, October 22, 2015 @ 02:10 PM gHale

Browser beware: There is a modified Google Chrome clone going around that attackers use to show users unwanted ads and redirect them to other malware infection points.

The faux browser is called eFast, and it lands on users' PCs when it is installed alongside other applications, said researchers at PCRisk and Malwarebytes.

This potentially unwanted application is based on the Chromium open source browser, the same code on which Google built Chrome.

The shared codebase allows the browser to easily pass as the real thing, and trick users into thinking they are using Chrome.

During eFast’s installation, the browser takes special care to remove any Google Chrome shortcuts, and replaces them with its own, using an icon specifically designed to look like Chrome’s.

Additional shortcuts for popular sites like YouTube, Amazon, Facebook, Wikipedia, and Hotmail are also placed on the desktop, all primed to open inside the eFast browser.

Malwarebytes also found the browser can change operating system settings: eFast changes default file associations and URL types, so whenever the user clicks any HTML, GIF, or JPEG document inside their operating system, eFast is used instead of the previously set application.

To date, researchers have detected eFast placing itself as the default application for the following file types: HTM, HTML, SHTML, XHTML, XHT, WEBP, PNG, JPG, JPEG, GIF, and PDF.

URLs with the following protocols also opened by default in eFast: HTTP, HTTPS, FTP, IRC, MAILTO, MMS, SMS, SMSTO, TEL, NEWS, NNTP, URN, and WEBCAL.
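
To check a Windows machine for this kind of takeover, the following PowerShell audit (an added example, not code from PCRisk or Malwarebytes) reads the current user's default handler for every file type and protocol listed above and resolves it to the executable that will actually launch. The `$expected` allowlist is an assumption to edit for your environment; the registry locations are the standard per-user `UserChoice` keys.

```powershell
# Added example: list the per-user default handler for each file type and URL
# protocol named in the article, so an unexpected browser stands out.
$extensions = 'htm','html','shtml','xhtml','xht','webp','png','jpg','jpeg','gif','pdf'
$protocols  = 'http','https','ftp','irc','mailto','mms','sms','smsto','tel','news','nntp','urn','webcal'

# Assumption: substrings of handler paths you expect on this machine. Edit to suit.
$expected = @('\Google\Chrome\Application\chrome.exe', '\Internet Explorer\iexplore.exe')

function Get-UserChoice([string]$Key) {
    # The user's explicit default lives in the ProgId value under <key>\UserChoice.
    # No UserChoice means the machine-wide default applies; that is not checked here.
    $item = Get-ItemProperty -LiteralPath "$Key\UserChoice" -ErrorAction SilentlyContinue
    if ($item) { return $item.ProgId }
    return $null
}

function Get-HandlerCommand([string]$ProgId) {
    # Resolve a ProgId to the command line registered for its "open" verb.
    if (-not $ProgId) { return $null }
    $key  = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
    if ($item) { return $item.'(default)' }
    return $null
}

$fileRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts'
$urlRoot  = 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations'
$targets  = @($extensions | ForEach-Object { @{ Kind = 'file'; Name = ".$_"; Key = "$fileRoot\.$_" } })
$targets += @($protocols  | ForEach-Object { @{ Kind = 'url';  Name = $_;    Key = "$urlRoot\$_" } })

$report = foreach ($t in $targets) {
    $progId  = Get-UserChoice $t.Key
    $command = Get-HandlerCommand $progId
    $known   = $false
    foreach ($e in $expected) {
        if ($command -and $command.IndexOf($e, [StringComparison]::OrdinalIgnoreCase) -ge 0) { $known = $true }
    }
    [pscustomobject]@{
        Kind = $t.Kind; Name = $t.Name; ProgId = $progId; Command = $command
        Review = [bool]($progId -and -not $known)   # set handler that is not on the allowlist
    }
}
$report | Sort-Object Review -Descending | Format-Table -AutoSize
```

Rows with `Review` set to `True` are the ones to inspect; many file types and protocols resolving to the same unfamiliar executable matches the behaviour described above.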