Security experts from Malwarebytes have analyzed a new strain of malware that attempts to delete Chrome and replace it with a bogus version that allows attackers to hijack several file associations including HTML, JPG, PDF, and GIF, as well as URLs associations including HTTP, HTTPS, and MAILTO.
“In this episode we take a look at a hijacker that installs a new browser rather than hijacking an existing one. It even attempts to replace Chrome if that is already installed. To make sure that you will use your new browser, eFast makes itself the default browser and takes over some file-associations. ” states the blog post published by Malwarebytes.
The eFast Browser is based on Google’s Chromium open-source software, its appearance is not different from the legitimate Google Chrome, in this way it doesn’t raise suspicion in the victims.
The new malware belongs to the family of Adware, it is dubbed “eFast Browser” and it si able to do the following actions:
The eFast Browser is different from peers because it replacing the browser with a malicious copy of Chrome instead of taking control over it.
The eFast Browser installer remove all the shortcuts to the legitimate Google Chrome on the victims taskbar and desktop. It replaces any Chrome desktop website shortcuts with its own versions,
“The installer for eFast also deletes all the shortcuts to Google Chrome on your taskbar and desktop,” wrote Malwarebytes, “most likely hoping to confuse the user with their very similar icons.”
The malicious eFast Browser is developed by a company that calls itself Clara Labs, which is the author of similar browsers known as BoBrowser, Unico, and Tortuga.
Victims usually download the eFast Browser by launching software installers from untrusted sources on the Internet.
The experts also noticed that the eFast Browser drops a file called predm.exe in the folder %Program Files%\efas_en_110010107. Curiously the properties of the executable reveal that it is misdated by a week earlier than the installation date and that the “File description” is “AA setup”. Scanning the files with VirusTotal it is possible to verify that it is a strain of the Eorezo/Tuto4PC malware.
As it turns out this is another Eorezo/Tuto4PC variant according to these scanresults at Virustotal.
If you have been infected follow the removal procedure published by PCRisk.
(Security Affairs – eFast Browser, malware)