New strain of malware attempts to entirely replace browser
Online security researchers at PCRisk have reported a new form of malware that imitates local installations of the Google Chrome browser to steal personal information, install more malware and displaying pop-up ads for other malicious websites.
The “eFast Browser” is based on Google's Chromium open-source browser, allowing it to maintain the look and feel of Google Chrome while disguising its malicious effects.
According to MalwareBytes, in order to be as comprehensive as possible in its attacks, the eFast Browser makes itself the default browser, taking over several system file associations, including HTML, JPG, PDF, and GIF.
It hijacks URL associations such as HTTP, HTTPS, and Mailto, and replaces existing Chrome desktop website shortcuts with its own versions.
Another point for concern is that installing this vicious malware drops a file called predm.exe in a folder called ‘Program Files\efas_en_110010107'. Upon inspection the file shows that it is misdated by a week earlier than the actual date of install and that the file description is “AA setup”. As it turns out this is another variant of malware Eorezo/Tuto4PC, according to these scan results at Virustotal.
How does the eFast Browser install itself? It sneaks itself into software installers, also known as Software Bundles. Ironically, the browser does clearly identify itself when visiting the "about" page from the settings menu. PCRisk has supplied a detailed removal instruction page.
Security expert SwiftOnSecurity noted the lengths Google Chrome goes to to secure users against in-browser malware, that attackers are now trying to overwrite the program completely. With Windows being the prime target in this attack, users are advised to be extra careful when using software installers from untrusted sources, the most common mistake being clicking the ‘next' button quickly while installing a program and not carefully reading what each page of the installer says.