Softpedia
 


May 16th, 2012, 09:02 GMT · By

Fake Google Chrome Installer Pushes Shady Bank Sites

The fake bank websites contain the
Google Chrome is a popular browser that’s currently utilized by millions of people worldwide, but users should be careful because not all “ChromeSetup.exe” files are genuine.

Security researchers from Trend Micro have found that the cybercriminals that serve fake Chrome installer files use a clever technique to make everything look as legitimate as possible.

The unsuspecting user is presented with a download link that apparently points to URLs such as:
- br.msn.com/ChromeSetup.exe;
- facebook.com.br/ChromeSetup.exe;
- google.com.br/ChromeSetup.exe;
- terra.com.br/ChromeSetup.exe.


While it may seem that the installer is hosted on legitimate domains, in reality the downloads are redirected to IP addresses that do not belong to MSN, Facebook, Google, or Terra. Experts have noticed that most of the users who access the links are from Brazil and Peru.
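The mismatch described above (a trusted hostname in the link, an unrelated IP serving the file) is something a defender can look for in web-proxy logs. The following is an added example, not code from Trend Micro or from this article; the log format, the `EXPECTED_NETS` inventory and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Hostnames taken from the download links listed in the article.
LURE_HOSTS = {"br.msn.com", "facebook.com.br", "google.com.br", "terra.com.br"}

# ASSUMPTION: networks each host is expected to resolve into. These are
# RFC 5737 documentation ranges standing in for an inventory you maintain.
EXPECTED_NETS = {
    "br.msn.com": ["192.0.2.0/24"],
    "facebook.com.br": ["198.51.100.0/25"],
    "google.com.br": ["198.51.100.128/25"],
    "terra.com.br": ["203.0.113.0/25"],
}

# Constructed proxy log lines: "timestamp client_ip host dest_ip path".
SAMPLE_LOG = """\
2012-05-16T09:00:01Z 10.0.0.5 google.com.br 198.51.100.200 /ChromeSetup.exe
2012-05-16T09:00:07Z 10.0.0.7 google.com.br 203.0.113.250 /ChromeSetup.exe
2012-05-16T09:01:12Z 10.0.0.9 terra.com.br 203.0.113.10 /index.html
2012-05-16T09:02:30Z 10.0.0.9 FACEBOOK.COM.BR 192.0.2.77 /chromesetup.exe?src=ad
this line is malformed and must be skipped
"""

def is_expected(host, dest_ip):
    """True if dest_ip falls inside a network recorded for host."""
    nets = EXPECTED_NETS.get(host, [])
    return any(dest_ip in ipaddress.ip_network(n) for n in nets)

def find_suspicious(log_text):
    """Return (client, host, dest_ip) for ChromeSetup.exe downloads whose
    destination IP is outside the networks expected for the named host."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # not a record in the assumed format
        _ts, client, host, dest, path = parts
        try:
            dest_ip = ipaddress.ip_address(dest)
        except ValueError:
            continue  # unparseable destination address
        host = host.lower().rstrip(".")
        # Compare only the file name, ignoring query string and case.
        filename = path.split("?", 1)[0].rsplit("/", 1)[-1].lower()
        if (host in LURE_HOSTS and filename == "chromesetup.exe"
                and not is_expected(host, dest_ip)):
            hits.append((client, host, str(dest_ip)))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious download:", hit)
```
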

Further analysis of this threat has revealed that the “ChromeSetup.exe” file is actually a piece of malware identified as TSPY_BANKER.EUIQ.

Once it finds itself on a system, the malicious element starts sending information gathered from the device to its command and control server.

TSPY_BANKER.EUIQ also downloads a configuration file and the fun begins. From this point on, each time the victim tries to access a bank website, the malware will step in and redirect the session to a phony bank site.

First, a pop-up notifies the user that security software is being loaded, after which Internet Explorer is opened and the fake website is loaded.

Furthermore, since some banks offer legitimate fraud protection software to their customers, such as the GbPlugin from a Brazilian bank, the malware authors have integrated a component called TROJ_KILSRV.EUIQ which uninstalls such applications.

Experts believe that this particular malware is still in development, and they don’t rule out the possibility of improved versions being launched in the future.

The most interesting thing about the Banker is the fact that it somehow manages to redirect users from Facebook and Google to the IPs controlled by the cybercriminals. Trend Micro hasn't figured out how they can pull this off.

Fortunately for internauts, modern-day security solutions possess the ability to identify threats simply by analyzing their actions, which is why we must highlight again the importance of an antivirus application. Make sure you have one and keep it updated at all times.

