14 DAY TRIAL // There's a modified Google Chrome clone going around the Internet that's being used by attackers to show users unwanted ads and redirect them to other malware infection points.
The browser in question is named eFast, and according to security researchers at PCRisk and Malwarebytes, it infects user PCs after being installed alongside other applications.
This PUP (Potentially Unwanted Application) is based on the Chromium open source browser, the very same code on which Google Chrome is also built.
The shared codebase allows the browser to easily pass as the real deal, and successfully fool users into thinking they're actually using Chrome.
During eFast's installation, the browser takes special care to remove any Google Chrome shortcuts, and replaces them with its own, using an icon specifically designed to look like Chrome's, but slightly different.
Furthermore, additional shortcuts for popular sites like YouTube, Amazon, Facebook, Wikipedia, and Hotmail are all placed on the desktop, all primed to open inside an eFast browser.
eFast hijacks file and URL associations on infected systems
Malwarebytes has also observed the browser alters OS settings, eFast changing default file associations and URL types, so whenever the user clicked any HTML, GIF, or JPEG document inside their operating system, eFast would be used instead of the previously set application.
At the moment of writing this article, researchers have detected eFast placing itself as the default application for the following file types: HTM, HTML, SHTML, XHTML, XHT, WEBP, PNG, JPG, JPEG, GIF, and PDF.
Additionally, URLs with the following protocols were also opened by default in eFast: HTTP, HTTPS, FTP, IRC, MAILTO, MMS, SMS, SMSTO, TEL, NEWS, NNTP, URN, and WEBCAL.
eFast is being used to deliver adware and ads to users
Once the user was convinced (tricked) to use eFast, the browser's malware code injects ads inside their normal Web pages, and even redirect them to sites where other malware is being served.
Besides this, during the eFast installation, the predm.exe file was also placed inside the user's Program Files folder, file that is currently detected as infected by 44 antivirus engines on VirusTotal.
Both PCRisk and Malwarebytes provide instructions on how to remove eFast from infected computers.
