Fake Chrome browser used to show ads to infected users

Aug 30, 2016 13:40 GMT  ·  By

A new trojan identified as Trojan.Mutabaha.1 uses a recently disclosed UAC bypass technique to install a heavily modified build of the Outfire browser, which then replaces the user's installed Google Chrome browser.

Outfire is a Chromium-based browser that looks very much like Chrome, with only minimal changes to its setup. That makes it a convenient choice for tricking users into believing they are still running Chrome when they are not.

Mutabaha was created between August 15 and 18

The Mutabaha trojan is one of the latest additions to the malware market. At the moment, researchers do not know how the crooks are distributing the trojan to victims, but they have worked out how it infects their computers.

Russian security vendor Dr.Web says the trojan uses a UAC bypass technique to execute a series of files and commands on infected PCs without triggering the Windows UAC (User Account Control) prompt.

The technique was only recently disclosed, on August 15, two weeks ago, by two security researchers. Their UAC bypass, which we explained in a previous article, abuses the built-in Windows Event Viewer utility (eventvwr.exe): on default UAC settings Event Viewer starts elevated without a prompt, and before it loads its snap-in it looks up the handler for .msc files in the current user's registry hive (HKCU\Software\Classes\mscfile\shell\open\command), a location any standard user can write to. Whatever command is planted there is launched with the elevated token, and no UAC prompt is ever shown.

Dr.Web says that Mutabaha appeared just three days after the researchers published their UAC bypass method. When a user runs the trojan, it writes a command to a registry key in the current user's hive (which requires no admin rights) that an auto-elevated system program consults at startup, so the command runs with elevated privileges. That command downloads and installs a malware dropper and a BAT file.
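As an added example (not code from this article or from Dr.Web), the following Python scans constructed Sysmon-style log lines for the two traces the publicly documented Event Viewer bypass leaves on a host: a write to the mscfile handler key in a user hive (Sysmon Event ID 13, registry value set) and eventvwr.exe spawning a child process other than mmc.exe (Sysmon Event ID 1, process create). The log line format, the user paths, the SID and the file names are made up for the example; the registry key and the eventvwr.exe to mmc.exe parent-child relationship are those of the public bypass technique, not details this article attributes specifically to Mutabaha.

```python
"""Scan Sysmon-style log lines for traces of the Event Viewer UAC bypass.

Added example, not code from the article or from Dr.Web. The log lines,
paths, SID and file names below are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Per-user handler key that auto-elevated eventvwr.exe resolves before it
# starts mmc.exe. Sysmon records HKCU as HKU\<SID>, so accept either form
# and any value name beneath the key.
MSCFILE_HANDLER = re.compile(
    r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Classes\\mscfile\\shell\\open\\command(\\|$)",
    re.IGNORECASE,
)
EVENTVWR = re.compile(r"\\eventvwr\.exe$", re.IGNORECASE)
MMC = re.compile(r"\\mmc\.exe$", re.IGNORECASE)  # the child Event Viewer normally spawns


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse 'EventID=13 | Field=value | ...' (constructed format) into a dict."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for either artefact of the bypass, else None."""
    event_id = int(ev.get("EventID", "0"))
    # Sysmon 13 (RegistryEvent, value set): the mscfile handler was written
    # in a user hive, which a standard user can do without any prompt.
    if event_id == 13 and MSCFILE_HANDLER.search(ev.get("TargetObject", "")):
        return Finding(13, "mscfile handler written in user hive",
                       f"{ev.get('Image')} set {ev.get('TargetObject')} -> {ev.get('Details')}")
    # Sysmon 1 (process create): eventvwr.exe should only ever launch mmc.exe;
    # any other child inherited its elevated token.
    if (event_id == 1 and EVENTVWR.search(ev.get("ParentImage", ""))
            and not MMC.search(ev.get("Image", ""))):
        return Finding(1, "eventvwr.exe spawned unexpected child",
                       f"{ev.get('Image')} (IntegrityLevel={ev.get('IntegrityLevel')})")
    return None


def scan(lines) -> list:
    """Run check_event over every non-empty line and collect the findings."""
    findings = []
    for line in lines:
        if line.strip():
            finding = check_event(parse_event(line))
            if finding:
                findings.append(finding)
    return findings


# Constructed sample log: one benign and one suspicious event of each kind.
SAMPLE_LOG = [
    r"EventID=13 | Image=C:\Users\alice\AppData\Local\Temp\setup.exe | EventType=SetValue"
    r" | TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command\(Default)"
    r" | Details=C:\Users\alice\AppData\Local\Temp\dropper.exe",
    r"EventID=13 | Image=C:\Windows\regedit.exe | EventType=SetValue"
    r" | TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\.txt\(Default) | Details=txtfile",
    r"EventID=1 | Image=C:\Windows\System32\mmc.exe | ParentImage=C:\Windows\System32\eventvwr.exe | IntegrityLevel=High",
    r"EventID=1 | Image=C:\Users\alice\AppData\Local\Temp\dropper.exe"
    r" | ParentImage=C:\Windows\System32\eventvwr.exe | IntegrityLevel=High",
    r"EventID=1 | Image=C:\Windows\System32\cmd.exe | ParentImage=C:\Windows\explorer.exe | IntegrityLevel=Medium",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[Sysmon {f.event_id}] {f.reason}: {f.detail}")
```

Run against the constructed sample, the scan reports the handler write by setup.exe and the dropper.exe child of eventvwr.exe, and stays quiet on the regedit .txt change, the normal mmc.exe child and the explorer-launched cmd.exe. On a real host the registry check is the more robust of the two, because it fires when the key is planted, before Event Viewer is ever launched.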

Crooks replace default Chrome with new browser called Outfire

This malware dropper downloads the Outfire browser and installs it automatically. After the installation ends, the BAT (Windows Batch) file deletes the malware dropper.

During installation, Outfire adds itself to the Windows Registry to gain boot persistence, removes Google Chrome shortcuts from the system, and imports Chrome settings into its own.

At the end of the installation, Outfire goes through a list of 56 process names belonging to known browsers and kills every matching process running on the system.

The modified Outfire build features a homepage the user cannot change, a fixed extension that inserts ads into every visited web page, and a custom search engine in place of Google.

[Images: Outfire browser homepage; Outfire browser settings]