New strain of malware attempts to entirely replace browser

Online security researchers at PCRisk have reported a new form of malware that imitates local installations of the Google Chrome browser to steal personal information, install more malware and display pop-up ads for other malicious websites.

The “eFast Browser” is based on Google's Chromium open-source browser, allowing it to maintain the look and feel of Google Chrome while disguising its malicious effects.

According to MalwareBytes, to make its attack as comprehensive as possible, the eFast Browser makes itself the default browser, taking over several system file associations, including HTML, JPG, PDF and GIF.

It hijacks URL associations such as HTTP, HTTPS, and Mailto, and replaces existing Chrome desktop website shortcuts with its own versions.
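As an added defender-side check (not the article's own content, nor code from PCRisk or MalwareBytes), the following PowerShell script enumerates the handlers eFast is reported to take over (the http/https/mailto URL associations, the HTML/JPG/PDF/GIF file associations and desktop website shortcuts) and flags any that do not resolve to a browser in the assumed allow-list `$KnownBrowsers`.

```powershell
# Added defender-side check; not code from the article, PCRisk or MalwareBytes.
# Lists the URL-protocol handlers, file associations and desktop website shortcuts that a
# bundled browser such as eFast takes over, and flags any handler that is not one of the
# browsers in $KnownBrowsers (an assumed allow-list; adjust it to the browsers you deploy).

$KnownBrowsers = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'iexplore.exe')

function Get-HandlerCommand {
    param([string]$ProgId)
    if (-not $ProgId) { return $null }
    # HKCR merges HKLM\Software\Classes and HKCU\Software\Classes, so a per-user hijack shows up here too
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command"
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' }
}

function Test-KnownBrowser {
    param([string]$Path)
    if (-not $Path) { return $false }
    foreach ($exe in $KnownBrowsers) { if ($Path -match [regex]::Escape($exe)) { return $true } }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

# 1. URL protocol handlers chosen by the current user (the ones the report says eFast hijacks)
foreach ($proto in 'http', 'https', 'mailto') {
    $key = "HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\$proto\UserChoice"
    $progId = if (Test-Path $key) { (Get-ItemProperty -Path $key).ProgId }
    $cmd = Get-HandlerCommand $progId
    $findings.Add([pscustomobject]@{ Kind = 'URL'; Name = $proto; ProgId = $progId; Command = $cmd; Known = (Test-KnownBrowser $cmd) })
}

# 2. File-type associations listed in the report
foreach ($ext in '.html', '.htm', '.jpg', '.pdf', '.gif') {
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $progId = if (Test-Path $key) { (Get-ItemProperty -Path $key).ProgId }
    $cmd = Get-HandlerCommand $progId
    $findings.Add([pscustomobject]@{ Kind = 'File'; Name = $ext; ProgId = $progId; Command = $cmd; Known = (Test-KnownBrowser $cmd) })
}

# 3. Desktop shortcuts that launch a URL: eFast replaces Chrome website shortcuts with its own
$wsh = New-Object -ComObject WScript.Shell
foreach ($lnk in Get-ChildItem -Path ([Environment]::GetFolderPath('Desktop')) -Filter '*.lnk') {
    $sc = $wsh.CreateShortcut($lnk.FullName)
    if ($sc.Arguments -notmatch 'https?://') { continue }   # skip shortcuts that are not website launchers
    $findings.Add([pscustomobject]@{ Kind = 'Shortcut'; Name = $lnk.Name; ProgId = ''; Command = $sc.TargetPath; Known = (Test-KnownBrowser $sc.TargetPath) })
}

# Rows with Known = False point at an executable outside the allow-list and deserve a closer look
$findings | Sort-Object Known | Format-Table -AutoSize
```

Run it in the context of the affected user, since the UserChoice keys are per-user; a machine-wide default set under HKLM is covered through the HKCR lookup in Get-HandlerCommand.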

While in use, the malware displays pop-ups and search ads on top of the page you're visiting. Some of these ads lead to e-commerce sites, while others redirect to potentially malicious web pages, where there is a risk of installing more adware or malware. According to PCRisk, the browser also collects browsing information that could be personally identifiable. It is not known whether any privacy policy is in place to protect users.

Another point of concern is that installing this malware drops a file called predm.exe in a folder called ‘Program Filesefas_en_110010107’. On inspection, the file's timestamp is a week earlier than the actual installation date and its file description is “AA setup”. According to scan results at VirusTotal, this is another variant of the Eorezo/Tuto4PC malware.

How does the eFast Browser install itself? It is bundled into third-party software installers, commonly known as software bundles. Ironically, the browser clearly identifies itself on the "about" page of its settings menu. PCRisk has published detailed removal instructions.

Security expert SwiftOnSecurity noted that Google Chrome goes to such lengths to secure users against in-browser malware that attackers are now trying to replace the program altogether. With Windows the prime target of this attack, users are advised to be especially careful with software installers from untrusted sources; the most common mistake is clicking the ‘Next’ button quickly while installing a program without reading what each page of the installer says.
