If you’re a Google Chrome user and your browser suddenly looks a bit off and shows you pages you would never visit ordinarily, you may have been hit with the Mutabaha Trojan.
According to Dr. Web researchers, the Trojan is downloaded onto victims’ computers by a previously installed dropper. The dropper contacts a C&C server, which instructs it to download and install Mutabaha; the dropper then removes itself.
Once installed, the Trojan presents itself as Outfire, a special build of Google Chrome.
“During installation, it registers itself in the Windows system registry, launches several system services, and creates tasks in the Windows Task Manager in order to load and install its updates. In addition, Outfire modifies the installed Google Chrome browser by removing or creating new shortcuts and copying current Chrome user account information into the new browser,” the researchers explained.
This way, when you mean to open Chrome via the usual shortcut, you’re actually opening Outfire posing as Chrome, and because your Chrome profile data has been copied over, it looks like your own browser.
“Once the installation is complete, the fake browser displays a home page which cannot be changed in the browser’s settings. In addition, it has a fixed extension designed to replace advertisements in browsed webpages and uses its own search engine, set by default—however, it can be changed in the application’s settings,” the researchers noted.
There are two interesting things about this Trojan: it searches for and removes other fake browsers that it finds on the target system, and it uses a recently documented technique to bypass Windows’ User Account Control (UAC), so it can install without triggering a consent prompt.
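The installation behaviour described above (Chrome shortcuts redirected to the fake browser, update tasks registered for persistence) is something you can audit for on a Windows machine. The following PowerShell script is an added example written for this article; it is not Dr. Web’s code and not part of Outfire. It assumes that genuine Chrome lives in one of the three standard install paths listed in `$KnownChrome` and that its executable is Authenticode-signed with a Google certificate, and it assumes the "tasks" in the researchers’ quote are Task Scheduler entries. The shortcut directories, the signer check, and the "user-writable path" heuristic are all assumptions chosen for illustration.

```powershell
# Added example (not from the article or Dr. Web): look for a fake Chrome build
# that has hijacked Chrome shortcuts and registered scheduled tasks.
# Assumption: real chrome.exe is in one of these paths and is signed by Google.
$KnownChrome = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
)

function Test-GoogleSigned {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    return ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Google')
}

# Assumed shortcut locations a fake browser would overwrite or add to.
$ShortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)

$wsh = New-Object -ComObject WScript.Shell
$findings = @()

# 1. Any shortcut named like Chrome must resolve to a known, Google-signed chrome.exe.
foreach ($dir in $ShortcutDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue |
      Where-Object { $_.BaseName -match 'Chrome' } |
      ForEach-Object {
        $target = $wsh.CreateShortcut($_.FullName).TargetPath
        $ok = ($KnownChrome -contains $target) -and (Test-GoogleSigned $target)
        if (-not $ok) {
            $findings += [pscustomobject]@{
                Kind   = 'Shortcut'
                Item   = $_.FullName
                Target = $target
                Reason = 'Chrome shortcut does not resolve to a Google-signed chrome.exe'
            }
        }
      }
}

# 2. Scheduled tasks: flag any task whose action runs an unsigned binary from a
#    user-writable location (assumed heuristic for a self-updating fake browser).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))
        if ($exe -match '\\(AppData|ProgramData|Temp)\\' -and -not (Test-GoogleSigned $exe)) {
            $findings += [pscustomobject]@{
                Kind   = 'ScheduledTask'
                Item   = "$($task.TaskPath)$($task.TaskName)"
                Target = $exe
                Reason = 'Task launches an unsigned binary from a user-writable path'
            }
        }
    }
}

$findings | Format-Table -AutoSize
```

Run it from an elevated prompt so `Get-ScheduledTask` can enumerate tasks in every folder. A hit in the `Shortcut` rows means the shortcut the user clicks no longer points at Google’s own binary, which is exactly the swap the researchers describe; a legitimately relocated Chrome install will also show up, so compare the reported `Target` against where you expect Chrome to be before treating it as an infection. The scheduled-task heuristic is deliberately broad and will flag other unsigned updaters, so read those rows as leads, not verdicts.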
More technical details about the threat can be found here.