Serious Discussion Chromstera browser and malicious extensions

nicolaasjan

nicolaasjan

Level 3
Thread author
May 29, 2023
142
Lately i see a lot of posts on Reddit about infections with a browser hijacker that comes along with Chromstera (probably installed as a PUP via a game mod).
The extensions have random Latin plant or animal names and cannot be removed normally due to a policy in the registry.

I have regularly pointed these victims to the Windows Malware Removal Help & Support section here.

They often say that Malwarebytes cannot remove it.
Why is that?
It exists for quite some time now.
 
  • Like
Reactions: Nevi, vtqhtr413, TairikuOkami and 3 others
Ink

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
nicolaasjan said:
They often say that Malwarebytes cannot remove it.
Why is that?
It exists for quite some time now.
Click to expand...

Quote from Bot:
The reason why Malwarebytes and other security programs may struggle to remove the browser hijacker associated with Chromstera is that these malicious extensions are designed to be persistent and difficult to uninstall. They often employ sophisticated techniques to evade detection and removal by security software.

Some common techniques used by these malicious extensions include modifying the Windows registry to enforce policies that prevent their removal, injecting code into legitimate processes to maintain persistence, and using obfuscation techniques to hide their presence from security scanners.

Additionally, these browser hijackers often have rootkit-like capabilities, allowing them to hide deep within the system and make it more challenging for security programs to locate and eliminate them.

To effectively remove such persistent and stubborn threats, it is advisable to seek expert assistance from dedicated malware removal forums or professional cybersecurity services. These resources have experienced volunteers or specialists who can provide customized guidance and tools to help rid your system of these infections.
Click to expand...

Quote from Copilot:
Browser hijackers can be challenging to remove because they often make modifications beyond the browsers, such as changing entries in the registry. This allows them to persistently remain on the system they are affecting

Malwarebytes might be unable to remove a browser hijacker due to several reasons:
  • The hijacker could have created certain policies or installed additional files that prevent its removal.
  • Sometimes, Malwarebytes might be unable to identify the malware. In such cases, manual intervention might be required to identify and remove the malware.
  • The presence of cracked or hacked programs can also make a computer a malware victim. Such programs are often the leading cause of ransomware encryptions and trojan infections.
Click to expand...

Aftermath
Some browser hijackers are programmed to make certain modifications beyond the browsers, like changing entries on the registry. Doing so allows it to persistently remain on the system it is affecting, and removing it will be a challenge. Hijackers can also cause instability on systems and severely disrupt user experience, especially when they bombard users with ads and redirect users to sites they would not normally visit themselves.
Click to expand...
Blog: Browser Hijackers | What is a Browser Hijacker & how to remove it? | Malwarebytes Labs
 
  • Like
Reactions: Nevi, icotonev, nicolaasjan and 2 others
nicolaasjan

nicolaasjan

Level 3
Thread author
May 29, 2023
142
Hmm...
Then Malwarebytes is not as powerful as I thought.

Could that be because the indicators of compromise are changing all the time (different extension names and ID's)?
(the registry part should be easy; Malwarebytes can reset Chrome policies to default)

Malwarebytes may also be hesitant to uninstall a complete browser?
 
  • Like
Reactions: Nevi, vtqhtr413, TairikuOkami and 1 other person
nicolaasjan

nicolaasjan

Level 3
Thread author
May 29, 2023
142
I found another variant of this shady browser: Artificius Browser. :cautious:
https://www.artificius.com/
Webpage looks remarkably similar.

SHA256: 924cbd3968ecae2a46102f47a08661f889fd6427a7e906f44090b818ae69a6dc

C:\Program Files (x86)\Artificius Browser Solutions C:\ProgramData\Artificius Browser Solutions C:\WINDOWS\system32\Tasks\ArtificiusUpdater C:\Users\user\AppData\Roaming\Artificius Browser Solutions C:\Users\user\AppData\Local\apps.crx HKLM\SOFTWARE\Policies\Mozilla\Firefox: Restriction HKLM\SOFTWARE\Policies\Google: Restriction HKLM\SOFTWARE\Policies\Microsoft\Edge: Restriction HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiSpyware] Restriction HKLM\SOFTWARE\Microsoft\Windows Defender: [DisableAntiVirus] Restriction

Again a generic "removal guide" on the MalwareTips blog...

VirusTotal screenshot:
Screenshot_2024-01-02.png
 
Last edited:
  • Like
Reactions: Nevi and roger_m

Similar threads

H
    • Like
    • +Reputation
    • Applause
Advice Request Choose your browser carefully
Replies
9
Views
2,315
Other Browsers
HarborFront
H
oldschool
    • Like
    • +Reputation
New Update Google’s Manifest V3 Still Hurts Privacy, Security, and Innovation
Replies
92
Views
11,592
Web Extensions
oldschool
oldschool
Gandalf_The_Grey
    • Like
    • +Reputation
Advice Request Opera browser and Opera GX are not blocking ads on YouTube
Replies
9
Views
2,256
Opera
Templarware
Templarware

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top