Malware News Trojan Uses Recently Disclosed UAC Bypass to Install Fake Chrome Browser

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
A new trojan identified as Trojan.Mutabaha.1 uses a recently disclosed UAC bypass technique to install a heavily modified Outfire browser that replaces the user's native Google Chrome browser.


Outfire, which is a Chromium-based browser, looks very much like Chrome, with minimal changes to its setup. As such, the browser makes a fine choice for tricking the user into thinking they're using Chrome, when they're not.

Mutabaha was created between August 15 and 18
The Mutabaha trojan is one of the latest additions to the malware market. At this moment, researchers don't know how crooks are distributing the trojan to victims, but they found out how it infects their computers.

Russian security vendor Dr.Web says the trojan uses a UAC bypass technique to execute a series of files and commands on infected PCs without triggering the Windows UAC (User Account Control) alert.

The technique was only recently disclosed by two security researchers on August 15, two weeks ago. Their UAC bypass technique, which we explained in a previous article, uses the Windows Event Viewer built-in utility to skirt UAC protections.

Dr.Web says that Mutabaha appeared just three days after researchers published their UAC bypass method. When users run the trojan, it uses a system registry key to launch a program with elevated privileges that downloads and installs a malware dropper and a BAT file.

Crooks replace default Chrome with new browser called Outfire

This malware dropper downloads the Outfire browser and installs it automatically. After the installation ends, the BAT (Windows Batch) file deletes the malware dropper.

During installation, Outfire adds itself to the Windows Registry to gain boot persistence, removes Google Chrome shortcuts from the system, and imports Chrome settings into its own.

Read more: Trojan Uses Recently Disclosed UAC Bypass to Install Fake Chrome Browser
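As an added defensive check that is not part of the article or of the Dr.Web write-up, the read-only PowerShell audit below looks for the three traces the story describes on a single user's machine: a per-user registry override of the kind the Event Viewer bypass relies on, a Run-key entry that mentions Chrome but does not point at a Google Chrome install, and Chrome shortcuts that have gone missing while Chrome is still installed. The article names neither the registry key nor any paths; the mscfile handler key is assumed from the public August 2016 Event Viewer write-up the article refers to, and the Chrome directories and shortcut paths are assumed from typical Chrome installs, so adjust them for your environment.

```powershell
# Added example (not from the article or Dr.Web): read-only audit of the
# per-user locations relevant to this story. Run in the affected user's session.
# Assumptions (not stated on the page): the Event Viewer bypass plants a value
# under the user's own mscfile handler key; Outfire persists via a HKCU Run entry;
# Chrome lives in one of the usual install directories listed below.

$findings = @()

# 1. Per-user file-handler override used by the Event Viewer UAC bypass.
#    On a clean system this key does not exist under HKCU; the real handler lives in HKLM.
$hijackKey = 'HKCU:\Software\Classes\mscfile\shell\open\command'
if (Test-Path $hijackKey) {
    $cmd = (Get-ItemProperty -Path $hijackKey -ErrorAction SilentlyContinue).'(default)'
    $findings += [pscustomobject]@{
        Check  = 'EventViewerHandlerOverride'
        Where  = $hijackKey
        Value  = $cmd
        Reason = 'HKCU mscfile handler exists; Event Viewer would launch this instead of mmc.exe'
    }
}

# 2. Per-user Run entries that look like Chrome but do not resolve to a Chrome install.
$runKeys = @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce')
$chromeDirs = @("$env:ProgramFiles\Google\Chrome\Application",
                "${env:ProgramFiles(x86)}\Google\Chrome\Application",
                "$env:LOCALAPPDATA\Google\Chrome\Application")   # assumed typical locations
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        $value = [string]$p.Value
        $mentionsChrome = ($p.Name -match 'chrome') -or ($value -match 'chrome')
        $inChromeDir = $false
        foreach ($d in $chromeDirs) { if ($value -like "*$d*") { $inChromeDir = $true } }
        if ($mentionsChrome -and -not $inChromeDir) {
            $findings += [pscustomobject]@{
                Check  = 'ChromeLookalikeAutorun'
                Where  = "$key\$($p.Name)"
                Value  = $value
                Reason = 'Autorun mentions Chrome but does not point at a Google Chrome install'
            }
        }
    }
}

# 3. Shortcut removal: the article says Outfire deletes the Chrome shortcuts.
$shortcutPaths = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk",
                   "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk")
$chromeInstalled = $chromeDirs | Where-Object { Test-Path $_ }
if ($chromeInstalled -and -not ($shortcutPaths | Where-Object { Test-Path $_ })) {
    $findings += [pscustomobject]@{
        Check  = 'ChromeShortcutsMissing'
        Where  = ($shortcutPaths -join '; ')
        Value  = ''
        Reason = 'Chrome is installed but no Start Menu shortcut is present'
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

The script only reads; it changes nothing. A hit on the first check is the strongest signal, since that key has no legitimate reason to exist in a normal user hive, while the second and third checks are heuristics that a custom Chrome install or a user who tidied their Start Menu can trip, so treat them as prompts to look closer rather than as verdicts.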
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
It's not getting past Voodoo Shield, and it's my surrogate UAC.
This is scary in that it is delivering an annoyance, but it could be configured to deliver a much more nasty payload.
Thanks for this Heads Up Jack :)
 
