Browser Hijackers Use File-in-the-Middle for Redirection

Two browser hijackers were recently observed using a file-in-the-middle attack between browser shortcuts and the actual browser to redirect users to the sites of their choice, Malwarebytes researchers warn.

According to researchers, while there isn’t additional proof that more browser hijackers will adopt this technique, it appears to be more than just a coincidence that two such threats, namely Dotdo Audio and HPRewriter2, have started employing it at the same time. Moreover, both use one of their own files to perform the nefarious activity, researchers have discovered.

Dotdo Audio is a new variant of the Dotdo strain of hijackers that has been spotted before, when it used different methods to get the job done. The newly observed version uses audio advertisements, while also replacing the browser executables with its own to achieve its purpose.

For that, the hijacker finds the firefox.exe and chrome.exe files and renames them by adding a number to the filename, after which it hides the renamed files and places its own in the same directory, under the original firefox.exe or chrome.exe name. Additionally, the malicious program alters the date of these changes, thus creating confusion.

“For the hijacker using the method of replacing files this has the advantage that they don’t have to follow the more common method of altering shortcuts. All the shortcuts the user has on his desktop, startmenu, taskbar, and anywhere else, can stay the same as the folder and filename they are pointing to are still valid and now under control of the hijacker,” Malwarebytes researchers explain.

After all these changes were made, when the user clicks on the browser shortcut, the false application is started. However, it would trigger the renamed firefox.exe or chrome.exe processes and add some extra instructions to them, which will result in the victim being able to surf the web as intended, while hearing the audio advertisements in the background.

The second browser hijacker found to use the file-in-the-middle approach is HPRewriter2, named this way after the entry it makes in the list of installed Programs and Features. This app was designed to change the browser on the compromised system to open with traffic-media[dot]co.

For that, the hijacker alters the browser shortcuts for Chrome, Firefox, Internet Explorer, Opera, and Yandex, and changes them to C:Users{username}AppDataRoamingHPRewriter2RewRun3.exe  {version number}. As it turns out, the version number is essential for the hijacker’s operation, as triggering Rewrun3.exe without it would accomplish nothing (it will not run). When triggered correctly, however, Rewrun3 opens the targeted browser with traffic-media[dot]co or another redirect.

According to security researchers, while these two hijackers are from different families and use different methods, they do have in common the fact that they alter browser behavior by using a file-in-the-middle between the shortcut and the actual browser. Additionally, they want the victims to hear/see their advertisements and are successful in their attempt.

Related: Maxthon Browser Sends Sensitive Data to China

Related: Amazon Kindle Browser Exposed Searches to MitM Attacks