Connect with us

Hi, what are you looking for?


Malware & Threats

Browser Hijackers Use File-in-the-Middle for Redirection

Two browser hijackers were recently observed using a file-in-the-middle attack between browser shortcuts and the actual browser to redirect users to the sites of their choice, Malwarebytes researchers warn.

Two browser hijackers were recently observed using a file-in-the-middle attack between browser shortcuts and the actual browser to redirect users to the sites of their choice, Malwarebytes researchers warn.

According to researchers, while there isn’t additional proof that more browser hijackers will adopt this technique, it appears to be more than just a coincidence that two such threats, namely Dotdo Audio and HPRewriter2, have started employing it at the same time. Moreover, both use one of their own files to perform the nefarious activity, researchers have discovered.

Dotdo Audio is a new variant of the Dotdo strain of hijackers that has been spotted before, when it used different methods to get the job done. The newly observed version uses audio advertisements, while also replacing the browser executables with its own to achieve its purpose.

For that, the hijacker finds the firefox.exe and chrome.exe files and renames them by adding a number to the filename, after which it hides the renamed files and places its own in the same directory, under the original firefox.exe or chrome.exe name. Additionally, the malicious program alters the date of these changes, thus creating confusion.

“For the hijacker using the method of replacing files this has the advantage that they don’t have to follow the more common method of altering shortcuts. All the shortcuts the user has on his desktop, startmenu, taskbar, and anywhere else, can stay the same as the folder and filename they are pointing to are still valid and now under control of the hijacker,” Malwarebytes researchers explain.

After all these changes were made, when the user clicks on the browser shortcut, the false application is started. However, it would trigger the renamed firefox.exe or chrome.exe processes and add some extra instructions to them, which will result in the victim being able to surf the web as intended, while hearing the audio advertisements in the background.

The second browser hijacker found to use the file-in-the-middle approach is HPRewriter2, named this way after the entry it makes in the list of installed Programs and Features. This app was designed to change the browser on the compromised system to open with traffic-media[dot]co.

For that, the hijacker alters the browser shortcuts for Chrome, Firefox, Internet Explorer, Opera, and Yandex, and changes them to C:Users{username}AppDataRoamingHPRewriter2RewRun3.exe  {version number}. As it turns out, the version number is essential for the hijacker’s operation, as triggering Rewrun3.exe without it would accomplish nothing (it will not run). When triggered correctly, however, Rewrun3 opens the targeted browser with traffic-media[dot]co or another redirect.

Advertisement. Scroll to continue reading.

According to security researchers, while these two hijackers are from different families and use different methods, they do have in common the fact that they alter browser behavior by using a file-in-the-middle between the shortcut and the actual browser. Additionally, they want the victims to hear/see their advertisements and are successful in their attempt.

Related: Maxthon Browser Sends Sensitive Data to China

Related: Amazon Kindle Browser Exposed Searches to MitM Attacks

Written By

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.