eFast browser deletes and replaces your Chrome Browser

Pierluigi Paganini October 20, 2015

Security researchers have documented the existence of a new strain of malware dubbed eFast browser that deletes and replaces the entire Chrome Browser.

Security experts from Malwarebytes have analyzed a new strain of  malware that attempts to delete Chrome and replace it with a bogus version that allows attackers to hijack several file associations including HTML, JPG, PDF, and GIF, as well as URLs associations including HTTP, HTTPS, and MAILTO.

“In this episode we take a look at a hijacker that installs a new browser rather than hijacking an existing one. It even attempts to replace Chrome if that is already installed. To make sure that you will use your new browser, eFast makes itself the default browser and takes over some file-associations. ” states the blog post published by Malwarebytes.

The eFast Browser is based on Google’s Chromium open-source software, its appearance is not different from the legitimate Google Chrome, in this way it doesn’t raise suspicion in the victims.

efast browser malware

The new malware belongs to the family of Adware, it is dubbed “eFast Browser” and it si able to do the following actions:

  • Generates pop-up, coupon, pop-under and other similar ads on your screen
  • Placing other advertisements into your web pages
  • Redirects you to malicious websites containing bogus contents
  • Tracking your movements on the web to help nefarious marketers send more crap your way to generating revenue

The eFast Browser is different from peers because it replacing the browser with a malicious copy of Chrome instead of taking control over it.

The eFast Browser installer remove all the shortcuts to the legitimate Google Chrome on the victims taskbar and desktop. It replaces any Chrome desktop website shortcuts with its own versions,

“The installer for eFast also deletes all the shortcuts to Google Chrome on your taskbar and desktop,” wrote Malwarebytes, “most likely hoping to confuse the user with their very similar icons.”

The malicious eFast Browser is developed by a company that calls itself Clara Labs, which is the author of similar browsers known as BoBrowser, Unico, and Tortuga.

Victims usually download the eFast Browser by launching software installers from untrusted sources on the Internet.

The experts also noticed that the eFast Browser drops a file called predm.exe in the folder %Program Files%\efas_en_110010107. Curiously the properties of the executable reveal that it is misdated by a week earlier than the installation date and that the “File description” is “AA setup”. Scanning the files with VirusTotal it is possible to verify that it is a strain of the Eorezo/Tuto4PC malware.

As it turns out this is another Eorezo/Tuto4PC variant according to these scanresults at Virustotal.

efast browser malware 2


If you have been infected follow the removal procedure published by PCRisk.

Pierluigi Paganini

(Security Affairs – eFast Browser,  malware)

you might also like

leave a comment