Watch out for new browser hijacker – tolmkat

Recently, X-Sec Labs catched a new browser hijacker – tolmkat, which comes from China, it has 32-bit & 64-bit version.

Behavior:

  • Hijack browsers to specific pages, add extra parameters at the end of their shortcut link to let them open specific pages
    • Included browser:
      • iexplore.exe(Microsoft Internet Explorer)
      • chrome.exe(Google Chrome)
      • firefox.exe(Mozilla Firefox)
      • 360se.exe(Qihoo 360 Security Browser)
      • 360chrome.exe(Qihoo 360 Browser)
      • QQBrowser.exe(QQ Browser)
      • 2345Explorer.exe(2345 Browser)
      • 2345chrome.exe(2345 Browser)
      • baidubrowser.exe(Baidu Browser)
      • SogouExplorer.exe(Sogou Browser)
      • Maxthon.exe(Maxthon Browser)
      • liebao.exe(Cheetah Browser)
      • UCBrowser.exe(UC Browser)
  • Get config from server
  • Use kernel driver to protect itself
    • Driver is signed, a valid certificate
      • Signer: 深圳市忆艺科技有限公司
      • Sign date: 2016.6.21

Using X-Sec Antivirus can detect them easily~

X-Sec Antivirus detected tolmkat
X-Sec Antivirus detected tolmkat

Related MD5:

C1D4BBBA4B1BF363AEF1CDEB1C6008F4

5A61DAB6C238733A85785B14A763C5AA

46E9CE826393CEFF27BC3B0D35EF15EF

C87E2DF5D5FC8B5AC456995D09334131

E0288AECF2A061999489FA4644D5A9C0

Common types of Trojan

  • Downloader: Download other malwares
  • Dropper: Drop other malwares
  • Injector: Inject its code into other process(the injected process usually not malicious), let the injected process do something evil
  • InfoStealer: Steal users’ privacy infomation, such as card number, username & password, cookies, etc
  • Ransomware: Encrypt users’ personal files, then ask for some money to decrypt.[How to avoid ransomware infected your computer?]

How to identify phishing site

Phishing site is one of the most popular threats for Internet users. We should not only rely on our security products, it’s very easy to create a new phishing site with few changes on the source codes which hackers already had.

So, it’s time to identify phishing site by ourselves!

  • Domain: We recommend you remember some common domains(Google, Paypal, Apple, etc), before you login & pay, check its domain first!
    • Google Accounts: https://accounts.google.com/
    • Google Docs: https://docs.google.com/
    • Paypal: https://www.paypal.com/signin
    • Apple ID: https://appleid.apple.com/
    • iCloud: https://www.icloud.com/
  • HTTPS: Most of the login/pay pages use HTTPS to secure data-transfer(like the URL I mentioned above, URL begins with “https://”), don’t forget to check it![But now, some of phishing site also uses HTTPS, do not rely on it too much :-)]
  • Content: In some of phishing sites, its image quality is much lower than official site. And its content also has some spell error.
  • Link: Most of the phishing sites don’t maintain all of the links inside its page(usually copy from official site), or just link to itself, it’s also a good way to identify phishing site.