Watch out for a new browser hijacker – tolmkat

Recently, X-Sec Labs caught a new browser hijacker, tolmkat, which originates from China and ships in both 32-bit and 64-bit versions.

Behavior:

  • Hijacks browsers to specific pages: it appends extra parameters to the browsers' shortcut links, so launching the shortcut opens the attacker's chosen page
    • Affected browsers:
      • iexplore.exe (Microsoft Internet Explorer)
      • chrome.exe (Google Chrome)
      • firefox.exe (Mozilla Firefox)
      • 360se.exe (Qihoo 360 Security Browser)
      • 360chrome.exe (Qihoo 360 Browser)
      • QQBrowser.exe (QQ Browser)
      • 2345Explorer.exe (2345 Browser)
      • 2345chrome.exe (2345 Browser)
      • baidubrowser.exe (Baidu Browser)
      • SogouExplorer.exe (Sogou Browser)
      • Maxthon.exe (Maxthon Browser)
      • liebao.exe (Cheetah Browser)
      • UCBrowser.exe (UC Browser)
  • Fetches its configuration from a remote server
  • Uses a kernel driver to protect itself
    • The driver is signed with a valid certificate
      • Signer: 深圳市忆艺科技有限公司
      • Signing date: 2016.6.21
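Because tolmkat works by planting its page in the command-line arguments of existing browser shortcuts, a quick way to check a machine is to parse the .lnk files on the Desktop and Start Menu and flag any that target one of the listed browsers and carry a URL (or any argument at all). The script below is an added example written for this post, not X-Sec Labs' tooling or the detection logic of X-Sec Antivirus. It reads the Shell Link format as documented in MS-SHLLINK (header, optional IDList and LinkInfo blocks, then the StringData entries); the shortcut samples, the `hijack.example` URL and the `build_lnk` helper are constructed here for the demonstration, and the browser list comes from the post.

```python
import os
import re
import struct

# Shell Link (.lnk) layout per MS-SHLLINK: a 76-byte header, an optional
# LinkTargetIDList and LinkInfo block, then StringData entries in a fixed
# order (name, relative path, working dir, arguments, icon location).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Browser executables the post lists as tolmkat targets (lower-cased for matching).
HIJACKED_BROWSERS = {
    "iexplore.exe", "chrome.exe", "firefox.exe", "360se.exe", "360chrome.exe",
    "qqbrowser.exe", "2345explorer.exe", "2345chrome.exe", "baidubrowser.exe",
    "sogouexplorer.exe", "maxthon.exe", "liebao.exe", "ucbrowser.exe",
}
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")


def _read_string(data, pos, unicode):
    """Read one StringData entry: uint16 character count, then the characters."""
    (count,) = struct.unpack_from("<H", data, pos)
    pos += 2
    if unicode:
        return data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return data[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(data):
    """Return the StringData fields of a .lnk file (empty strings when absent)."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00"
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize excludes its own 2 bytes
        (size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:             # LinkInfoSize includes its own 4 bytes
        (size,) = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {}
    for flag, name in STRING_FIELDS:
        if flags & flag:
            fields[name], pos = _read_string(data, pos, bool(flags & IS_UNICODE))
        else:
            fields[name] = ""
    return fields


def check_shortcut(data):
    """Flag a shortcut that targets a listed browser and carries arguments.

    tolmkat plants its start page in the shortcut's arguments, so a browser
    shortcut with a URL (or any argument at all) deserves a second look.
    """
    info = parse_lnk(data)
    target = os.path.basename(info["relative_path"].replace("\\", "/")).lower()
    if target not in HIJACKED_BROWSERS or not info["arguments"]:
        return []
    match = URL_RE.search(info["arguments"])
    if match:
        return [f"{target}: shortcut launches browser with URL {match.group(0)}"]
    return [f"{target}: shortcut has extra arguments: {info['arguments']!r}"]


def scan_shortcuts(root):
    """Walk a directory (Desktop, Start Menu, taskbar pins) and yield flagged .lnk files."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    findings = check_shortcut(fh.read())
            except (ValueError, struct.error):
                continue                  # not a parsable shortcut; skip it
            if findings:
                yield path, findings


def build_lnk(relative_path, arguments="", working_dir=""):
    """Build a minimal .lnk (constructed test data; real shortcuts carry more blocks)."""
    flags = IS_UNICODE | HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH
    flags |= HAS_WORKING_DIR if working_dir else 0
    flags |= HAS_ARGUMENTS if arguments else 0
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"    # empty IDList + TerminalID
    body = b""
    for text in (relative_path, working_dir, arguments):   # StringData order
        if text:
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + id_list + body


# Constructed samples: a clean Chrome shortcut and two tampered ones.
SAMPLE_CLEAN = build_lnk(r"..\Chrome\Application\chrome.exe")
SAMPLE_HIJACKED = build_lnk(r"..\Chrome\Application\chrome.exe",
                            "http://hijack.example/start?id=1",
                            r"C:\Program Files\Google\Chrome\Application")
SAMPLE_ARGS_ONLY = build_lnk(r"..\Chrome\Application\chrome.exe",
                             "--profile-directory=Default")

if __name__ == "__main__":
    for label, sample in (("clean", SAMPLE_CLEAN), ("hijacked", SAMPLE_HIJACKED)):
        print(label, check_shortcut(sample) or "no findings")
```

Point `scan_shortcuts` at the user and public Desktop and Start Menu folders to sweep a host. A URL in the arguments is the strongest signal; arguments without a URL are reported too, since legitimate browser shortcuts rarely carry any, but a profile or kiosk flag set by an administrator is a benign reason for that second finding.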

X-Sec Antivirus detects them easily.

X-Sec Antivirus detected tolmkat

Related MD5:

  • C1D4BBBA4B1BF363AEF1CDEB1C6008F4
  • 5A61DAB6C238733A85785B14A763C5AA
  • 46E9CE826393CEFF27BC3B0D35EF15EF
  • C87E2DF5D5FC8B5AC456995D09334131
  • E0288AECF2A061999489FA4644D5A9C0