Recently, X-Sec Labs caught a new browser hijacker, tolmkat, which comes from China and ships in both 32-bit and 64-bit versions.
Behavior:
- Hijacks browsers to specific pages: it appends extra parameters to the end of the browsers' shortcut links so that they open specific pages on launch
- Included browsers:
  - iexplore.exe (Microsoft Internet Explorer)
  - chrome.exe (Google Chrome)
  - firefox.exe (Mozilla Firefox)
  - 360se.exe (Qihoo 360 Security Browser)
  - 360chrome.exe (Qihoo 360 Browser)
  - QQBrowser.exe (QQ Browser)
  - 2345Explorer.exe (2345 Browser)
  - 2345chrome.exe (2345 Browser)
  - baidubrowser.exe (Baidu Browser)
  - SogouExplorer.exe (Sogou Browser)
  - Maxthon.exe (Maxthon Browser)
  - liebao.exe (Cheetah Browser)
  - UCBrowser.exe (UC Browser)
- Gets its config from a server
- Uses a kernel driver to protect itself
- The driver is signed with a valid certificate:
  - Signer: 深圳市忆艺科技有限公司
  - Sign date: 2016.6.21
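The shortcut-tampering behavior above is easy to check for on a host without any vendor tooling: parse each browser .lnk file and see whether its command-line arguments carry a URL. The following is an added example, not code from X-Sec Labs or from the hijacker sample. It implements a minimal parser for the Windows Shell Link (.lnk) binary format (header, skipping the ID list and LinkInfo blocks, then the StringData fields), flags any shortcut whose target is one of the browsers listed in the post and whose arguments contain an http/https URL, and can walk directories such as the Desktop or Start Menu. The browser list is taken from the post; the sample shortcut, the `example.invalid` URL, and the `build_lnk` helper are constructed for the demonstration and are not indicators from the real sample.

```python
import os
import re
import struct
from dataclasses import dataclass

# Browser executables the post lists as hijack targets (compared case-insensitively).
HIJACKED_BROWSERS = {
    "iexplore.exe", "chrome.exe", "firefox.exe", "360se.exe", "360chrome.exe",
    "qqbrowser.exe", "2345explorer.exe", "2345chrome.exe", "baidubrowser.exe",
    "sogouexplorer.exe", "maxthon.exe", "liebao.exe", "ucbrowser.exe",
}

# LinkFlags bits from the Shell Link (.lnk) format (MS-SHLLINK section 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class ShellLink:
    relative_path: str
    working_dir: str
    arguments: str


def _read_string(data: bytes, offset: int, unicode: bool):
    """Read one StringData entry: 2-byte character count, then the text (no terminator)."""
    (count,) = struct.unpack_from("<H", data, offset)
    offset += 2
    if unicode:
        return data[offset:offset + 2 * count].decode("utf-16-le"), offset + 2 * count
    return data[offset:offset + count].decode("latin-1"), offset + count


def parse_lnk(data: bytes) -> ShellLink:
    """Minimal .lnk parser: validates the header, skips ID list / LinkInfo, reads the strings."""
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)
    offset = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) followed by the IDList
        (size,) = struct.unpack_from("<H", data, offset)
        offset += 2 + size
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts its own 4 bytes
        (size,) = struct.unpack_from("<I", data, offset)
        offset += size
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon")):
        fields[key] = ""
        if flags & bit:                      # StringData entries appear in this fixed order
            fields[key], offset = _read_string(data, offset, unicode)
    return ShellLink(fields["relative_path"], fields["working_dir"], fields["arguments"])


def check_shortcut(link: ShellLink):
    """Return {'browser', 'urls'} if a listed browser's shortcut carries URL arguments, else None."""
    exe = link.relative_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in HIJACKED_BROWSERS:
        return None
    urls = URL_RE.findall(link.arguments)
    return {"browser": exe, "urls": urls} if urls else None


def scan_directories(*dirs):
    """Walk the given directories and collect (path, finding) for every tampered browser shortcut."""
    findings = []
    for top in dirs:
        for root, _, files in os.walk(top):
            for name in files:
                if not name.lower().endswith(".lnk"):
                    continue
                path = os.path.join(root, name)
                try:
                    with open(path, "rb") as fh:
                        hit = check_shortcut(parse_lnk(fh.read()))
                except (ValueError, struct.error, OSError):
                    continue                 # unreadable or not a parseable shortcut
                if hit:
                    findings.append((path, hit))
    return findings


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Build a minimal, constructed .lnk for testing (not a sample of the real hijacker)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = SW_SHOWNORMAL
    def pack(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + pack(relative_path) + (pack(arguments) if arguments else b"")


if __name__ == "__main__":
    # Constructed sample: a Chrome shortcut whose arguments smuggle in a placeholder URL.
    sample = build_lnk("..\\..\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
                       "http://example.invalid/?tag=constructed")
    print(check_shortcut(parse_lnk(sample)))
    for path, hit in scan_directories(os.path.join(os.path.expanduser("~"), "Desktop")):
        print(path, hit)
```

A clean browser shortcut has either no arguments or only switches such as `--profile-directory=Default`, so the URL check alone separates the hijacked case from normal ones; pinned taskbar and Start Menu shortcuts live under the user's AppData and ProgramData folders and should be scanned as well as the Desktop.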
X-Sec Antivirus detects them easily.
Related MD5 hashes:
C1D4BBBA4B1BF363AEF1CDEB1C6008F4
5A61DAB6C238733A85785B14A763C5AA
46E9CE826393CEFF27BC3B0D35EF15EF
C87E2DF5D5FC8B5AC456995D09334131
E0288AECF2A061999489FA4644D5A9C0