Has your Google Chrome browser been taking you to weird websites lately? You may have been infected by something called the Mutabaha Trojan.
That Trojan, according to Dr. Web researchers, looks and behaves very much like Google Chrome. There are some small differences in the menu design, but aside from that, it’s virtually indistinguishable.
The most noticeable difference between the Mutabaha Trojan and the real Google Chrome is that the Trojan will take you to websites you don’t ordinarily visit.
How It Works
Dr. Web researchers report that the Trojan is installed on a victim’s computer by a previously installed dropper.
This dropper contacts a C&C server, which tells the computer to download and install Mutabaha. The dropper then removes itself, leaving you with what appears to be a version of Chrome.
When the program installs itself, it registers itself in the Windows registry and, in the process, launches several system services. It also creates tasks in the Windows Task Manager – so Windows overall thinks it’s a legitimate program.
More importantly, the Trojan uses a version of Chrome called Outfire – which is how it tricks you into thinking you’re still using Chrome.
All Your User Account Information is Copied Into the New Browser
You might think: “I could spot a fake version of Chrome. None of my user information would be there.”
Unfortunately for you, that’s not the case with the Mutabaha Trojan. The Trojan actually copies your user account information into the fake version of Chrome.
It also copies and modifies your Chrome shortcuts – so when you open Chrome via your usual button or taskbar shortcut, you’re actually opening the version of Outfire posing as Chrome.
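One way to check for the shortcut swap described above is to list every shortcut named like Chrome and verify where it points and who signed the target. This is an added example, not code from Dr. Web or the original article; the expected install paths and the Google signer pattern are assumptions about a standard Chrome installation.

```powershell
# Added example: audit shortcuts named like Chrome and flag suspicious targets.
# Assumptions (not from the article): standard Chrome install paths and a
# Google organisation name in the signer certificate of the genuine chrome.exe.
$expectedTargets = @(
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
)

# Places where the usual desktop, Start menu and taskbar shortcuts live.
$shortcutDirs = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu'),
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$shell = New-Object -ComObject WScript.Shell

$report = Get-ChildItem -Path $shortcutDirs -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -like '*Chrome*' } |
    ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)   # read-only use of the .lnk
        $target  = $lnk.TargetPath
        $reasons = @()

        if (-not $target -or -not (Test-Path -LiteralPath $target)) {
            $reasons += 'target missing'
        } else {
            if ($expectedTargets -notcontains $target) { $reasons += 'unexpected target path' }
            $sig = Get-AuthenticodeSignature -FilePath $target
            if ($sig.Status -ne 'Valid') {
                $reasons += "signature status: $($sig.Status)"
            } elseif ($sig.SignerCertificate.Subject -notmatch 'O=Google (LLC|Inc)') {
                $reasons += 'signer is not Google'
            }
        }

        [pscustomobject]@{
            Shortcut  = $_.FullName
            Target    = $target
            Arguments = $lnk.Arguments
            Findings  = if ($reasons) { $reasons -join '; ' } else { 'ok' }
        }
    }

$report | Format-Table -AutoSize -Wrap
```

Any row whose Findings column is not "ok" is a shortcut that carries the Chrome name but does not lead to a Google-signed chrome.exe in one of the expected locations.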
Why Is It Dangerous?
Why would someone want to install a fake version of Chrome on your computer?
Well, after the Trojan is installed, the fake browser will display a home page that can’t be changed from your browser’s settings menu.
The Trojan also comes with a scammy extension that replaces advertisements on your websites – so the creators of the Trojan get advertising hits and clicks.
Finally, the Trojan also uses its own search engine. However, you can change this setting from the Settings menu.
Interestingly enough, the Trojan actually searches for and removes other fake browsers it finds on the target’s computer. It also uses a Windows User Account Control (UAC) exploit that was only recently discovered – so this is a sophisticated operation.
If your Chrome browser has been acting funny lately, then you may have the Mutabaha Trojan. Download antivirus or anti-malware software like Total System Care to remove the Trojan.