Browser Hijacking: Three Technique Studies

The article analyzes three distinct browser-hijacking techniques—modifying browser preference files, remotely controlling browsers by simulating key presses (a BRAT), and abusing Chromium command-line switches combined with registry tweaks and scheduled scripts—to illustrate detection and mitigation gaps. It provides sample file names, file paths, and hashes tied to AppSuite and other hijackers to help analysts create detections. #TamperedChef #BRAT

Keypoints

  • Browser preference files (e.g., Firefox prefs.js and Chrome Preferences / Secure Preferences) can be edited directly to change the default search engine or other settings. Chrome's "Secure Preferences" file is protected by per-preference HMACs, but the protection can be bypassed because every input to the MAC is recoverable by code running on the machine: the seed ships with the browser and the device ID is derived from system information.
  • Malware like AppSuite ships native components (e.g., UtilityAddon.node) that call Win32 APIs (LookupAccountName, ConvertSidToStringSid, GetSystemDirectory, GetVolumeInformation) to obtain the machine SID and system volume serial from which Chrome's device ID, and therefore a valid Secure Preferences HMAC, can be computed.
  • A new class of threat, termed BRAT (browser remote access tool), simulates key presses and shortcuts to remotely control browsers—navigating pages, changing the address bar, clicking ads, and downloading/executing additional software based on server commands.
  • Another hijacking method uses cracked software installers and bundled scripts (VBS/PowerShell) that run as scheduled tasks; a .reg file (disguised as temp_cleanup.ico) manipulates the registry to disable Chrome updates and allowlist a malicious extension.
  • Chromium's --load-extension switch can be re-enabled by toggling DisableLoadExtensionCommandLineSwitch via the registry/policy, allowing malware to load unpacked malicious extensions persistently; disabling browser updates keeps this workaround available on infected systems.
  • Indicators provided include multiple sample file hashes and file paths (e.g., UtilityAddon.node, temp_cleanup.ico, configuration.ps1) that analysts can use for detection and hunting.
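The following Python is an added example, not code from the article or from the hijacker, showing why the Secure Preferences HMAC stops a naive edit but not an attacker who can reproduce its inputs. The seed value, the tracked path name, the SID/volume serial, and the device_id_from_machine() stand-in are assumptions for illustration: Chrome's real seed is embedded in the browser package and its machine-ID derivation differs in detail, but the shape (HMAC-SHA256 over device ID + path + serialized value, plus a super_mac over all MACs) is what the check relies on.

```python
import hashlib
import hmac
import json

# Placeholder for the HMAC seed (constructed). Chrome's real seed is baked into
# the browser package and ships with every install, so it provides no secrecy.
SEED = bytes(range(64))

# Tracked preference used in this example (assumed name; Chrome's real tracked
# list lives in the browser source).
TRACKED_PATH = "default_search_provider_data.template_url_data"


def device_id_from_machine(sid: str, volume_serial: int) -> str:
    """Stand-in for Chrome's machine-ID routine (assumption, not Chrome's code).

    The inputs are the machine SID (LookupAccountName + ConvertSidToStringSid)
    and the system volume serial (GetSystemDirectory + GetVolumeInformation),
    the APIs the page lists for UtilityAddon.node. Hashing/encoding is illustrative.
    """
    material = f"{sid}{volume_serial:08X}".encode()
    return hashlib.sha1(material).hexdigest().upper()


def serialize(value) -> str:
    # Mimics Chromium's JSONWriter output: no whitespace, keys in order.
    return json.dumps(value, separators=(",", ":"), sort_keys=True)


def compute_mac(seed: bytes, device_id: str, path: str, value) -> str:
    """HMAC-SHA256(seed, device_id || path || json(value)) as upper-case hex."""
    message = (device_id + path + serialize(value)).encode()
    return hmac.new(seed, message, hashlib.sha256).hexdigest().upper()


def _set_path(tree: dict, path: str, value) -> None:
    keys = path.split(".")
    for k in keys[:-1]:
        tree = tree.setdefault(k, {})
    tree[keys[-1]] = value


def _get_path(tree: dict, path: str):
    for k in path.split("."):
        tree = tree[k]
    return tree


def set_tracked_pref(prefs: dict, seed: bytes, device_id: str, path: str, value) -> dict:
    """Write a tracked preference and re-sign it. Anyone who can compute seed and
    device_id (Chrome itself, or a hijacker with a native helper) can do this."""
    _set_path(prefs, path, value)
    protection = prefs.setdefault("protection", {})
    macs = protection.setdefault("macs", {})
    _set_path(macs, path, compute_mac(seed, device_id, path, value))
    # super_mac covers the whole macs dictionary and is signed with an empty path.
    protection["super_mac"] = compute_mac(seed, device_id, "", macs)
    return prefs


def check_tracked_pref(prefs: dict, seed: bytes, device_id: str, path: str) -> bool:
    """Browser-side check: does the stored MAC match the current value?"""
    stored = _get_path(prefs["protection"]["macs"], path)
    expected = compute_mac(seed, device_id, path, _get_path(prefs, path))
    return hmac.compare_digest(stored, expected)


def check_super_mac(prefs: dict, seed: bytes, device_id: str) -> bool:
    protection = prefs["protection"]
    expected = compute_mac(seed, device_id, "", protection["macs"])
    return hmac.compare_digest(protection["super_mac"], expected)


if __name__ == "__main__":
    # Constructed SID and volume serial; on a real host the native helper reads them.
    dev = device_id_from_machine("S-1-5-21-1111111111-2222222222-3333333333", 0x1A2B3C4D)
    legit = {"keyword": "google.com", "url": "https://www.google.com/search?q={searchTerms}"}
    hijacked = {"keyword": "hijack", "url": "https://search.example/?q={searchTerms}"}
    prefs = set_tracked_pref({}, SEED, dev, TRACKED_PATH, legit)

    # Naive JSON edit without re-signing: MAC mismatch, Chrome would reset the value.
    _set_path(prefs, TRACKED_PATH, hijacked)
    print("naive edit passes:", check_tracked_pref(prefs, SEED, dev, TRACKED_PATH))

    # Hijacker that re-derives device_id and re-signs: indistinguishable from Chrome's own write.
    set_tracked_pref(prefs, SEED, dev, TRACKED_PATH, hijacked)
    print("re-signed edit passes:", check_tracked_pref(prefs, SEED, dev, TRACKED_PATH),
          check_super_mac(prefs, SEED, dev))
```

The practical consequence for defenders: a valid MAC only proves the writer knew the seed and the device ID, so integrity of Secure Preferences has to be checked against an external record (e.g., a known-good search provider URL) rather than trusted on the strength of the MAC alone.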

MITRE Techniques

  • [T1053] Scheduled Task/Job – Used to persist and run VBS/PowerShell scripts on a schedule ('It consists of VBS and PowerShell scripts that run as scheduled tasks.')
  • [T1059] Command and Scripting Interpreter – PowerShell and VBS are used to monitor WMI events, terminate and restart browsers, and manipulate settings ('One of the PowerShell scripts, named configuration.ps1, monitors WMI events to listen for chrome.exe and edge.exe process starts.')
  • [T1204] User Execution – Delivery via cracked NSFW game installers that users execute (‘This flavor of browser hijacker arrives with cracks of NSFW games like My Bimbo Dream.’)
  • [T1112] Modify Registry – A .reg file is used to change policies and registry entries to disable updates and allowlist an extension (‘This .reg file disables Chrome updates and allowlists a Chrome extension.’)
  • [T1562] Impair Defenses – The malware disables Chrome updates to prevent remediation and keep a Chromium workaround active ('This malware disables Google Chrome updates via the policy settings; … Without any browser updates, the --load-extension workaround will stay available on already infected systems.')
  • [T1105] Ingress Tool Transfer – BRAT functionality automates downloading and running additional software by simulating clicks and interactions in the browser (‘this key press approach also allows the browser hijacker to automatically click on advertisements and, more importantly, to download & run arbitrary additional software’)
  • [T1543] Create or Modify System Process – The hijacker terminates and restarts browser processes with modified command-line behavior to load its extension (‘Once the hijacker is aware of a process start, it terminates the browser and restarts it promptly with its own extension.’)
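An added detection example in Python, not from the article: it parses a constructed .reg file of the kind described above (a .reg payload saved under an .ico name), flags the Google Update and Chrome policy values the hijacker relies on, and flags a browser command line that side-loads an unpacked extension the way the relaunch does. The sample .reg text, extension ID and command line are constructed; the policy and value names are real Google Update / Chrome policies, and treating them as suspicious when written by a user-land installer is this example's judgement, not the article's.

```python
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

UPDATE_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update"
CHROME_POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome"
EXTENSION_LIST_KEYS = ("ExtensionInstallAllowlist", "ExtensionInstallForcelist")

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def parse_reg(text: str) -> list:
    """Minimal .reg parser returning (key, value_name, data) triples.
    Key deletions ("[-HKEY...]") and hex continuation lines are skipped.
    Real .reg files are UTF-16LE; decode with encoding="utf-16" before calling."""
    triples = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == REG_HEADER:
            continue
        m = _KEY_RE.match(line)
        if m:
            current = None if m.group(1) else m.group(2)
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            triples.append((current, name, m.group("data")))
    return triples


def analyze_reg(filename: str, text: str) -> list:
    """Flags the registry tricks the page attributes to the hijacker's .reg payload."""
    findings = []
    if not text.lstrip().startswith(REG_HEADER):
        return findings  # not .reg content at all
    if not filename.lower().endswith(".reg"):
        findings.append(f"{filename}: .reg content under a non-.reg extension")
    for key, name, data in parse_reg(text):
        k = key.lower()
        # Google Update: UpdateDefault=0 or Update{app-guid}=0 turns updates off.
        if k == UPDATE_POLICY_KEY.lower() and name.lower().startswith("update") \
                and data == "dword:00000000":
            findings.append(f"Google Update disabled: {name}=0")
        if k.startswith(CHROME_POLICY_KEY.lower()):
            if name == "DisableLoadExtensionCommandLineSwitch":
                findings.append(f"--load-extension kill switch toggled: {name}={data}")
            if any(k.endswith("\\" + e.lower()) for e in EXTENSION_LIST_KEYS):
                ext_id = data.strip('"').split(";")[0]  # entries may be "id;update_url"
                shape = "allow/force-listed" if re.fullmatch(r"[a-p]{32}", ext_id) else "listed with malformed id"
                findings.append(f"extension {ext_id} {shape} via {key.split(chr(92))[-1]}")
    return findings


def analyze_cmdline(cmdline: str) -> list:
    """Flags a browser relaunch that side-loads an unpacked extension."""
    findings = []
    m = re.search(r'--load-extension=(?:"([^"]+)"|(\S+))', cmdline)
    if m:
        findings.append(f"unpacked extension loaded from {m.group(1) or m.group(2)}")
    return findings


# Constructed stand-in for temp_cleanup.ico; not the actual file contents.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Update]
"UpdateDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DisableLoadExtensionCommandLineSwitch"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallAllowlist]
"1"="abcdefghijklmnopabcdefghijklmnop"
"""

# Constructed command line of the kind a relaunching script would produce.
SAMPLE_CMDLINE = (r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                  r'--load-extension="C:\Users\u\AppData\Local\Temp\ext" --no-first-run')

if __name__ == "__main__":
    for f in analyze_reg("temp_cleanup.ico", SAMPLE_REG) + analyze_cmdline(SAMPLE_CMDLINE):
        print("ALERT:", f)
```

In a hunt, pair analyze_reg with file-creation events for `.ico`/`.tmp` files whose first bytes are the .reg header, and analyze_cmdline with process-creation events whose parent is a script host (wscript.exe, powershell.exe) rather than explorer.exe; either alone produces false positives on developer machines that legitimately use --load-extension.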

Indicators of Compromise

  • [File hash] Sample malware binaries and components referenced in the article – 6022fd372dca7d6d366d9df894e8313b7f0bd821035dd9fa7c860b14e8c414f2, 6ae8c50e3b800a6a0bff787e1e24dbc84fb8f5138e5516ebbdc17f980b471512, and 3 more hashes
  • [File path / filename] Browser preference files targeted by the hijackers – %APPDATA%\Mozilla\Firefox\Profiles\<profile>\prefs.js; %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences and the adjacent Secure Preferences file
  • [File path / filename] Malicious installer/script files used in infections – %TEMP%\temp_cleanup.ico (a .reg file saved under an icon name); %LOCALAPPDATA%\DiagnosticNET\configuration.ps1


Read more: https://www.gdatasoftware.com/blog/2025/11/38298-learning-about-browser-hijacking