Browsefox aka Sambreel aka Yontoo is a family of browser hijackers. When advertised they promise to “customize and enhance your interaction with the websites you visit”, but in reality they are almost never a users choice install. They come bundled with other software at many major download sites and at best you will see this screen when the installation starts.
High Stairs is one of the latest additions to this family.It is being offered as a browser extension without making clear what it does for the user.
The software is free to use, but is supported by advertising (including banner, browsing-related, transitional, text link, interstitial and full page advertisements).
Part of their site is blocked if you have Malwarebytes Anti-Malware Premium installed and Malicious Website Protection enabled.
Browser hijackers of this family are VM aware, meaning they will not do a full install if they detect they are run on a Virtual Machine. Sometimes the files are downloaded and put in place, but the extensions are not installed and enabled.
The hijackers from this family do provide browser extensions for IE, Firefox, Chrome and Opera (and probably more).
Having a closer look at “High Stairs” in particular we found a string inside the Browser Helper Object (IE extension) that deserved a closer look.
These invisible iframes can be used to deliver anything and everything to your computer, ranging from advertisements (which is very likely in this case) to (in theory) exploit kits. In theory in this case means, that we haven’t seen any exploit kits being delivered through the advertisements these PUPs deliver, but if the PUP has a vulnerability or their network is compromised a third party could use this in the same manner as has been done with malvertisements on legitimate sites.
This browser hijacker is relatively easy to remove. Other variants have been known to install services as well, making them a bit harder to tackle. Unfortunately “High Stairs” is not alone. We see a new Sanbreel variant at least a few times every week.
The installer and the installed files are all detected as
Logs, more screenshots and removal instructions for “High Stairs” can be found on the Malwarebytes forums.