Search hijackers change Chrome policy to remote administration

The latest type of installer in the saga of search hijacking changes a Chrome policy, so that Chrome tells users the extension can’t be removed because the browser is managed from outside.

As you can imagine, that has freaked out quite a few Chrome users.

We have talked about the search hijacker’s business model in detail. Suffice to say, it is a billion-dollar industry and a lot of search hijackers want a piece of this action as even a small portion can amount to a hefty income.

One search hijacker doesn’t generate large amounts of cash for threat actors, like ransomware or banking Trojans. So, the publishers are always looking for ways to get installed on large numbers of systems and stay installed for as long as possible.

It also should not come as a surprise that ethics are no priority for many of them. As long as they can rake in their redirect fees, they couldn’t care less about the inconvenience of leaving you stuck with a default search provider you would never have picked yourself.

What have they done this time?

We were alerted by some of our customers who said they were unable to remove Chrome extensions as they ran into this restriction:


Basically, this is telling the user that the browser may be managed outside of Chrome and that the administrator has installed an extension. Even users who have Administrator accounts on the affected systems are unable to remove these extensions.

The extension in question is easily spotted in an overview of all the installed extensions as it is the one that has no “Remove” option.

There is no “Remove” button for the spotted search hijacker

We have found several of these search hijackers in the Chrome webstore, but installing them from there does not lead to the “managed browser” symptoms. It takes a Windows installer to make the necessary registry changes, so users who installed the extension from the webstore should be able to remove it themselves in the normal way.

Installed from the webstore, the extensions have a “Remove” button

What all the hijackers that use the managed browser technique have in common is that they add the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist

under which the forced extensions are enumerated as numbered registry values like this:

"1" (REG_SZ) = "lpfpbajbnhddlpljjnfndngbkkfkjfna;https://clients2.google.com/service/update2/crx"

The description in the Chromium documentation about the ExtensionInstallForcelist states:

Specifies a list of apps and extensions that are installed silently, without user interaction, and which cannot be uninstalled nor disabled by the user.
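As an added example (not code from the original post or from Malwarebytes), the following PowerShell snippet lists every extension forced through the policy keys described above and flags the IDs from this post’s IOC section. It assumes it is run on the affected Windows host; it also checks the equivalent keys under HKCU, which the post does not mention but which Chrome honours as well.

```powershell
# Added example: enumerate ExtensionInstallForcelist policy values and flag
# the extension IDs named in the post. Assumes a Windows host with Chrome/Chromium.
$KnownBad = @{
    'fhmghdmcgkkdadabbnkmnejhoncccjio' = 'Capita'
    'lpfpbajbnhddlpljjnfndngbkkfkjfna' = 'SearchSpace'
    'fifailmmmlkdabfkkoejgffjdfgbieji' = 'Mazy Search'
}

# The two HKLM keys from the post, plus their HKCU counterparts (an addition here).
$PolicyKeys = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKLM:\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist',
    'HKCU:\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist'
)

foreach ($key in $PolicyKeys) {
    if (-not (Test-Path -Path $key)) { continue }   # key absent: nothing forced here
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        # Policy data format: "<32-char extension id>;<update URL>"; the URL part may be absent.
        $parts = $data.Split(';', 2)
        $id    = $parts[0].Trim()
        $url   = if ($parts.Count -gt 1) { $parts[1].Trim() } else { '(none)' }
        $verdict = if ($KnownBad.ContainsKey($id)) {
            "KNOWN HIJACKER ($($KnownBad[$id]))"
        } elseif ($id -notmatch '^[a-p]{32}$') {
            'MALFORMED ID - review'
        } else {
            'unrecognised - verify with your admin'
        }
        [pscustomobject]@{
            Key         = $key
            Value       = $name
            ExtensionId = $id
            UpdateUrl   = $url
            Verdict     = $verdict
        }
    }
}
```

On a machine that is not legitimately managed, any value under these keys is suspect; once confirmed, a flagged value can be deleted with `Remove-ItemProperty -Path <key> -Name <value>` from an elevated prompt, after which Chrome no longer reports the extension as administrator-installed.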

How do these hijackers land on victims’ systems?

We are not completely sure, but we did manage to round up some stand-alone installers from the Temp folder on affected Windows systems, and it looks as if these installers were part of a bundler.

What victims will typically see is an installer notice like this one:


and then nothing until they open Chrome and see this new tab:


and the “your browser is managed by a remote administrator” type of comment scattered throughout the Chrome menu and settings.


Search hijackers in general

Search hijackers come in different flavors. Basically, they can be divided into three main categories if you look at their methodology:

  • The hijacker redirects victims to the best paying search engine.
  • The hijacker redirects victims to its own site and shows additional sponsored ads.
  • The hijacker redirects victims to a popular search engine after inserting or replacing sponsored ads.

By far the most common vehicle is the browser extension, whether it is called an extension, an add-on, or a browser helper object. But you will see different approaches here as well:

  • The extension lets the hijacker take over as the default search engine.
  • The extension takes over as “newtab” and shows a search field in that tab.
  • The extension takes permission to read and change your data on websites. It uses these permissions to alter the outcome of the victim’s searches.

This family is of the kind that uses its own site as a redirect to the search engine it gets paid by, and the extension takes over as default search engine. The default is the one that gets queried when the user searches from the address bar.

Removal

Malwarebytes recognizes these hijackers and removes them from affected systems. You can find a few removal guides on our forums:

Removal guide for Mazy Search

Removal guide for SearchSpace

And at the rate they are pushing out new ones, more will probably follow.

IOCs

Extension identifiers

fhmghdmcgkkdadabbnkmnejhoncccjio (Capita)

lpfpbajbnhddlpljjnfndngbkkfkjfna (SearchSpace)

fifailmmmlkdabfkkoejgffjdfgbieji (Mazy)

Domains

search-space.net

mazysearch.com

capita.space

defaultsearch.link

Stay safe everyone!

The post Search hijackers change Chrome policy to remote administration appeared first on Malwarebytes Labs.
