Internet World Wide Web Abstract Tech Background

CrossBrowse: another Chromium project

Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.


After we wrote about the eFast browser a few weeks ago, we found another Chromium based browser that installs itself as the default browser and delivers advertisements.

CrossBrowse is a member of the Crossrider family of browser hijackers and adware, and we have seen it before when it just hijacked existing browsers. It still does that, but now it also removes the shortcuts to your default browser from the desktop, the start-menu and the taskbar while adding shortcuts to itself in these same places.

icons

CrossBrowse grabs the file-associations for:

  • htm
  • html
  • shtml
  • webp
  • xht
  • xhtml

And the URL-assiociations (protocols):

  • ftp
  • http
  • https
  • irc
  • mailto
  • mms
  • news
  • nntp
  • sms
  • smsto
  • tel
  • urn
  • webcal
warning1

The Firefox extension is called MyBrowser

To ensure that your newly “installed” browser gets “runtime” it also creates two startup entries. One by dropping a link in the Startup folder and one by creating a Registry Run-key for the current user.

O4 - HKCU..Run: [GoogleChromeAutoLaunch_CF2B7C6F9D79411F351BC515B29E4ACE] "C:Program Files (x86)CrossbrowseCrossbrowseApplicationcrossbrowse.exe" --no-startup-window

O4 - Startup: crossbrowse.lnk = C:Program Files (x86)CrossbrowseCrossbrowseApplicationcrossbrowse.exe

Note the “GoogleChromeAutoLaunch” in the name of the Run-key which probably aims to mislead the user. And the use of the “–no-startup-window” switch which, according to their website:

does not automatically open a browser window on startup (used when launching Chrome (Chromium) for the purpose of hosting background apps).

The first site it opens is plusnetwork[dot]com, which is notorious for the active hijacks to that domain.

site1

As a bonus there will be three Scheduled Tasks, one typical for CrossBrowse and two that are similar to the ones we see in most Crossrider installs.

warning3

If you want to remove it using the Uninstall in “Control PanelProgramsPrograms and Features” be aware that there are two entries created by this install.

warning4

This family of browser hijackers will typically come from a bundle installer. The install and some of the connections the CrossBrowse browser tries to make are blocked by Malwarebytes Anti-Malware Premium. The installers are detected as PUP.Optional.CrossRider.

protection1
protection2

As always: “Save yourself the hassle and get protected.

Resources

Pieter Arntz

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.