Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.
Looking at the latest Yontoo browser hijackers leads us to believe that they have shifted their interest from Firefox to Chrome.
We have discussed Yontoo before as a PUP that has two faces. The official installer used to target Firefox and Internet Explorer. Now they have shifted to Chrome. A few in between have been doing both Chrome and Firefox, but were less intrusive towards Chrome. More precisely, they did not change the Start- and Home-page.
Why the change?
Of course we can only guess, but a good reason seems to be the fact that Firefox started disabling their browser Extensions as they could not be verified. So maybe we can chalk this one down as a victory for those guidelines.
What does it do to Chrome?
These are the permissions that the new version gets.
We took a closer look at the new versions of the Yontoo browser hijackers and took a stab at guessing why they made the switch from Firefox to Chrome.
Extra file information
Md5 Search New Window installer 1f9ec8189ce7a8e0b1057b518714ccca
Md5 Tide Search installer 4cdff17f8ab9b8056ecdcef35bdd26db
Md5 Search Voyage installer 89e2b736e401f53e3159b046b4b46ace
In our removal guides you can find additional screen-shots and logs showing the added files, folders and registry keys.
The hybrid version we used as an example:
As always: Save yourself the hassle and get protected.