wavebrowser.co - General Security (2022)

#1 nullcatchems


Posted 10 May 2021 - 02:07 PM

Hi,

We have a few computers in our network that have this random browser installed and wondering if anyone else has seen this browser.

Here is a link that will take you to the download:

https://download.wavebrowser.co/?src=d-cp12177353273&ob=obgcobedobem&dvc=c&k=&crt=499772317102&adp=none&plc=doodle.com&tgt=boomuserlist%3A%3A6562905642&sl=&cpd=12177353273&gclid=EAIaIQobChMI3sml28rY7wIVRmNyCh3ApwwUEAEYASAAEgJ80fD_BwE

While we don't think this is malicious it is quite annoying. We have about 30,000 end points in our network and don't want to have to uninstall random browsers that are getting installed. From what I can tell the browsers is being installed or at least advertised to users after having signed up for doodle.com.

Any information/advice would be appreciated.

Thanks,

Null

Mod Edit :- This product is a Potentially Unwanted Program (PUP). Download and install at your own risk.


Edited by Chris Cosgrove, 11 May 2021 - 03:23 AM.
Moved from V&M removal to General security


#2 dconrad97


Posted 10 May 2021 - 06:57 PM

Hello All!

I was hoping to reply to @nullcatchems about his question regarding Wave Browser. I'll post that reply below, but first I will introduce myself! I am dconrad97, and I enjoy malware research and analyses. I currently work in the cybersecurity field and I am working towards picking up CASP+ and maybe (just maybe) GREM someday. Moving on to the important stuff, here is what I was going to reply to @nullcatchems (and I will reply directly to that thread if I am able to after posting here).

-------------------------------

Howdy Null,

This is my first post, so I hope I'm doing this correctly and that this information is helpful. I've been digging into this Wave Browser for about a week or so now. Here's what I'm aware of thus far -

Naming Convention: Wave Browser_<string>_.exe - the string changes roughly every other day, but the file hash remains the same. SHA-256: 33111d45c6e463b267685b51faefb49565d3e517a30940338e285c52e019e1a6

Virus Total Detection: None

Joe Sandbox Detection: Malicious, Evasion, Spyware - https://www.joesandbox.com/analysis/407799/0/html

I've got a distribution graph you can check out as well that's also on VT, as well as an OTX pulse for this. The links are below. I've submitted every file I can to Comodo, OTX, Malshare, Intezer Analyze, etc. It matches some crowdsourced YARA rules, but there's no solid match for what it is as of now.

Distribution Graph: https://www.virustotal.com/graph/ge5b56010e172473e938f8d53477f0e636143d08226b14534a4794916bfc998bf

OTX Pulse: https://otx.alienvault.com/pulse/60937bee0757edc496498434

At this time, I believe the application is bad news, and it does have a similar file set up to some things I've seen in Intezer Analyze labeled for "ElectroRAT". Several of the strings contained in the unpacked PE are also exact matches for some interesting tools like Wireshark, Dameware, Monero, Sysinternals, etc. I don't want to point the finger and claim that Wavesor is an inherently bad company, however the heavy anti-evasion techniques and spyware found in the Joe Sandbox report do deserve attention. In addition, I've also seen the browser be downloaded from VLC's site, videolan.org. I hope this was helpful and informative, stay safe!


#3 buddy215 (Moderator)


Posted 10 May 2021 - 07:59 PM

Welcome to BC....

That topic is in the Malware removal forum. Only some staff and team members can post on topics in that forum.

Thanks for the info. Since that browser was not intentionally downloaded and installed....I thought best to have the computer checked by the malware removal team.



#4 buddy215 (Moderator)


Posted 11 May 2021 - 06:18 AM

Using the search term "wave browser removal" in Google, the first result is "How to get rid of Wave-abstract.com Redirect - virus removal guide".

I don't know if the extension is related to this topic or not.

QUOTE a bit:

What is wave-abstract.com?

According to the developers, Wave Abstract is a legitimate application that supposedly allows users to change the design of their homepages. Judging on appearance alone, Wave Abstract may seem legitimate, however, it is categorized as a potentially unwanted program (PUP) and a browser hijacker. The main reasons for these negative associations are installation without users' consent, stealth modification of web browser options, and information tracking. END QUOTE


Edited by buddy215, 11 May 2021 - 06:19 AM.


#5 nullcatchems (Topic Starter)


Posted 11 May 2021 - 08:52 AM

If this was a one-off thing in our network it wouldn't be a big deal, but we are seeing this browser pop up in several departments that are not necessarily connected. Right now we are taking the stance of reimaging the machine and I suspect we will block wavebrowser.co at the firewall, but since there isn't that much information out there on wavebrowser.co/wavesor I wanted to get this out there in case something in this browser.

While it may not be super ethical for a dev to force the download on you I understand it is a tactic. However, this tactic makes the software look more suspicious to me.


#6 buddy215 (Moderator)


Posted 11 May 2021 - 09:17 AM

Below copied from a PM to me from dconrad97

I believe that the Wave-Abstract browser redirect comes from a different parent company called "Extinns LTD", while this "Wave Browser" comes from Wavesor, which is owned by Polarity Technologies Ltd. Here are some sources below:

Wave-Abstract, Extinns LTD: https://www.2-viruses.com/remove-wave-abstract-com-hijacker - Scan this link in VT

Wave Browser, Wavesor, Polarity Technologies Ltd: https://i-cyprus.com/company/580204 - Scan this link in VT

In addition, I certainly agree with your warning message. It does seem to be downloading itself at a rather alarming rate across a variety of networks, without much information or vetting of the application.

V/R,

Daniel Conrad

The warning message mentioned was the one added in the opening post.....

Mod Edit :- This product is a Potentially Unwanted Program (PUP). Download and install at your own risk.


Edited by buddy215, 11 May 2021 - 09:19 AM.


#7 dconrad97


Posted 11 May 2021 - 11:51 AM

Additional Information:

Wavebrowser_ajpko2tb_.exe - Downloaded on 5/10/2021, 62,792KB - SHA-256: 33111d45c6e463b267685b51faefb49565d3e517a30940338e285c52e019e1a6

Wavebrowser_frpc0m9a_.exe - Downloaded on 5/11/2021, 934KB - SHA-256: 095e81425ebd375ebc1030b5c3cf03ff4321f58f25b3b86549512097366721f4

Key Differences & Similarities:

Wavebrowser_ajpko2tb_.exe is the full download, and does not need to reach back out to any server to install the Wave Browser (comes from hxxps://wavebrowser.co)

Wavebrowser_frpc0m9a_.exe is the network installer, it does need to reach out in order to install the rest of the browser. (comes from Doodle, VLC, or other "drive-by" sites)

Either way, both files will end up unpacking the same executables, DLLs, etc., if the file is executed (and assuming the network allows, for the network installer).

Ties to Genimous Technology Co Ltd.

Wavesor has been tied to Genimous Technology Co Ltd, which was mentioned to be malicious here (please read) -

https://medium.com/against-surveillance-capitalism/how-a-chinese-company-built-a-250-million-search-hijacking-empire-35f957566852

Wavebrowser -> Wavesor -> Polarity Technologies Ltd. -> Genimous Investment -> Genimous Technology Co Ltd.

https://en.everybodywiki.com/Polarity_Technologies_LTD

Medium Article Excerpt:

"Genimous is collecting and storing sensitive user data, including search queries, on Chinese servers, notwithstanding the extensions’ privacy policies which can be modified at any time, where the data are subject to Chinese laws on data privacy. While their privacy policies claim not to store “identifying” user data, past research has found how easy it is to de-anonymize data. Potentially sensitive searches could then be linked to users."


Personal Advice:

Stay away from Wave Browser, this is the same parent company behind all of those horrible browser hijackers. Though I can't be certain if the application is only collecting data or doing something more malicious, I am certain that it should be avoided. Genimous has clearly returned after being booed off of the market (at least by Mozilla, mentioned in the Medium article), this time with a complete application.


Edited by dconrad97, 11 May 2021 - 01:36 PM.

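A triage helper for the two indicators dconrad97 gives in post #7 (a rotating installer file name with an unchanging SHA-256), written as an added example for this thread rather than taken from it; it assumes the two hashes quoted in that post and a directory into which suspect installers have been collected for review.

```python
import hashlib
import re
from pathlib import Path
from typing import List, Optional, Tuple

# SHA-256 values quoted in the thread for the two installer variants.
KNOWN_HASHES = {
    "33111d45c6e463b267685b51faefb49565d3e517a30940338e285c52e019e1a6":
        "full installer (Wavebrowser_ajpko2tb_.exe)",
    "095e81425ebd375ebc1030b5c3cf03ff4321f58f25b3b86549512097366721f4":
        "network installer (Wavebrowser_frpc0m9a_.exe)",
}

# Naming convention described in the thread: "Wave Browser_<string>_.exe",
# where <string> rotates (ajpko2tb, frpc0m9a, ...) but the hash stays fixed.
# The optional space covers both spellings that appear in the posts.
NAME_PATTERN = re.compile(r"^wave ?browser_[a-z0-9]+_\.exe$", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    """Stream the file so a 60 MB+ installer is not loaded into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(name: str, digest: str) -> Optional[str]:
    """Verdict for one file, or None when neither indicator matches.

    A hash hit is authoritative whatever the file name, since the thread notes
    the name changes while the hash does not; a name-only hit may be a new build.
    """
    known = KNOWN_HASHES.get(digest.lower())
    if known:
        return "known Wave Browser " + known
    if NAME_PATTERN.match(name):
        return "Wave Browser naming convention, unknown hash (new build? submit for analysis)"
    return None


def scan_directory(root: Path) -> List[Tuple[str, str]]:
    """Walk a collected-samples or download directory; return (path, verdict) hits."""
    findings = []
    for p in root.rglob("*"):
        if p.is_file():
            verdict = classify(p.name, sha256_of(p))
            if verdict:
                findings.append((str(p), verdict))
    return findings
```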

#8 gringots


Posted 12 May 2021 - 03:11 AM

Hi nullcatchems

Download the tool: ZHPCleaner

https://nicolascoolman.eu/download/telechargez-zhpcleaner-gratuit/

Once on the page, click: "TÉLÉCHARGEZ ZHPCLEANER (GRATUIT)".


Save it to the desktop! (ZHPCleaner.exe)
Run ZHPCleaner.exe <<
Click "I".
Click "Scanner", where it will make the diagnosis.

Wait for completion!
Click "Report" when done!
Post the log of diagnosis: ~ Type: Scanner

Ps: This French tool is great for detecting problems in browsers.

[]s



#9 dconrad97


Posted 12 May 2021 - 11:09 AM

Gringots,

I'm not so sure that ZHPCleaner is a good option for this, and it's a bit suspicious in Virus Total and Hybrid Analysis. Google Safe Browsing also detects the site hosting this tool as malicious. For the time being, I would agree with nullcatchems' stance of a re-image, until there is more information out about the Wave Browser.

Sources:

Virus Total - https://www.virustotal.com/gui/file/a859abba730e324bfbe52f754158f799d4095abb387caebee6de74f8a45afa3d/detection

Hybrid Analysis - https://hybrid-analysis.com/sample/a859abba730e324bfbe52f754158f799d4095abb387caebee6de74f8a45afa3d

URLscan - https://urlscan.io/result/5a168e92-9c04-4281-8b5a-450724c01a2b/



#10 gringots


Posted 12 May 2021 - 12:21 PM

Hi dconrad97


dconrad97 said: Google Safe Browsing also detects the site hosting this tool as malicious.

If you are referring to the download link for ZHPCleaner, it is safe and my antivirus 360 did not give the alert.

But my instruction to use ZHPCleaner was for diagnosis, because I suspected a hijacking action.

[]s



#11 nullcatchems (Topic Starter)


Posted 13 May 2021 - 09:30 AM

Thanks for the input. It is kind of a bummer that companies resort to tactics like this, and we cannot just block download.wavebrowser.co if they have injected the download into doodle.com's exe or VLC. We don't allow users to manage extensions in their browsers since our image is carefully managed, and anything that requires an exe needs an admin password. We will continue to monitor the situation and will post if I have any other updates.



#12 gringots


Posted 15 May 2021 - 08:26 PM

Hi /!\ nullcatchems /!\

If you are knowledgeable, you can make use of this Kaspersky tool in your search.
Download: avz4en.zip (... by Oleg Zaitsev)

Save it to Program files or desktop!

Unzip it to the desktop!

[screenshot]

Open the folder avz5 and run the application, with a double click. << Shield and sword icon!
Connect to the Internet, and update the Toolkit. >> "File" >> "Database Update".
Or here:

[screenshot]

In conclusion, do not do any verification.
Do not check the box "Enable malware removal mode" since, at its maximum heuristic level, unwanted removals can occur.
We are only interested in the report (log); any possible cleanup will be carried out by script.
Click on the menu "AVZPM" >> "Install extended monitoring driver".
This driver will be important for rootkit detection. (AVZ-RK Kernel Driver)

[screenshot]

<< Search scope!

In the "Search scope" tab, check only the boxes, according to the image.

[screenshot]

<< File types!

In the "File types" tab, check the box "Exclude files matching the template" and, in the field, type "*.zip". << Without the quotes!

[screenshot]

<< Search parameters!

In the "Search parameters" tab, set Heuristic analysis to "Maximum heuristics mode".
Check the "Extended analysis" box.
Under Winsock Service Provider, check all the boxes.
Do not check the box "Report clean objects", for the report summary.
In the "Automatic actions" menu, do not check the option: "Enable malware removal mode"

Disable your antivirus or antispyware, so that avz files are not detected and/or blocked.
Close your browser, and run the tool! << Click on Start.
Completing the scan, click on the "Save log" icon to obtain the report. (avz_log)
Save this report to the desktop!
Open the avz5 again!
Click "File" >> "System Analysis".

[screenshot]

<< Results of system analysis!

Leave the markings as shown in the image!

Click on [screenshot] << Wait!

Upon completion of this scan, send the zipped file to a server. (virusinfo_syscheck.zip)

Or attach your zip.


Copy and post: avz_log.txt + Link to virusinfo_syscheck.zip
If you want, include avz_log.txt in the same 'zip' where virusinfo_syscheck is located.

[]



Article information

Author: Rob Wisoky

Last Updated: 09/30/2022
