The dawn of sophisticated PowerShell adware campaigns

While adware is usually considered annoying for users and relatively harmless to enterprise security, the adware campaigns we’ve seen since the beginning of 2016 behave more like advanced network threats.

One particularly persistent adware attack piqued our interest around March. This APT attack leverages PowerShell, the Windows scripting language, to execute commands and maintain persistence on infected hosts. Besides creating hourly scheduled tasks, the adware can also download additional malicious code and redirect the user to compromised websites.

The IOCs from our samples include the following hosts and IPs:
• Beautyfile[.]info
• sunlongo[.]info
• finhoome[.]info
• contexfix[.]info
• customsky[.]net
• easypop[.]info
• unitdata[.]info
• fliparray[.]info
• secureb[.]info
• tablezip[.]info
• forallshop[.]info
• macrosoftman[.]info
• openyes[.]info

• 37.48.119.38
• 50.63.202.63
• 146.112.61.107
• 185.17.184.6
• 185.17.184.10
• 185.17.184.11

Domain registration links Russian actors to the adware attack

A domain investigation showed that all the domains from our samples were registered in December 2015, explaining the uptick in infections. An investigation revealed that some of them were registered to Malik Kerimov, using the email addresses kerimovgan[@]autorambler.ru and kerimovga*[@]autorambler.ru. The same email addresses were used to register additional websites that were associated with malicious activity and may even be part of the campaign that infected our customers.

“@autorambler.ru” is a format used by a Russian email provider named mail.rambler.ru and is not common among non-Russian speakers, suggesting that the campaign is associated with a Russian-speaking actor.

Infection Vector

According to multiple Internet forums, people were infected after downloading the installer for either FitBit health trackers or TomTom GPS devices. We’ve seen no evidence of this but did find that the adware was downloaded with another unwanted program called Genius, a sample of which was first detected in late 2015.

The use of PowerShell in-depth

The analysis of the adware showed that it uses PowerShell to execute the following base64-encoded command:
C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe -nologo -executionpolicy bypass -noninteractive -windowstyle hidden -encodedcommand
The appendix of the full report contains the encoded command itself; it is very long and changes with every sample.
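The post quotes the launcher switches but not the decoded payload, so the following is an added example (not code from Cybereason Labs or from the campaign) showing how an analyst can triage such a command line offline: it decodes the -EncodedCommand argument (powershell.exe expects base64 of the script in UTF-16LE), flags the four switches used together above, pulls hostnames out of the decoded script, and applies the same checks to an exported scheduled task to spot the hourly repetition. The Task Scheduler XML namespace, the four-switch heuristic, and the sample script with the reserved placeholder host example.invalid are my assumptions, not values from the post.

```python
"""Added triage helper (not Cybereason's tooling): decode a PowerShell
-EncodedCommand payload and flag the launcher traits this campaign relies on,
from a process-creation log line or an exported scheduled task."""
import base64
import re
import xml.etree.ElementTree as ET

# Launcher switches quoted in the post; all four together on one command line
# is the combination worth alerting on (any one alone is common in admin scripts).
SUSPICIOUS_FLAGS = ("executionpolicy bypass", "noninteractive",
                    "windowstyle hidden", "encodedcommand")
# The base64 blob that follows -EncodedCommand or one of its short forms.
ENC_RE = re.compile(r"[-/](?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
# Hostnames inside http(s) URLs in the decoded script, to be checked against IOC lists.
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})", re.I)
# Namespace of Task Scheduler XML as produced by `schtasks /query /xml`
# (assumption: the export was not altered).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def decode_encoded_command(cmdline):
    """powershell.exe expects -EncodedCommand to be base64 of the script in
    UTF-16LE; reverse that. Returns None when no decodable blob is present."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_command_line(cmdline):
    """Summarise one command line: which suspicious switches it carries, the
    decoded script (if any) and the hostnames the script references."""
    lowered = cmdline.lower()
    decoded = decode_encoded_command(cmdline)
    return {
        "flags": [f for f in SUSPICIOUS_FLAGS if f in lowered],
        "decoded": decoded,
        "domains": sorted(set(DOMAIN_RE.findall(decoded))) if decoded else [],
    }


def triage_task_xml(xml_text):
    """Walk an exported task and report every PowerShell action, marking
    whether any trigger repeats hourly (ISO 8601 duration PT1H)."""
    root = ET.fromstring(xml_text)
    intervals = [e.text for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    findings = []
    for ex in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        if "powershell" not in cmd.lower():
            continue
        result = triage_command_line(cmd + " " + args)
        result["hourly"] = "PT1H" in intervals
        findings.append(result)
    return findings


def make_encoded(script):
    """Inverse of the decoder; used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample: a harmless stand-in script referencing the reserved
# placeholder host example.invalid, not the campaign's real payload.
SAMPLE_SCRIPT = "$cfg = 'http://example.invalid/stage'; Write-Host $cfg"
SAMPLE_ARGS = ("-nologo -executionpolicy bypass -noninteractive -windowstyle hidden "
               "-encodedcommand " + make_encoded(SAMPLE_SCRIPT))
SAMPLE_CMDLINE = r"C:\Windows\system32\WindowsPowershell\v1.0\powershell.exe " + SAMPLE_ARGS
# Constructed task export with an hourly repetition, in the schema schtasks emits.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions>
    <Exec>
      <Command>C:\\Windows\\system32\\WindowsPowershell\\v1.0\\powershell.exe</Command>
      <Arguments>""" + SAMPLE_ARGS + """</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in triage_task_xml(SAMPLE_TASK_XML):
        print("hourly:", finding["hourly"], "| flags:", finding["flags"])
        print("decoded:", finding["decoded"])
        print("domains:", finding["domains"])
```

On a real host the input would be the CommandLine field of Sysmon event 1 / Security event 4688, or the output of `schtasks /query /xml`; the hostnames returned can be compared against the IOC list above, and a task that is both hourly and carries all four switches is a strong candidate for this adware's persistence mechanism.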

Cisco and Malwarebytes analyzed the URL within the encoded command in detail and found that it contained additional instructions to change the host machine’s DNS settings. By modifying the configuration of the name server, the adware, which Cisco and Malwarebytes refer to as DNSChanger, takes complete control of a browser and redirects people to compromised websites.

Within the strings of the PowerShell commands we found references to known malware and unwanted programs, such as DNS Unlocker, System Healer, One SystemCare and Any Flix, among others. Several users were infected with one of these programs after getting infected by the adware.

Yana Blachman
About the Author

Yana Blachman is a cyber threat intelligence analyst at Cybereason Labs.