Fake Ad Blocker Delivers Hybrid Cryptominer/Ransomware Infection – Threatpost

A hybrid Monero cryptominer and ransomware bug has hit 20,000 machines in 60 days.
At its previous peak in February, the Monero Miner cryptocurrency ransominer was targeting more than 2,500 users a day, disguised as an antivirus installer. Now, the tricky hybrid malware is on the rise again, this time impersonating an ad blocker and OpenDNS service.
In total, it has infected more than 20,000 users in less than two months, researchers at Kaspersky warned, in a report on Wednesday.

Ransomining lets threat actors take over computing power to mine cryptocurrency — in this case Monero — and also encrypts the data to hold for ransom. In this case, the open-source XMRig ransominer is used as its base, Kaspersky said.
The malware, disguised as an application called “AdShield Pro,” looks and acts like a Windows version of the legitimate AdShield mobile ad blocker, in addition to impersonating the OpenDNS service, the Kaspersky report explained.
“After the user starts the program, it changes the DNS settings on the device so that all domains are resolved through the attackers’ servers, which, in turn, prevents users from accessing certain antivirus sites, such as Malwarebytes.com,” Kaspersky researchers said. “After substituting the DNS servers, the malware starts updating itself by running update.exe.”
The updater also downloads and runs a modified Transmission torrent client, which sends the ID of the targeted computer along with install details to the command-and-control server (C2), and then downloads the miner, Kaspersky said.
Parts of the files are encrypted to make the malware harder to identify, the report added.
“The modified Transmission client runs flock.exe, which first of all calculates the hash of the parameters of the infected computer and the data from the data.pak file, and then compares it with the hash from the lic.data file,” the report explained. “This is necessary because the C2 generates a unique set of files for each machine so as to hinder static detection and prevent the miner from running and being analyzed in various virtual environments.”
At this point, if the hashes don’t match, the execution is stopped, the report said. Otherwise the payload is decrypted and installed.
“To ensure the continuous operation of the miner, a servicecheck_XX task is created in Windows Task Scheduler, where XX are random numbers,” the report added. “The task runs flock.exe with the argument ‘minimize.’”
These attacks appear to be part of an earlier Monero Miner campaign first detected by Avast in August, which disguised the Monero ransominer bug as a Malwarebytes antivirus installer, researchers said.
Overall, users in Russia and Commonwealth of Independent States (CIS) countries are most likely to be targeted, they added.
Kaspersky added that the miner can be removed by reinstalling the legitimate file that it masquerades as.
If flock.exe is found on the device, researchers recommend uninstalling NetshieldKit, AdShield, OpenDNS and the Transmission torrent client. They also recommend deleting these folders, if present:
If it’s pretending to be a Malwarebytes application, reinstall it — however if the program isn’t showing on the list of apps, delete the following folders:
Finally, they recommend deleting the “servicecheck_XX” task in the Windows Task Scheduler.
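The indicators the report describes (a servicecheck_XX scheduled task launching flock.exe with the “minimize” argument, hijacked DNS resolver settings, the flock.exe/data.pak/lic.data file set, and the AdShield, NetshieldKit, OpenDNS and Transmission installs the malware hides behind) can be checked on a host with a short PowerShell triage script. The script below is an added example written for this article, not code from Kaspersky or Threatpost; it assumes an elevated session on Windows 10 or Server 2016 and later, and the two resolver addresses in the allow-list are placeholders to be replaced with your own.

```powershell
# Added example (not from the Kaspersky report or Threatpost): triage for the
# AdShield Pro / Monero Miner indicators named in the article.
# Assumes an elevated PowerShell session on Windows 10 / Server 2016 or later
# (ScheduledTasks and DnsClient modules present). Report-only by default;
# -Remediate unregisters matching scheduled tasks.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$findings = @()

# 1. Persistence: Task Scheduler entries named servicecheck_<digits> that run
#    flock.exe with the argument "minimize", as the report describes.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskName -match '^servicecheck_\d+$' }
foreach ($task in $tasks) {
    foreach ($action in $task.Actions) {
        $exe      = [string]$action.Execute
        $taskArgs = [string]$action.Arguments
        if ($exe -match 'flock\.exe' -or $taskArgs -match 'minimize') {
            $findings += [pscustomobject]@{
                Indicator = 'ScheduledTask'
                Detail    = "$($task.TaskName) -> $exe $taskArgs"
            }
            if ($Remediate) {
                Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
            }
        }
    }
}

# 2. DNS hijack: the malware points every adapter at attacker-controlled resolvers.
#    Compare the configured resolvers against an allow-list you maintain.
#    The two addresses below are RFC 5737 placeholders, not real resolvers.
$approvedResolvers = @('192.0.2.53', '198.51.100.53')
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 |
       Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($entry in $dns) {
    $unexpected = $entry.ServerAddresses | Where-Object { $_ -notin $approvedResolvers }
    if ($unexpected) {
        $findings += [pscustomobject]@{
            Indicator = 'DnsResolver'
            Detail    = "$($entry.InterfaceAlias): $($unexpected -join ', ')"
        }
    }
}

# 3. Dropped files named in the report, searched under the usual install roots.
$roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA", "$env:APPDATA")
$nameHints = 'flock.exe', 'data.pak', 'lic.data'
foreach ($root in $roots | Where-Object { $_ -and (Test-Path $_) }) {
    Get-ChildItem -Path $root -Recurse -File -Include $nameHints -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{ Indicator = 'File'; Detail = $_.FullName }
        }
}

# 4. Installed programs the malware masquerades as (the report's uninstall list).
$uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -match 'AdShield|NetshieldKit|OpenDNS|Transmission' }
foreach ($app in $installed) {
    $findings += [pscustomobject]@{ Indicator = 'InstalledProgram'; Detail = $app.DisplayName }
}

if ($findings.Count -eq 0) {
    Write-Output 'No indicators from the AdShield Pro / Monero Miner report found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it without switches first and review the table; a hit on the scheduled task or an unexpected resolver is the strongest signal, while a legitimate OpenDNS or Transmission install on its own is not. Only the scheduled task is removed by -Remediate; the report's remaining steps (uninstalling the masquerading programs, deleting their folders, reinstalling the legitimate application) are left to the operator so that a genuine install is not torn down by mistake.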
To avoid the infection in the first place, users should download software only from legitimate sources and avoid pirated versions.
Oliver on March 11, 2021