A fake ad-blocking program lets attackers hijack the processing power of infected computers to mine cryptocurrency. Analysts call this "ransomining": the malware also encrypts data on the compromised machines, so the attackers can then demand a ransom.
Ad blocking – a pretext for attackers
In February, the Monero Miner cryptocurrency ransominer infected about 2,500 computers a day.
To do this, the attackers borrowed the identity of a legitimate mobile ad-blocking application, AdShield, and disguised their malware as a Windows version of it. The malware also impersonates the OpenDNS service.
When a user starts the program, it changes the device's DNS settings so that, according to SecureList, "all domains are resolved through the attackers' servers." The attackers also block access to certain antivirus websites, such as Malwarebytes.com.
According to the researchers, "after substituting the DNS servers, the malware starts updating itself by running update.exe". The update also installs and runs a modified torrent client.
The client sends the affected computer's ID and installation details to the command-and-control (C2) server and then, according to Kaspersky, downloads the miner.
The malware encrypts files to hide better
According to the report, the modified client runs an .exe file that collects the computer's parameters. With them, the C2 server generates "a unique set of files for each machine," which makes detection harder.
To keep the miner running without interruption, the malware also creates a servicecheck_XX task in Windows Task Scheduler, where "XX are random numbers," according to the report.
Avast detected the first Monero Miner campaign in August 2020. At that time, the ransominer posed as an installer for the Malwarebytes antivirus.
How to get rid of it
Kaspersky offers a cleanup procedure for infected devices. Users can remove the malware by reinstalling the legitimate software the miner impersonated: AdShield, OpenDNS, NetshieldKit and the Transmission torrent client.
Users should also delete the following folders: C:\ProgramData\Flock, %allusersprofile%\start menu\programs\startup\flock and %allusersprofile%\start menu\programs\startup\flock2.
If the malware posed as a Malwarebytes app, users should reinstall Malwarebytes or, if it does not appear in the list of installed programs, delete these folders: "%program files%\malwarebytes", "%program files (x86)%\malwarebytes", "%windir%\.old\program files\malwarebytes" and "%windir%\.old\program files (x86)\malwarebytes".
Finally, users should delete the "servicecheck_XX" task from Windows Task Scheduler.
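The cleanup steps above can be turned into a quick triage check before anything is deleted. The following PowerShell script is an added example written for this article; it is not code from Kaspersky, SecureList or this site. It only reports: it looks for the servicecheck_XX scheduled task, the Flock startup folders, Malwarebytes folders that exist without a registered Malwarebytes install, the DNS resolvers each adapter is using, and whether Malwarebytes.com still resolves through the system resolver. It assumes Windows PowerShell 5.1 or later and an elevated prompt; the public resolver 1.1.1.1 used as a reference is an assumption, not something the report names.

```powershell
# Added example, not code from the Kaspersky/SecureList report or from this article.
# Read-only triage script for the indicators described above: it reports findings and
# deletes nothing. Assumes Windows PowerShell 5.1 or later and an elevated prompt
# (needed to enumerate every scheduled task and the DNS client settings).

$findings = @()

# 1. Scheduled task "servicecheck_XX", where XX are random digits according to the report
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
         Where-Object { $_.TaskName -match '^servicecheck_\d+$' }
foreach ($t in $tasks) {
    $exe = ($t.Actions | ForEach-Object { $_.Execute }) -join '; '
    $findings += "Scheduled task $($t.TaskPath)$($t.TaskName) runs: $exe"
}

# 2. Folders named in the report. The Flock folders are indicators in their own right.
$flockFolders = @(
    "$env:ProgramData\Flock",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup\flock",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup\flock2"
)
foreach ($f in $flockFolders) {
    if (Test-Path -LiteralPath $f) { $findings += "Folder present: $f" }
}

# The Malwarebytes folders only matter when Malwarebytes is not actually installed,
# so check the Uninstall registry keys (64-bit and 32-bit views) first.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$mbInstalled = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
               Where-Object { $_.DisplayName -like '*Malwarebytes*' }

$mbFolders = @(
    "$env:ProgramFiles\Malwarebytes",
    "${env:ProgramFiles(x86)}\Malwarebytes",
    "$env:windir\.old\Program Files\Malwarebytes",
    "$env:windir\.old\Program Files (x86)\Malwarebytes"
)
foreach ($f in $mbFolders) {
    if ((Test-Path -LiteralPath $f) -and -not $mbInstalled) {
        $findings += "Malwarebytes folder present but no Malwarebytes install is registered: $f"
    }
}

# 3. DNS client settings: list every resolver in use so it can be compared with what the
#    network should be handing out (DHCP or the organisation's own resolvers).
$dns = Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
       Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($d in $dns) {
    $findings += "DNS servers on '$($d.InterfaceAlias)': $($d.ServerAddresses -join ', ')"
}

# 4. Name-resolution check for a site the report says the malware blocks. The system
#    resolver is compared with an independent public resolver (1.1.1.1 here, an assumption;
#    substitute a resolver you trust). CDN-backed sites can legitimately return different
#    addresses, so the strong signals are a failed local lookup or a private/loopback answer.
$site  = 'malwarebytes.com'
$local = @(Resolve-DnsName -Name $site -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
$ref   = @(Resolve-DnsName -Name $site -Type A -Server 1.1.1.1 -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
if ($local.Count -eq 0) {
    $findings += "$site does not resolve through the system resolver (reference answer: $($ref -join ', '))"
} elseif ($ref.Count -gt 0 -and (Compare-Object -ReferenceObject $ref -DifferenceObject $local)) {
    $findings += "$site resolves to $($local -join ', ') locally but to $($ref -join ', ') via 1.1.1.1"
}

if ($findings.Count -eq 0) { 'No indicators from the report were found.' } else { $findings }
```

Run it from an elevated prompt and review the output before deleting anything: a Flock folder or a servicecheck task is a clear hit, while a Malwarebytes folder is only suspicious when no Malwarebytes install is registered, and a DNS difference on a CDN-hosted site can be benign.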
The best way to avoid infection, however, is to download software only from legitimate sources.