Categories: News

Hackers use fake ad blocking software for ransomining

A fake ad blocking application lets attackers hijack the processing power of infected computers in order to mine cryptocurrency. Analysts called this "ransomining": according to the article's sources, the malware also encrypts data on the infected machines, so the attackers can then demand a ransom.

Ad blocking – a pretext for attackers

The Monero Miner cryptocurrency ransominer managed to infect about 2,500 computers a day during February.

To do this, the attackers borrowed the image of a legitimate mobile ad blocker, AdShield, and disguised their malware as a Windows version of it. The malware also impersonates the OpenDNS service.

When a user starts the program, it changes the DNS settings on the device, so that "all domains are resolved through the attackers' servers," according to SecureList. The attackers' resolvers also block access to certain antivirus websites, such as Malwarebytes.com.

Moreover, according to the researchers, "after substituting the DNS servers, the malware starts updating itself by running update.exe". The update also installs and runs a modified torrent client.

The modified client sends the affected computer's ID and the installation details to the command-and-control server (C2). Then, according to Kaspersky, it downloads the miner.

The malware tailors its files to each machine to hide better

According to the report, the modified client runs an .exe file whose job is to collect the computer's parameters. With these, the C2 server generates "a unique set of files for each machine," which obstructs signature-based detection.

To keep the miner running without interruption, the malware creates a servicecheck_XX task in Windows Task Scheduler, where "XX are random numbers," according to the report.

Avast detected the first Monero Miner campaign in August 2020. At that time, the ransominer posed as an installer for the Malwarebytes antivirus.

How to get rid of it

Kaspersky offers a clean-up procedure for infected devices. Users can remove the malware by reinstalling the legitimate programs whose names the miner abuses: AdShield, OpenDNS, NetshieldKit and the Transmission torrent client.

Users should also delete the following folders: C:\ProgramData\Flock, %allusersprofile%\start menu\programs\startup\flock and %allusersprofile%\start menu\programs\startup\flock2.

If the malware posed as the Malwarebytes app instead, users should reinstall Malwarebytes, or, if the program does not appear in the list of installed apps, delete these folders: "%program files%\malwarebytes", "%program files (x86)%\malwarebytes", "%windir%\.old\program files\malwarebytes" and "%windir%\.old\program files (x86)\malwarebytes".

Finally, users should delete the "servicecheck_XX" task from Windows Task Scheduler, and restore the DNS settings the malware changed.
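The clean-up steps above can be scripted. The following PowerShell script is an added example; it is not code from Kaspersky, SecureList or the article. It looks for the indicators the article lists (the Flock folders, the leftover Malwarebytes folders, the servicecheck_XX scheduled task, and the DNS servers each adapter is actually using), reports what it finds, and deletes only when run with -Remove. The folder paths are the ones quoted in the article; the "Microsoft\Windows\Start Menu" variants are my assumption for current Windows versions, where the old %allusersprofile%\Start Menu path survives only as a compatibility junction. Run it from an elevated PowerShell prompt.

```powershell
<#
Added example (not from the Kaspersky/SecureList report or the article).
Hunts for the indicators the article lists and removes them only with -Remove.
-ResetDns additionally puts every "Up" adapter back on DHCP-assigned DNS servers,
which is only appropriate on machines that do not use a static DNS configuration.
#>
[CmdletBinding()]
param(
    [switch]$Remove,    # actually delete the folders and the scheduled task
    [switch]$ResetDns   # also reset DNS servers on every Up adapter
)

$allUsers = $env:ALLUSERSPROFILE   # normally C:\ProgramData

# Folder indicators quoted in the article, plus the modern Start Menu location (assumption).
$flockDirs = @(
    "$env:ProgramData\Flock",
    "$allUsers\Start Menu\Programs\Startup\flock",
    "$allUsers\Start Menu\Programs\Startup\flock2",
    "$allUsers\Microsoft\Windows\Start Menu\Programs\Startup\flock",
    "$allUsers\Microsoft\Windows\Start Menu\Programs\Startup\flock2"
)

# Leftover Malwarebytes folders from the earlier campaign. These only matter when the
# real product is NOT installed; on a 32-bit host ProgramFiles(x86) is empty, so drop it.
$mbDirs = @(
    "$env:ProgramFiles\Malwarebytes",
    "${env:ProgramFiles(x86)}\Malwarebytes",
    "$env:windir\.old\Program Files\Malwarebytes",
    "$env:windir\.old\Program Files (x86)\Malwarebytes"
) | Where-Object { $_ -notlike '\*' }

$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$mbInstalled = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Malwarebytes*' }

function Test-Indicator([string[]]$Paths, [string]$Label) {
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            Write-Host "[$Label] found: $p"
            if ($Remove) { Remove-Item -LiteralPath $p -Recurse -Force }
        }
    }
}

Test-Indicator $flockDirs 'Flock'
if ($mbInstalled) {
    Write-Host "Malwarebytes is installed ($($mbInstalled.DisplayName -join ', ')); reinstall it instead of deleting its folders."
} else {
    Test-Indicator $mbDirs 'Malwarebytes leftover'
}

# Persistence: the servicecheck_XX task, where XX are random digits.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskName -match '^servicecheck_\d+$' }
foreach ($t in $tasks) {
    $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Write-Host "[Task] $($t.TaskPath)$($t.TaskName) -> $action"
    if ($Remove) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
}

# DNS hijack: list the resolvers each adapter uses; anything you did not configure is suspect.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { Write-Host "[DNS] $($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" }

# The report says the attackers' resolvers block antivirus sites such as Malwarebytes.com.
try {
    $r = Resolve-DnsName -Name 'malwarebytes.com' -Type A -ErrorAction Stop
    Write-Host "[DNS] malwarebytes.com resolves to $($r.IPAddress -join ', ')"
} catch {
    Write-Host "[DNS] malwarebytes.com does not resolve: $($_.Exception.Message)"
}

if ($ResetDns) {
    Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } |
        ForEach-Object { Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ResetServerAddresses }
}
```

Run it once without switches to see what is present, then with -Remove (and -ResetDns if the machine normally gets its DNS servers from DHCP). Reinstalling the legitimate AdShield, OpenDNS, NetshieldKit or Transmission packages, as the article recommends, is still required: the script only removes the indicators the report names, not whatever the per-machine "unique set of files" happens to be called.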

In any case, the best way to avoid infection is to download software only from its legitimate source.

Laurentiu Titei

Laurentiu, a creative content writer, has been producing articles about technology for more than 10 years. He is interested in all the security and internet news and his mainstream media background helps make them readable for all kinds of users. Moreover, he grows the appropriate social media channels for websites.
