Fake ad-blocking software lets attackers take over the processing power of computers to mine cryptocurrency. Analysts call this "ransomining": the malware also encrypts data on the infected machines, so the attackers can then demand a ransom.
In February, the Monero Miner cryptocurrency ransominer infected about 2,500 computers every day.
To spread it, the attackers borrowed the identity of a legitimate mobile ad-blocking app, AdShield, and disguised their malware as a Windows version of it. The malware also impersonates the OpenDNS service.
When a user launches the program, it changes the DNS settings on the device so that "all domains are resolved through the attackers' servers," according to SecureList. Those servers also block access to certain antivirus websites, such as Malwarebytes.com.
Moreover, according to the researchers, "after substituting the DNS servers, the malware starts updating itself by running update.exe". The update also installs and runs a modified torrent client.
The client sends the affected computer's ID and the install details to the command-and-control server (C2). Then, according to Kaspersky, it downloads the miner.
According to the report, the modified client runs an .exe file whose job is to collect the computer's parameters. This lets the attackers generate "a unique set of files for each machine" on the C2 server, which obstructs detection.
The malware also makes sure the miner runs without interruption by creating a servicecheck_XX task in Windows Task Scheduler, where "XX are random numbers," according to the report.
Avast detected the first Monero Miner campaign in August 2020. At that time, the ransominer pretended to be an installer for the Malwarebytes antivirus.
Kaspersky offers a solution for infected devices: users can remove the malware by reinstalling the legitimate software the miner impersonated or affected, i.e. AdShield, OpenDNS, NetshieldKit and the Transmission torrent client.
Users should also delete the folders C:\ProgramData\Flock, %allusersprofile%\start menu\programs\startup\flock and %allusersprofile%\start menu\programs\startup\flock2.
If the malware instead pretends to be a Malwarebytes app, users should reinstall Malwarebytes or, if the program does not appear in the list of installed apps, delete these folders: "%program files%\malwarebytes", "program files (x86)\malwarebytes", "%windir%\.old\program files\malwarebytes" and "%windir%\.old\program files (x86)\malwarebytes".
Users should also delete the "servicecheck_XX" task from Windows Task Scheduler.
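The clean-up steps above can be checked and applied from an elevated PowerShell session. The script below is an added example, not code from the article, Kaspersky or SecureList: it audits a host for the artifacts the report names (unexpected DNS resolvers, an antivirus domain that no longer resolves, the servicecheck_XX scheduled task and the Flock and fake-Malwarebytes folders) and removes the task and folders only when run with -Remediate. The task-name pattern `^servicecheck_\d+$` is inferred from the report's "XX are random numbers", and the default expected resolvers are assumed example values (OpenDNS's public ones); replace them with your own.

```powershell
<#
  Added example (not from the article or the vendors it cites).
  Audit-only by default; -Remediate deletes the scheduled task and folders.
  Assumes Windows 8+/Server 2012+ (DnsClient and ScheduledTasks modules),
  run as Administrator.
#>
param(
    [switch]$Remediate,
    # Resolvers you expect on this host (assumed example values).
    [string[]]$ExpectedDns = @('208.67.222.222', '208.67.220.220')
)

$findings = @()

# 1. DNS settings: the malware points the host at attacker-controlled resolvers.
foreach ($cfg in (Get-DnsClientServerAddress -AddressFamily IPv4)) {
    if ($cfg.ServerAddresses.Count -eq 0) { continue }
    $unexpected = @($cfg.ServerAddresses | Where-Object { $_ -notin $ExpectedDns })
    if ($unexpected.Count -gt 0) {
        $findings += "DNS: interface '$($cfg.InterfaceAlias)' uses unexpected resolver(s): $($unexpected -join ', ')"
    }
}

# 2. Symptom check: the attacker resolvers block certain antivirus sites.
foreach ($domain in @('malwarebytes.com')) {
    try { $null = Resolve-DnsName -Name $domain -Type A -ErrorAction Stop }
    catch { $findings += "DNS: '$domain' does not resolve ($($_.Exception.Message))" }
}

# 3. Persistence: the servicecheck_XX task that keeps the miner running
#    (pattern assumed from the report's "XX are random numbers").
$tasks = @(Get-ScheduledTask | Where-Object { $_.TaskName -match '^servicecheck_\d+$' })
foreach ($t in $tasks) {
    $findings += "Task: $($t.TaskPath)$($t.TaskName) (runs: $($t.Actions[0].Execute))"
    if ($Remediate) {
        Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false
    }
}

# 4. Dropped folders named in the article.
$folders = @(
    "$env:ProgramData\Flock",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup\flock",
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup\flock2"
)
# The Malwarebytes folders are only suspect when no Malwarebytes product is
# actually installed: a genuine install lives in the same place, so check the
# Uninstall registry keys first, as the article's "if it does not appear in the
# app list" condition requires.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
             Where-Object { $_.DisplayName -like 'Malwarebytes*' }
if (-not $installed) {
    $folders += @(
        "$env:ProgramFiles\Malwarebytes",
        "${env:ProgramFiles(x86)}\Malwarebytes",
        "$env:windir\.old\Program Files\Malwarebytes",
        "$env:windir\.old\Program Files (x86)\Malwarebytes"
    )
}
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        $findings += "Folder: $f"
        if ($Remediate) { Remove-Item -LiteralPath $f -Recurse -Force }
    }
}

if ($findings.Count -eq 0) { Write-Output 'No indicators from the report found.' }
else { $findings | ForEach-Object { Write-Output $_ } }
```

Run it once without arguments to see what it finds, then with `-Remediate` to remove the task and folders. DNS is reported but deliberately not changed: hosts with static resolver settings would lose them, so restore the correct servers by hand (for example with `Set-DnsClientServerAddress -InterfaceIndex <n> -ResetServerAddresses` on DHCP-configured interfaces), and reinstall the impersonated programs as the article advises.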
Still, the best way to avoid infection is to download only legitimate software.