Some time ago, we discovered a number of fake apps delivering a Monero cryptocurrency miner to user computers. They are distributed through malicious websites that may turn up in the victim’s search results. By the look of it, it appears to be a continuation of the summer campaign covered by our colleagues from Avast. Back then, cybercriminals distributed malware under the guise of the Malwarebytes antivirus installer.
In the latest campaign, we have seen several apps impersonated by the malware: the ad blockers AdShield and Netshield, as well as the OpenDNS service. This article analyzes only fake AdShield app, but all the other cases follow the same scenario.
Technical details
Distributed under the name adshield[.]pro, the malware impersonates the Windows version of the AdShield mobile ad blocker. After the user starts the program, it changes the DNS settings on the device so that all domains are resolved through the attackers’ servers, which, in turn, prevent users from accessing certain antivirus sites, such as Malwarebytes.com.
After substituting the DNS servers, the malware starts updating itself by running update.exe with the argument self-upgrade (“C:Program Files (x86)AdShieldupdater.exe” -self-upgrade). Updater.exe contacts C&C and sends data about the infected machine and information about the start of the installation. Some of the lines in the executable file, including the line with the C&C server address, are encrypted to make static detection more difficult.
Updater.exe code snippet containing the encrypted address
Updater.exe downloads from the site transmissionbt[.]org and runs a modified version of the T ..
Support the originator by clicking the read the rest link below.
