PBot - Adware Install on Browser Extension & Bypass Security System

A powerful Python-based adware called PBot (PythonBot) has gone beyond its original purpose: it installs and runs a hidden malicious miner on the victim's computer.

Malware authors use two versions of PBot. The infection starts by injecting a malicious DLL into the browser. The first version injects JS scripts to display ads on web pages.

The second version attempts to install the malicious adware in the compromised victim's browsers.

Attackers also frequently release new versions with modifications to the script that make the obfuscation more complicated. In addition, this version of PBot has the ability to update its scripts and download fresh browser extensions.

In April alone, PBot attempted to install itself on more than 50,000 users' machines, and the number kept increasing in the following months, with targets in countries such as Russia, Ukraine, and Kazakhstan.


PBot Distribution Process

PBot is distributed through partner websites, where site owners implement scripts that redirect users to sponsored links.

Once users visit the partner site, clicking anywhere on the page pops up a new window that opens an intermediate link.

This link redirects users to the PBot download page, which downloads the adware to the targeted victim's machine and runs it, starting from an HTA file.


According to Kaspersky, PBot consists of several Python scripts and executes its files in the following way:
  • The source file *.hta downloads an executable file, which is the NSIS installer of PBot, to %AppData%.
  • The installer drops a folder with the Python 3 interpreter, Python scripts, and a browser extension into %AppData%.
  • Using the subprocess library, the ml.py script adds two tasks to Windows Task Scheduler. The first is tasked with executing ml.py when the user signs into the system, while the second runs app.py daily at 5:00. In addition, the winreg library is used to write the app.py script to the autoloader.
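A defender-side check for the persistence pattern just described, added here as an example and not code from the article or from Kaspersky: it flags Run-key values and scheduled tasks whose command line launches a Python interpreter living under %AppData% on a .py script. The folder name dropped_dir and every sample entry are constructed, and collecting the live Run values and task list from a host is assumed to happen separately.

```python
import re

# Matches a command line that runs a Python interpreter dropped under the
# user's AppData directory with a .py script argument, i.e. the persistence
# pattern above (interpreter and scripts in %AppData%, launched by a task
# or a Run-key value). Case-insensitive, verbose regex.
APPDATA_PYTHON = re.compile(
    r"""(?ix)
    (?:%appdata%|\\appdata\\(?:roaming|local)\\)  # interpreter lives under AppData
    [^"\s]*python(?:w)?\.exe                      # python.exe or pythonw.exe
    .*?\S+\.py\b                                   # followed by a .py script
    """
)


def is_suspicious_command(cmd: str) -> bool:
    """True if cmd launches an AppData-resident Python interpreter on a script."""
    return APPDATA_PYTHON.search(cmd) is not None


def find_pbot_like_persistence(run_values, tasks):
    """Return (source, name, command) triples worth an analyst's review.

    run_values: mapping of Run-key value name -> command line.
    tasks: iterable of (task name, trigger description, command line).
    """
    hits = []
    for name, cmd in run_values.items():
        if is_suspicious_command(cmd):
            hits.append(("run_key", name, cmd))
    for name, trigger, cmd in tasks:
        if is_suspicious_command(cmd):
            hits.append((f"task:{trigger}", name, cmd))
    return hits


# Constructed sample data (not real PBot artifacts); dropped_dir is a placeholder.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "app": r'"C:\Users\u\AppData\Roaming\dropped_dir\python\pythonw.exe" "C:\Users\u\AppData\Roaming\dropped_dir\app.py"',
}
SAMPLE_TASKS = [
    ("EdgeUpdate", "logon", r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe /c"),
    ("ml", "logon", r"%APPDATA%\dropped_dir\python\python.exe %APPDATA%\dropped_dir\ml.py"),
    ("app", "daily 05:00", r"%APPDATA%\dropped_dir\python\python.exe %APPDATA%\dropped_dir\app.py"),
]

if __name__ == "__main__":
    for source, name, cmd in find_pbot_like_persistence(SAMPLE_RUN_VALUES, SAMPLE_TASKS):
        print(f"[{source}] {name}: {cmd}")
```

On a real host the same function can be fed the Run key read via winreg and the task list exported from Task Scheduler; a legitimate Python install under Program Files is not flagged.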

Later, the launchall.py and launch.py scripts run the app.py file, which is responsible for updating the PBot scripts and downloading new browser extensions.

Finally, a DLL is injected into the launched browser and installs the ad extension, which adds various banners to pages and redirects the user to advertising sites.

IoCs:

