Malware authors have used two versions of PBot; in both, the infection involves injecting a malicious DLL into the browser. The first version injects JavaScript into web pages to display ads.
The attackers also update PBot frequently, and each new version modifies the scripts to make the obfuscation harder to analyze. The latest version can additionally update its own scripts and download fresh browser extensions.
In April alone, PBot attempted to install itself on more than 50,000 users' systems, and the number kept rising in the following months, with victims concentrated in Russia, Ukraine, and Kazakhstan.
PBot Distribution Process
PBot is distributed through partner websites whose owners embed scripts that redirect visitors to sponsored links.
When a user visits a partner site, clicking anywhere on the page pops up a new window that opens an intermediate link.
That link redirects the user to the PBot download page, from which the adware is downloaded and run on the victim's machine; the first stage delivered is an HTA file.
According to Kaspersky, PBot consists of several Python scripts and executes as follows:
The source file *.hta downloads an executable file, which is the NSIS installer of PBot, to %AppData%.
The installer drops a folder with the Python 3 interpreter, Python scripts, and a browser extension into %AppData%.
Using the subprocess library, the ml.py script adds two tasks to Windows Task Scheduler. The first is tasked with executing ml.py when the user signs into the system, while the second runs app.py daily at 5:00. In addition, the winreg library is used to write the app.py script to the autoloader.
Later, the launchall.py and launch.py scripts run app.py, which is responsible for updating the PBot scripts and downloading new browser extensions.
Finally, the DLL is injected into the launched browser and installs the ad extension, which adds various banners to pages and redirects the user to advertising sites.
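The persistence steps above (two scheduled tasks created via subprocess and a Run-key value written via winreg, all pointing at a Python interpreter dropped under %AppData%) are the easiest part of the chain to hunt for. The following script is an added example, not code from Kaspersky or from PBot: it parses `schtasks /query /fo CSV /v` output and Run-key values and flags any action that launches python*.exe out of %AppData%. The sample data is constructed; the task names, the user name "alice" and the drop folder "ex1" are hypothetical, since the report does not name them.

```python
"""Hunt for PBot-style persistence: scheduled tasks and Run-key values that
launch a Python interpreter dropped under %AppData%.

Added example, not code from Kaspersky or from PBot. The sample data below is
constructed; task names, the user "alice" and the folder "ex1" are hypothetical.
"""
import csv
import io
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Indicator: a python*.exe anywhere under %AppData%\Roaming or %LocalAppData%.
# The PBot installer drops its own Python 3 interpreter there.
APPDATA_PYTHON = re.compile(r"(?i)\\AppData\\(?:Roaming|Local)\\.*?\\python[\w.]*\.exe")
# Per-user CPython installs legitimately live here; skip them to cut noise.
KNOWN_GOOD = re.compile(r"(?i)\\AppData\\Local\\Programs\\Python\\")


def is_suspicious_command(cmd: str) -> bool:
    """True if the command line runs a Python interpreter out of %AppData%."""
    return bool(APPDATA_PYTHON.search(cmd)) and not KNOWN_GOOD.search(cmd)


def suspicious_tasks(schtasks_csv: str) -> List[Tuple[str, str, str]]:
    """Scan `schtasks /query /fo CSV /v` output; return (task name,
    schedule type, command) for every task whose action is suspicious."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        if row.get("TaskName") == "TaskName":  # schtasks repeats the header per folder
            continue
        cmd = row.get("Task To Run") or ""
        if is_suspicious_command(cmd):
            findings.append((row["TaskName"], row.get("Schedule Type", ""), cmd))
    return findings


def suspicious_run_values(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Same check over the name -> command mapping of a Run key."""
    return [(name, cmd) for name, cmd in values.items() if is_suspicious_command(cmd)]


def read_run_key(hive, path=r"Software\Microsoft\Windows\CurrentVersion\Run") -> Dict[str, str]:
    """Enumerate a Run key with winreg (Windows only; empty dict if absent)."""
    import winreg
    values: Dict[str, str] = {}
    try:
        with winreg.OpenKey(hive, path) as key:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    break
                values[name] = str(data)
                i += 1
    except OSError:
        pass
    return values


def hunt_live_host() -> Optional[Tuple[list, list]]:
    """Run both checks on the current Windows host; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                         capture_output=True, text=True, check=True).stdout
    run_values: Dict[str, str] = {}
    for hive in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
        run_values.update(read_run_key(hive))
    return suspicious_tasks(out), suspicious_run_values(run_values)


# Constructed sample: a subset of the verbose schtasks CSV columns.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Schedule Type","Start Time"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Monthly","N/A"
"WS01","\Update","C:\Users\alice\AppData\Roaming\ex1\python.exe ml.py","At logon time","N/A"
"WS01","\UpdateDaily","C:\Users\alice\AppData\Roaming\ex1\python.exe app.py","Daily","05:00:00"
'''

# Constructed sample of HKCU\...\Run values (one benign, one PBot-like).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "app": r"C:\Users\alice\AppData\Roaming\ex1\python.exe C:\Users\alice\AppData\Roaming\ex1\app.py",
}

if __name__ == "__main__":
    for finding in suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print("task:", finding)
    for finding in suspicious_run_values(SAMPLE_RUN_VALUES):
        print("run key:", finding)
    live = hunt_live_host()
    if live:
        print("live host:", live)
```

On the sample data the two hypothetical tasks (logon-triggered ml.py and the daily 05:00 app.py) and the "app" Run value are flagged while the Defrag task and OneDrive entry are not. The check is a triage heuristic keyed on the interpreter location rather than on task names, which the report does not give; a hit should be followed by inspecting the dropped folder under %AppData% for the Python scripts and browser extension, and the running browser for the injected DLL.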