Installation
This threat can be downloaded directly from the Internet by imitating a legitimate software download. We have seen it use the following file names:
- BkgHC.exe
- far-cry-3-reggae.exe
- GDuoh.exe
- i0fqW.exe
- install_flashplayer12x32_mssa_aaa_aih.exe
- lemmings-vollversion-deutsch.exe
- ppc2.exe
- QJSg9.exe
- sgk-toan-lop-9.exe
- VOMdc.exe
It can also be installed by other malware, including the Fiesta exploit kit.
The malware installs itself to %LOCALAPPDATA%\<random folder>\<random file name>.exe. For example, we have seen it installed to the following locations:
It then installs its two main payloads: a click fraud component and a click hijacking component.
Click fraud component
This component consists of two dynamic-link library (.dll) files, installed as %LOCALAPPDATA%\<random path>\<random name>.dll. For example, we have seen it installed to the following locations:
It also downloads another file that contains the encrypted click fraud payload. This file has the same random name as the .dll file, but with one of the following extensions:
It changes the following registry entries so that it runs each time you start your PC:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Owkqics"
With data: "%LOCALAPPDATA%\Owkqics\<MalwareFile>.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Ovsdics"
With data: "regsvr32.exe %LOCALAPPDATA%\Ovsdics\<random name>.dll"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Atntworks"
With data: "regsvr32.exe %LOCALAPPDATA%\Owkqics\<random name>.dll"
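The persistence entries above can be checked from an elevated or per-user PowerShell session. The script below is an added example for this page, not tooling from the original analysis: it flags the three value names reported here and, as a generalisation for samples that pick different random names, any Run value that launches regsvr32.exe against a DLL under %LOCALAPPDATA%. The HKCU path and the value names come from the analysis; the regsvr32 heuristic and the informational "runs from %LOCALAPPDATA%" tier are assumptions of this example.

```powershell
# Added example (not from the original analysis). Hunts the current user's Run
# key for the persistence entries described above. Value names are taken from
# this analysis; the regsvr32/%LOCALAPPDATA% heuristic is a generalisation for
# samples that use different random names.
function Find-SuspiciousRunEntries {
    param(
        [string]   $RunKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        [string[]] $KnownNames = @('Owkqics', 'Ovsdics', 'Atntworks')   # names seen in this analysis
    )
    $item = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
    if (-not $item) { return @() }

    # Get-ItemProperty adds these provider properties alongside the registry values
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($prop in $item.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $data     = [string]$prop.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($data)

        $inLocalAppData = $expanded.IndexOf($env:LOCALAPPDATA, [StringComparison]::OrdinalIgnoreCase) -ge 0
        # regsvr32 at the start of the command, with or without a directory or .exe suffix
        $usesRegsvr32   = $expanded -match '(?i)^\s*"?([a-z]:\\[^"]*\\)?regsvr32(\.exe)?"?\s'

        $reason = $null
        if ($KnownNames -contains $prop.Name) {
            $reason = 'value name reported in this analysis'
        } elseif ($usesRegsvr32 -and $inLocalAppData -and $expanded -match '(?i)\.dll') {
            $reason = 'regsvr32.exe registering a DLL under %LOCALAPPDATA%'
        } elseif ($inLocalAppData) {
            $reason = 'runs from %LOCALAPPDATA% (review: legitimate updaters do this too)'
        }

        if ($reason) {
            [pscustomobject]@{ Name = $prop.Name; Data = $data; Reason = $reason }
        }
    }
}

Find-SuspiciousRunEntries | Format-Table -AutoSize
```

The script only reads the hive of the user running it; to sweep other accounts on the same machine, point -RunKey at the corresponding HKU:\<SID>\...\Run path after mounting the HKU drive (New-PSDrive -PSProvider Registry -Root HKEY_USERS -Name HKU). Treat the third tier as informational: many legitimate per-user installers also start from %LOCALAPPDATA%, whereas a Run value that hands a DLL in a random %LOCALAPPDATA% folder to regsvr32.exe deserves a closer look.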
Click hijacking component
This component is installed as a browser plugin for the Chrome and Firefox web browsers. It creates the following files:
- Mozilla Firefox extension (the profile folder name, e4t2dvz3.default in this analysis, is generated randomly for each Firefox installation):
  - %APPDATA%\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\chrome.manifest
  - %APPDATA%\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\components\MHTMLAsynchronousPluggable.js
  - %APPDATA%\Mozilla\Firefox\Profiles\e4t2dvz3.default\extensions\{05271894-B636-177D-D56A-AF64DF39A8A6}\install.rdf
- Google Chrome extension:
  - %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\background.js
  - %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\content.js
  - %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\ajpgkpeckebdhofmmjfgcjjiiejpodla\5.0.3\manifest.json
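Because the Firefox profile folder is random per installation and Chrome can have several profiles ("Default", "Profile 1", ...), a check for the plugin should enumerate profiles rather than hard-code the paths above. The script below is an added example for this page, not code from the original analysis; the two extension IDs are the ones listed above, and everything else (profile enumeration, reading the extension name from manifest.json, the file listing) is this example's own assumption about how to present the result.

```powershell
# Added example (not from the original analysis). Looks for the click-hijacking
# extension in every Firefox and Chrome profile of the current user. The extension
# IDs are the ones reported in this analysis; profile folders are enumerated because
# the Firefox profile name (e4t2dvz3.default in the analysis) differs per machine.
function Find-HijackExtensions {
    param(
        [string] $FirefoxExtensionId = '{05271894-B636-177D-D56A-AF64DF39A8A6}',
        [string] $ChromeExtensionId  = 'ajpgkpeckebdhofmmjfgcjjiiejpodla'
    )

    # Firefox keeps one folder per profile under %APPDATA%\Mozilla\Firefox\Profiles
    $ffProfiles = Join-Path $env:APPDATA 'Mozilla\Firefox\Profiles'
    if (Test-Path $ffProfiles) {
        foreach ($profile in Get-ChildItem -Path $ffProfiles -Directory) {
            $extDir = Join-Path $profile.FullName "extensions\$FirefoxExtensionId"
            if (Test-Path $extDir) {
                [pscustomobject]@{
                    Browser = 'Firefox'; Profile = $profile.Name; Path = $extDir; Name = $null
                    Files   = (Get-ChildItem -Path $extDir -Recurse -File | Select-Object -ExpandProperty Name) -join ', '
                }
            }
        }
    }

    # Chrome: one folder per profile, each with Extensions\<id>\<version>\manifest.json
    $chromeUserData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    if (Test-Path $chromeUserData) {
        foreach ($profile in Get-ChildItem -Path $chromeUserData -Directory) {
            $extDir = Join-Path $profile.FullName "Extensions\$ChromeExtensionId"
            if (-not (Test-Path $extDir)) { continue }
            foreach ($versionDir in Get-ChildItem -Path $extDir -Directory) {
                $manifestPath = Join-Path $versionDir.FullName 'manifest.json'
                $name = $null
                if (Test-Path $manifestPath) {
                    # The name the extension shows in chrome://extensions; may be a
                    # localisation placeholder such as __MSG_appName__
                    try { $name = (Get-Content -Path $manifestPath -Raw | ConvertFrom-Json).name } catch { }
                }
                [pscustomobject]@{
                    Browser = 'Chrome'; Profile = $profile.Name; Path = $versionDir.FullName; Name = $name
                    Files   = (Get-ChildItem -Path $versionDir.FullName -Recurse -File | Select-Object -ExpandProperty Name) -join ', '
                }
            }
        }
    }
}

$hits = @(Find-HijackExtensions)
if ($hits.Count -eq 0) { 'No matching extension found' } else { $hits | Format-Table -AutoSize }
```

Run it as the affected user (the paths are under that user's %APPDATA% and %LOCALAPPDATA%). A hit with the file names listed above (chrome.manifest, install.rdf, components\MHTMLAsynchronousPluggable.js for Firefox; background.js, content.js, manifest.json for Chrome) corroborates the match; removing the extension folder alone is not enough, since the click fraud component and its Run entries will still be present.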
Payload
Uses your PC for click fraud
This threat can use your PC for click fraud. It loads its two malicious dynamic-link library (.dll) files from %LOCALAPPDATA%\<random path>\<random name>.dll.
It connects to a remote command and control server (C&C) to receive click fraud commands. We have seen it connect to:
After receiving click fraud commands from the C&C, the malware silently creates many Internet Explorer (iexplore.exe) processes and injects malicious code into them to perform hidden click fraud.
These hidden processes can be seen in Task Manager, as shown below:
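Task Manager shows the processes but not why they exist. A windowless iexplore.exe is not suspicious on its own, because Internet Explorer's own tab processes are windowless children of the iexplore.exe frame process, so the useful signal is a windowless iexplore.exe whose parent is neither iexplore.exe nor explorer.exe (for instance the malware's .exe or regsvr32.exe). The script below is an added example for this page, not code from the original analysis; the parent-process whitelist and the alert threshold are this example's assumptions.

```powershell
# Added example (not from the original analysis). Lists iexplore.exe processes and
# flags windowless ones that were not started by Internet Explorer itself or by
# explorer.exe, which is the pattern the click fraud component produces. The
# whitelist of parents and the alert threshold are assumptions of this example.
function Find-HiddenIEProcesses {
    param([int] $AlertThreshold = 3)   # assumption: a few hidden IE processes is normal, dozens is not

    $ie = @(Get-CimInstance -ClassName Win32_Process -Filter "Name = 'iexplore.exe'")
    $parentCache = @{}

    $rows = foreach ($p in $ie) {
        if (-not $parentCache.ContainsKey($p.ParentProcessId)) {
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
            $parentCache[$p.ParentProcessId] = if ($parent) { $parent.Name } else { '<exited>' }
        }
        $parentName = $parentCache[$p.ParentProcessId]

        # Get-Process exposes the main window handle; 0 means no top-level window
        $proc      = Get-Process -Id $p.ProcessId -ErrorAction SilentlyContinue
        $hasWindow = ($null -ne $proc) -and ($proc.MainWindowHandle -ne 0)

        [pscustomobject]@{
            Pid         = $p.ProcessId
            ParentPid   = $p.ParentProcessId
            Parent      = $parentName
            HasWindow   = $hasWindow
            # IE tab processes are windowless children of iexplore.exe; a user-launched
            # IE frame is a child of explorer.exe. Anything else spawning hidden IE is odd.
            Suspicious  = (-not $hasWindow) -and ($parentName -notin @('iexplore.exe', 'explorer.exe'))
            CommandLine = $p.CommandLine
        }
    }
    $rows = @($rows)
    $suspicious = @($rows | Where-Object { $_.Suspicious })

    [pscustomobject]@{
        Total      = $rows.Count
        Hidden     = @($rows | Where-Object { -not $_.HasWindow }).Count
        Suspicious = $suspicious.Count
        Alert      = $suspicious.Count -ge $AlertThreshold
        Processes  = $rows
    }
}

$result = Find-HiddenIEProcesses
"iexplore.exe processes: $($result.Total), hidden: $($result.Hidden), suspicious: $($result.Suspicious), alert: $($result.Alert)"
$result.Processes | Where-Object { $_.Suspicious } | Format-Table Pid, ParentPid, Parent, CommandLine -AutoSize
```

If the parent has already exited (the malware may start the IE processes and move on), Parent shows <exited> and the row is still flagged, which is the right behaviour here: orphaned, windowless IE processes are exactly what the screenshot above shows. On a machine where Internet Explorer is absent the function simply returns zero processes.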
Redirects your web browser for click hijacking
This threat can hijack your search engine results. When you search the Internet using Chrome or Firefox, the malicious plugin submits the search term to its C&C server and waits for a reply. The reply contains the redirection chain.
The threat targets specific search keywords, such as the following:
- Books
- Headphone
- Insurance
- Laptop
- Loans
- Pills
- poker
- Shoes
- work at home
We have seen searches with these key words redirect to these legitimate websites:
These websites can change at any time.
Analysis by Duc Nguyen