the last week, a fake ad began to appear in Google search results, disguised as…
Infecting the victim’s machine begins with the use of the Installer module, which will install and configure a malicious browser extension, as well as ensure a constant presence in the system by creating a scheduled task (malware will pretend to be Windows Update).
Read also: Following Chrome, Firefox will mark all HTTP-pages as “unsafe”
Next, another framework module, Finder, will start collecting cookies and credentials on the infected system, sending them to its operators in the format of ZIP archives. Additionally, this module will communicate with the secondary management server, which transmits malware commands and reports with what frequency it is necessary to collect and steal data from infected systems.
The third module, Patcher, was used in an earlier version of the framework for installing a malicious extension, but in recent versions, it was already included in the Installer module.
After successful browser compromise, extension will immediately begin to work, embedding advertising on sites and generate traffic that is hidden for the user (for example, it will “watch” Twitch streams in the background or like videos on YouTube).
“Basically, the framework code is related to advertising fraud and includes scripts that search for and replace advertising-related code on web pages, but the framework also contains code to track information about clicks and transfer other data to management servers”, – experts write.
Interestingly, introduction of advertising does not occur on all sites that the victim visits. It means that malware has extensive “black lists”, which include Google domains, various Russian resources and porn sites.
News-bpudepi.today is a domain that tries to trick you into subscribing to its browser notifications…
Doguhtam.xyz is a site that tries to trick you into subscribing to its browser notifications…
News-xlixoti.com is a site that tries to force you into subscribing to its browser notifications…
Ducesousightion.com is a domain that tries to trick you into clik to its browser notifications…
News-xlabica.live is a domain that tries to trick you into clik to its browser notifications…
Mergechain.co.in is a site that tries to trick you into subscribing to its browser notifications…