Threat Research

AdsExhaust, a Newly Discovered Adware MasqueradingOculus Installer

Esentire

Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.

These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators.

The infection began when the user performed a web search for the Oculus application and visited the malicious page serving the adware. Upon clicking “Download Now,” the user will receive a ZIP archive containing the batch script named “oculus-app.EXE” (MD5: f089c37110f17041640910b0d49bfc5a).

The batch script is responsible for the following:

  • Retrieving an additional batch script called “backup.bat” (MD5: 6cba1871dcf173af8c031a543b4ac561) from the C2 server
  • Creating the “backup.bat” batch file that contains the command to retrieve the “update.bat” (MD5: ef2666d085fc1d8897b58935637c308e) batch file.
  • Creating three tasks to run the batch files at different times.
  • Starts the download of the legitimate Oculus application from the browser at hxxp://us5.co/downloading[.]php?dl=oculus&id=%COMPUTERNAME%_%USERNAME%” (where %COMPUTERNAME% contains the computer name of the host and %USERNAME% contains the username of the host)
Figure 1: Initial Infection Chain

The backup.bat file is responsible for dropping additional scripts, such as VBS (Visual Basic Script) and PowerShell, to the host and creating more scheduled tasks for persistence (Figure 2). The files are dropped under the “AppDataLocalwespmail” path.

Figure 2: Scheduled tasks created

The scheduled tasks eventually lead to the execution of the PowerShell script (Figure 3). The PowerShell script runs in a continuous loop for 9 minutes while performing the following tasks:

  • Attempts to retrieve IP information such as IP address, city, region, and country from ipinfo[.]io. If the request fails, it initializes these values as empty strings.
  • Captures a screenshot of the host and saves it as a JPEG image in the temp directory.
  • Checks for changes in a specific log file at “$env:LOCALAPPDATAwespmail9.log”. If there are changes, it encodes the new content in base64 and updates a counter (length of the log file) in another file named “4”. The log file contains information on the PowerShell transcript, such as start time, username, process ID, etc.
  • Gathers basic system information like the operating system name, machine name, and username.
  • Constructs a JSON payload with the collected data, including the base64-encoded screenshot, log changes, system information, and file metadata (name, length and last write time of the file) from “wespmail” directory.
  • Attempts to send the JSON data to hxxp://us11[.]org/in.php.
  • Manages the response and updates another file named “7” based on the response from the C2 server.
  • Deletes the screenshot in the temp directory and sleeps for 15 seconds before repeating.
  • Checks if the string “MxC=” is found in the response from C2 server, if found the script extracts the substring starting just after “MxC=”, base64 encodes it and saves it under “7” file.
Figure 3: Snippet of the PowerShell script containing the JSON data sent to the C2 server (comments are added for clarity)

AdsExhaust Main Payload

The response from the server contains the main PowerShell payload which is AdsExhaust adware. The AdsExhaust creates a mutex “Globaledgeuniqueprocess” to ensure that only one instance is running. It then checks if the Microsoft Edge browser is running and determines the last time a user input occurred.

If Edge is running and the system is idle and exceeds 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs embedded in the script (Figure 4). It then randomly scrolls up and down the opened page.

This might be intended to trigger elements such as ads. AdsExhaust performs random clicks within specific coordinates on the screen. This could be done to target specific advertising areas.

Figure 4: Snippet of the URLs embedded in the script

If the adware detects mouse movement or user interaction, it closes the opened browser. It’s also worth noting that the adware captures a screenshot of the device and creates an overlay (Figure 5) to hide its activities and deceive the user about the system’s real state.

Figure 5: Snippet that takes the screenshot and creates an overlay

If the Edge browser is already running, the adware searches for the word “Sponsored” in the currently opened tab and attempts to interact with it, simulating user interactions to fraudulently increase ad revenue through artificial clicks on sponsored ads.

The adware makes a web request to hxxp://us99[.]org/keywords.txt to fetch a list of keywords (the server appeared to be offline when writing this article). If the keyword is successfully retrieved, the adware launches Microsoft Edge, directing it to perform a Google search on the selected keyword via the following command:

  • Start-Process “msedge” “hxxps://www.google[.]com/search?q=$encodedKeyword”

AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue. It contains multiple techniques, such as retrieving malicious code from the C2 server, simulating keystrokes, capturing screenshots, and creating overlays to remain undetected while engaging in harmful activities.

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the customer of suspicious activities.

What can you learn from this TRU Positive?

  • The initial infection vector through a seemingly legitimate download highlights the need for vigilance when downloading software, especially from unofficial or suspicious websites.
  • The article emphasizes the need for continuous user education about the risks of unsolicited downloads and the importance of verifying the authenticity of the source before downloading any files.
  • Understand the nature of adware attacks that not only perform simple ad clicks but also engage in activities like data exfiltration, system monitoring, and complex interaction with web browsers to mimic human behavior.

Recommendations from our Threat Response Unit (TRU):

We recommend implementing the following controls to help secure your organization against AdsExhaust:

Indicators of Compromise

You can access Indicators of Compromise here.

Source: Original Post

Tags: BACKUP, PERSISTENCE, LEARN, BREACH, SOC, BROWSER, PAYLOAD, EXFILTRATION