Fake Windows Ad Blocker Changes DNS and Mines Monero

Experts from Kaspersky Lab have analyzed an ongoing malware campaign that hijacks victims’ computing resources for cryptocurrency mining. The Windows malware is distributed under the guise of legitimate applications and primarily targets users in Russia and other CIS countries.

How the Malware Spreads

During the ongoing campaign, several programs have been identified whose names are borrowed by attackers for disguise—these include ad blockers like AdShield and Netshield, as well as the OpenDNS service. The malicious fakes are distributed through specially created websites, which users can reach via links in search engine results. Researchers believe these attacks are a continuation of a summer campaign previously discovered by Avast.

Malware Behavior and Operation

The malware behaves the same way in all cases. When launched, it changes the DNS settings, redirecting requests to the attackers’ own name servers. This allows them to monitor and block access to cybersecurity company websites. Afterward, the malware connects to a command-and-control (C2) server, sends data about the infected system, and checks for updates by running updater.exe.

Once updated, the malware downloads and launches a modified Transmission torrent client from a fake website. This client notifies the operators of a successful installation and downloads a mining module—a set of files unique to each infected machine.

Cryptomining and Persistence

The decrypted payload launches the XMRig cryptocurrency miner, disguised as the legitimate utility find.exe. To ensure the miner keeps running, a special task is created in the Windows Task Scheduler.
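The two behaviours described above, a changed DNS configuration and a scheduled task that runs XMRig under the name find.exe, are the host-level traces a defender would go looking for. The PowerShell triage script below is an added example for this page, not code from Kaspersky’s report or from the malware. It assumes a list of approved resolvers ($ApprovedDns) and a pair of reference domains, both placeholders to be adapted per environment; it flags interfaces whose resolvers are outside the allow-list, tests whether security-vendor domains resolve through the local resolver as they do through an independent one, and lists scheduled tasks that execute a find.exe located outside the Windows system directories.

```powershell
# Added triage example (not from the original report). Run in an elevated
# PowerShell session on the host under investigation.
# Assumptions: the resolvers below are the ones this environment expects;
# the reference server and domains are placeholders for illustration.
$ApprovedDns     = @('10.0.0.53', '10.0.1.53', '1.1.1.1', '8.8.8.8')
$ReferenceServer = '1.1.1.1'
$ProbeDomains    = @('kaspersky.com', 'avast.com')

function Get-SuspiciousDnsConfig {
    # One object per interface; anything not on the allow-list is reported.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $unexpected = $_.ServerAddresses | Where-Object { $ApprovedDns -notcontains $_ }
            if ($unexpected) {
                [pscustomobject]@{
                    Interface  = $_.InterfaceAlias
                    Unexpected = ($unexpected -join ', ')
                }
            }
        }
}

function Test-SecurityDomainResolution {
    # The report says the attackers' resolvers block security-company sites.
    # Compare the local answer with an answer from an independent resolver;
    # an empty local answer while the reference answers is the interesting case.
    foreach ($domain in $ProbeDomains) {
        $local = Resolve-DnsName -Name $domain -Type A -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
        $ref   = Resolve-DnsName -Name $domain -Type A -Server $ReferenceServer -ErrorAction SilentlyContinue |
                 Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
        [pscustomobject]@{
            Domain          = $domain
            LocalAnswer     = ($local -join ', ')
            ReferenceAnswer = ($ref -join ', ')
            LikelyBlocked   = (-not $local) -and [bool]$ref
        }
    }
}

function Get-SuspiciousFindTasks {
    # The genuine find.exe lives in System32/SysWOW64; a task that launches a
    # find.exe from anywhere else matches the masquerade described in the report.
    $legitimate = '^"?(%SystemRoot%|C:\\Windows)\\(System32|SysWOW64)\\find\.exe"?$'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }
            $leaf = Split-Path -Leaf $exe.Trim('"')
            if ($leaf -ieq 'find.exe' -and $exe -notmatch $legitimate) {
                $path = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Execute   = $exe
                    Arguments = $action.Arguments
                    SHA256    = if (Test-Path $path) { (Get-FileHash -Algorithm SHA256 $path).Hash } else { '<missing>' }
                }
            }
        }
    }
}

"== DNS servers outside the allow-list =="
Get-SuspiciousDnsConfig | Format-Table -AutoSize
"== Security-vendor domain resolution (local vs reference) =="
Test-SecurityDomainResolution | Format-Table -AutoSize
"== Scheduled tasks launching a non-system find.exe =="
Get-SuspiciousFindTasks | Format-List
```

The resolution comparison is a heuristic: CDN-backed domains routinely return different addresses from different resolvers, so only an empty local answer alongside a non-empty reference answer is treated as a sign of blocking. The hash of any flagged find.exe is printed so it can be checked against the hash of the genuine binary in System32 or submitted to a reputation service.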

Scale of the Attack

Since early February, Kaspersky’s security solutions have registered over 7,000 unique attempts to install these fake applications as part of the current campaign. On peak days, attackers carried out more than 2,500 such attacks, mainly in Russia and other CIS countries.
