Malware Analysis PCTonics Scareware PUP campaign

  • Thread starter Deleted member 65228
Hello all.

Time to expose a scare-ware / spam campaign.

wKQjL7.jpg

The image in the above spoiler is a fake Anti-Virus scan report displayed on a fake website which is infringing on Microsoft trademarks and trying to disguise itself as Microsoft - it's guaranteed that there are poor individuals out there who will have fallen for it, which is a shame. At first glance you'll notice "Application: Reimage", so it is possible this was originally intended as an affiliate attempt for Reimage Repair; however, the campaign does not actually direct you to anything from Reimage Repair.

The document comes packed with JavaScript, and after inspecting the JavaScript source code you can see that the redirection URL is hard-coded, so it isn't taken from an external source that would allow the campaign to be a bit more flexible. Below is a snippet of JavaScript taken directly from the campaign and a quick explanation of how the redirection is performed.

Code:
// Hard-coded destination; nothing is fetched from a remote config.
var link_redirect = "hxxp://trktrk044.com/click";

// Only run on browsers that support the History API.
if (window.history && window.history.pushState) {
    // Fired when the user traverses history (e.g. presses Back).
    window.onpopstate = function () {
        var hashLocation = location.hash;
        var hashSplit = hashLocation.split("#!/");
        var hashName = hashSplit[1]; // undefined unless the URL contains "#!/"
        if (hashName !== '') {
            var hash = window.location.hash;
            if (hash === '') {
                // alert('Back button was pressed.');
                window.onbeforeunload = null;   // disable any "leave page?" prompt
                window.location=link_redirect;  // top-level navigation to the campaign URL
                return false;
            }
        }
    };
    // Push a dummy entry so the first Back press stays on this page and triggers onpopstate.
    window.history.pushState('forward', null, '#forward');
}

L7se65.jpg

The URL has been censored in the spoiler image; however, the link was not censored as much in the code snippet: I replaced "http" with "hxxp", which is a standard thing to do.

The snippet above works by changing the window's location property to the URL the campaign wants to redirect to; this action is performed when the user initiates the fake scan checkup on the campaign website and decides to proceed by clicking the blue button to fix the non-existent problems.

Let's take a quick look shall we.

XxU1ef.jpg

The image in the spoiler above does have the sub-domain of the URL censored for obvious reasons; however, the source which redirects you to this extension of the campaign has a less-censored link in the previous images, as already mentioned regarding "http" and "hxxp".

We can straight up see that this campaign claims that your system is 'infected with Malware, running slow, giving you errors' and that you 'need to fix these problems'. The campaign continues on by stating that 'WinTonic is the only solution of its kind to all these problems. This software eliminates the need to take your pc to local technicians and spend extra money to get rid of these problems'.


aXjuc6.jpg

Currently the download source is: hxxps://bgtc.pctonics.com/pctn/wtc/builds/apst/1009/wintonic.exe

On that note, you should notice how HTTPS is being used for this campaign, along with the VeriSign Secured banner from Symantec (Norton), to help persuade innocent visitors into believing in it. This is a common tactic which has been applied since forever.

Thanks for reading as always.
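The following is an added example, not part of the original post or the campaign's code: a minimal in-memory model of `window.location` and `window.history` (the names `FakeWindow`, `installBackTrap` and `simulateVisit`, and the `example.invalid` landing URLs, are my own constructions) used to trace the quoted snippet offline. The model mimics two browser rules that matter here: `pushState()` changes the URL without firing `popstate`, and a history traversal such as the Back button restores the previous entry and does fire it. Running it shows when the hard-coded `link_redirect` actually fires and that the `hashName !== ''` guard never blocks anything on a hash-less landing URL.

```javascript
"use strict";

// Value hard-coded in the campaign script quoted above.
const LINK_REDIRECT = "hxxp://trktrk044.com/click";

function hashOf(url) {
  const i = url.indexOf("#");
  return i === -1 ? "" : url.slice(i);
}

// Resolve the URL argument of pushState against the current URL; only the
// "#fragment" form the campaign uses is modelled.
function resolveAgainst(current, target) {
  return target.startsWith("#") ? current.split("#")[0] + target : target;
}

// Hypothetical stand-in for the browser window object (assumption, not a real API).
class FakeWindow {
  constructor(url) {
    this._loc = { href: url, hash: hashOf(url) };
    this.navigations = [];   // top-level navigations caused by `window.location = ...`
    this.onpopstate = null;
    this.onbeforeunload = null;
    const entries = [url];
    let index = 0;
    this.history = {
      // pushState: new entry and URL change, but no popstate event.
      pushState: (_state, _title, target) => {
        const next = resolveAgainst(this._loc.href, target);
        entries.splice(index + 1);
        entries.push(next);
        index += 1;
        this._load(next);
      },
      // back(): traverse to the previous entry, then fire popstate.
      back: () => {
        if (index === 0) return false;
        index -= 1;
        this._load(entries[index]);
        if (typeof this.onpopstate === "function") this.onpopstate({ state: null });
        return true;
      },
    };
  }
  _load(url) { this._loc = { href: url, hash: hashOf(url) }; }
  get location() { return this._loc; }
  // Assigning a string to window.location is a top-level navigation.
  set location(target) {
    const url = String(target);
    this.navigations.push(url);
    this._load(url);
  }
}

// The campaign's handler with `window` replaced by the model; the logic is unchanged.
function installBackTrap(win, linkRedirect) {
  if (win.history && win.history.pushState) {
    win.onpopstate = function () {
      var hashLocation = win.location.hash;
      var hashSplit = hashLocation.split("#!/");
      var hashName = hashSplit[1];      // undefined unless the URL contained "#!/"
      if (hashName !== "") {            // undefined !== "" is true, so this rarely blocks
        var hash = win.location.hash;
        if (hash === "") {              // true once Back restored the original hash-less URL
          win.onbeforeunload = null;
          win.location = linkRedirect;  // the redirect
          return false;
        }
      }
    };
    win.history.pushState("forward", null, "#forward"); // burn a history entry on load
  }
}

// Load the landing page, optionally press Back once, and report what happened.
function simulateVisit(startUrl, pressBack) {
  const win = new FakeWindow(startUrl);
  installBackTrap(win, LINK_REDIRECT);
  const hashAfterLoad = win.location.hash;
  if (pressBack) win.history.back();
  return { hashAfterLoad, navigations: win.navigations.slice(), finalHref: win.location.href };
}

// Constructed landing URLs (not from the campaign).
console.log(simulateVisit("hxxps://example.invalid/fake-scan", false));
console.log(simulateVisit("hxxps://example.invalid/fake-scan", true));
console.log(simulateVisit("hxxps://example.invalid/fake-scan#!/scan", true));
```

Two things the trace makes visible: the redirect is driven entirely by the Back press (the page loads with `#forward` appended and no navigation happens until `popstate` fires), and the trap is inert if the landing URL already carried a fragment, because `location.hash` is then non-empty after Back and the `hash === ''` test fails.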
