Pop-up Ads and Over a Hundred Sites are Helping Distribute Botnets, Cryptocurrency Miners and Ransom

LASER_oneXM

Feb 4, 2016
The Trend Micro Cyber Safety Solutions team has been tracking a potentially unwanted app (PUA) distribution campaign that installs PUA software downloaders. During our research, we found that some of these distributors started pushing malware along with PUAs in late 2017. In this post we focus on one of the older PUA software downloaders called ICLoader (also called FusionCore and detected by Trend Micro as PUA_ICLOADER). Different reports identified it as a PUA software downloader because it installed adware or unwanted software.

Like most threats, ICLoader evolved and adapted to the current landscape. In 2017, it began pushing various botnets, cryptocurrency miners, and the new emerging GandCrab ransomware (detected by Trend Micro as RANSOM_GANDCRAB.A). Pop-up ads were used to distribute the malware on file sharing websites and over a hundred fake software sharing websites — all of which are still live (at the time of writing). The distributors of ICLoader seem to be targeting users who are actively looking for specific software since even the pop-up ads are hosted on sites that supposedly share software.

The distribution campaign

While tracking the campaign, we found three sources distributing ICLoader. As mentioned above, one distribution method involves using pop-up ads on free file sharing service websites — a known avenue for distributing unwanted applications and malware. These file sharing websites allow users to upload their file and share a download link with other people. Pop-up advertisements appear when people click the download buttons on their page.

ICLoader uses these pop-up ads as lures for installation. When users click the download button, a pop-up ad opens on a new window with malicious links that lead to the ICLoader download page.

Users are led to believe that these are real files from the sharing website. Clicking on the link installs ICLoader, which can drop malware or unwanted apps onto the victim’s device.

Figure 1. Pop-up ad on file-sharing site leads to ICLoader download page (right)

The second distribution vector is fake software sharing websites. One group has made 117 of these sites, each one sharing hundreds of cracked software titles. The sites list detailed descriptions of the software and have ‘free download’ buttons to the cracked versions at the bottom of the page. We found that these download links all connect to servers that redirect users to download different PUA downloader software, mainly ICLoader.
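Both distribution vectors described above share one observable pattern from the network side: a click on a download button on one site (a file-sharing page or a fake "free download" page) is followed by a redirect chain that ends at an executable hosted on a third-party domain. The script below is an added example written for this thread, not code from the original post or from Trend Micro's research. It runs simple detection logic over a few constructed proxy log lines (the hostnames, timestamps and field layout are all invented for illustration), rebuilds each client's redirect chain, and flags chains that start on one site and land on an executable served from a different host.

```python
import re
from urllib.parse import urlparse

# Constructed sample proxy log lines (not taken from the page). One request per line:
# timestamp client method url status location referer   ("-" means no Location header)
SAMPLE_LOG = """\
2018-03-01T10:00:01Z 10.0.0.5 GET https://share.example/dl/report.pdf 200 - https://share.example/file/123
2018-03-01T10:00:02Z 10.0.0.5 GET https://ads.example/popunder?c=77 302 https://redir.example/go?id=9 https://share.example/file/123
2018-03-01T10:00:03Z 10.0.0.5 GET https://redir.example/go?id=9 302 https://cdn.example/setup/report_pdf_installer.exe https://share.example/file/123
2018-03-01T10:00:04Z 10.0.0.5 GET https://cdn.example/setup/report_pdf_installer.exe 200 - https://share.example/file/123
2018-03-01T10:01:00Z 10.0.0.8 GET https://vendor.example/downloads/tool.exe 200 - https://vendor.example/downloads
"""

# File extensions treated as "installer-like" for this heuristic (assumption).
EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".bat")
REDIRECT_STATUSES = (301, 302, 303, 307, 308)

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<location>\S+) (?P<referer>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        rec["location"] = None if rec["location"] == "-" else rec["location"]
        records.append(rec)
    return records


def build_chains(records):
    """Group each client's requests into redirect chains.

    A request extends the current chain only if its URL equals the Location
    the previous redirect pointed to; anything else starts a new chain.
    """
    chains = []
    pending = {}  # client -> (chain being built, URL the last redirect pointed to)
    for rec in records:
        client = rec["client"]
        chain, expected = pending.get(client, (None, None))
        if chain is not None and expected == rec["url"]:
            chain.append(rec)
        else:
            chain = [rec]
            chains.append(chain)
        if rec["status"] in REDIRECT_STATUSES and rec["location"]:
            pending[client] = (chain, rec["location"])
        else:
            pending.pop(client, None)
    return chains


def host_of(url):
    return urlparse(url).hostname or ""


def is_suspicious(chain):
    """True when a redirect chain that started on one site ends with an
    executable download from a different host (the pattern in the post)."""
    first, last = chain[0], chain[-1]
    if len(chain) < 2 or last["status"] != 200:
        return False
    path = urlparse(last["url"]).path.lower()
    if not path.endswith(EXECUTABLE_EXTS):
        return False
    origin_host = host_of(first["referer"])  # page the user clicked on
    return origin_host != "" and host_of(last["url"]) != origin_host


def find_suspicious_chains(log_text):
    return [c for c in build_chains(parse_log(log_text)) if is_suspicious(c)]


if __name__ == "__main__":
    for chain in find_suspicious_chains(SAMPLE_LOG):
        print(chain[0]["client"], "clicked on", host_of(chain[0]["referer"]), "->",
              " -> ".join(r["url"] for r in chain))
```

In the sample data only the pop-up chain from the file-sharing page is flagged: the same client's direct PDF download from the sharing site and the second client's first-party installer download have no off-site redirect hop and are left alone. In a real deployment the same logic would sit on top of whatever proxy or DNS logs you already collect, and the flagged landing hosts are the ones worth checking against the indicators from the Trend Micro report.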
 
