A new campaign is targeting users searching for the Meta Quest (formerly Oculus) application for Windows, tricking them into downloading a new adware family called AdsExhaust.
“The adware can siphon off screenshots from compromised devices and engage with browsers via emulated keystrokes,” cybersecurity firm eSentire said in an analysis, noting that it identified the activity earlier this month.
“These capabilities enable it to autonomously click through advertisements or reroute the browser to designated URLs, thereby generating revenue for the adware’s operators.”
The infection chain begins with a counterfeit website (“oculus-app[.]com”) surfacing in Google search results through search engine optimization (SEO) poisoning, which lures unwitting visitors into downloading a ZIP archive (“oculus-app.EXE.zip”) that contains a Windows batch script.
The batch script downloads a second batch script from a command-and-control (C2) server, which in turn retrieves a third batch file. It also creates scheduled tasks on the system to run the batch scripts at different intervals, which is what gives the chain persistence across reboots.
The legitimate application is then installed on the compromised host, which reduces the chance that the victim notices anything is wrong, while additional Visual Basic Script (VBS) files and PowerShell scripts are dropped to collect IP and system information, capture screenshots, and exfiltrate the data to a remote server (“us11[.]org/in.php”).
The server’s response delivers the PowerShell-based AdsExhaust adware, which checks whether Microsoft Edge is running and how much time has elapsed since the last user input.
“If Edge is active and the system is idle for over 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs embedded in the script,” eSentire reported. “It then randomly scrolls through the opened page.”
This behavior is believed to be intended to trigger elements such as ads on the page, particularly since AdsExhaust performs random clicks within specific screen coordinates.
The adware can also close the browser if mouse movement or other user interaction is detected, create an overlay to hide its activity from the victim, and search the currently open Edge tab for the term “Sponsored” in order to click on the ad and inflate ad revenue.
It can also retrieve a list of keywords from a remote server and run Google searches for them by launching Edge browser sessions with the Start-Process PowerShell cmdlet.
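The two artifact classes described above, scheduled tasks that run the batch chain and PowerShell activity that drives Edge, are what a responder would hunt for on a suspect host. The following triage script is an added example, not eSentire’s code and not AdsExhaust itself; the user-writable path patterns and the Win32 API names (GetLastInputInfo, SendKeys, keybd_event, mouse_event) are assumptions about how such a dropper and idle-check would typically be implemented, not indicators taken from the write-up.

```powershell
# Added triage script (not eSentire's code or AdsExhaust itself). It looks
# for the two artifact classes described above on the host under review:
#   1. scheduled tasks that run a script interpreter against a .bat/.vbs/.ps1
#      in a user-writable directory (the batch chain's persistence), and
#   2. PowerShell script-block log entries (event 4104, needs Script Block
#      Logging enabled) that combine an Edge launch through Start-Process with
#      the idle-time or "Sponsored" ad-click logic.
# Run from an elevated PowerShell prompt. Path patterns and the Win32 API
# names below are assumptions, not indicators taken from the write-up.

function Find-SuspiciousScriptTasks {
    $interpreters = @('cmd.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe')
    $scriptExt    = '\.(bat|cmd|vbs|ps1)(\b|")'
    # Assumption: droppers usually stage scripts under these user-writable paths.
    $userPaths    = 'AppData|\\Temp\\|\\Downloads\\|ProgramData|\\Public\\'

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # e.g. COM-handler actions
            $exe = [System.IO.Path]::GetFileName(([string]$action.Execute).Trim('"')).ToLower()
            $arguments = [string]$action.Arguments
            if ($interpreters -contains $exe -and
                $arguments -match $scriptExt -and
                $arguments -match $userPaths) {
                $info = $task | Get-ScheduledTaskInfo
                [pscustomobject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    Author    = $task.Author
                    Execute   = $action.Execute
                    Arguments = $arguments
                    # Trigger type plus repetition interval (e.g. "TimeTrigger PT10M")
                    # to spot the "varied intervals" pattern described above.
                    Triggers  = ($task.Triggers | ForEach-Object {
                        ($_.CimClass.CimClassName -replace '^MSFT_Task', '') +
                        $(if ($_.Repetition.Interval) { ' ' + $_.Repetition.Interval } else { '' })
                    }) -join ', '
                    LastRun   = $info.LastRunTime
                    NextRun   = $info.NextRunTime
                }
            }
        }
    }
}

function Find-AdsExhaustLikeScriptBlocks {
    param([int]$Days = 7)
    $indicators = @(
        'Start-Process[^\r\n]*msedge'        # Edge sessions launched from PowerShell
        'Sponsored'                          # ad-marker string the adware searches for
        'GetLastInputInfo'                   # assumption: Win32 idle-time check
        'SendKeys|keybd_event|mouse_event'   # assumption: keystroke/click emulation
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # Properties[2] is ScriptBlockText, [3] ScriptBlockId, [4] the script path (if any).
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $hits = @($indicators | Where-Object { $text -match $_ })
        if ($hits.Count -ge 2) {             # require two independent signals
            [pscustomobject]@{
                Time       = $_.TimeCreated
                ScriptId   = $_.Properties[3].Value
                Path       = $_.Properties[4].Value
                Indicators = $hits -join '; '
                Preview    = $text.Substring(0, [Math]::Min(120, $text.Length)) -replace '\s+', ' '
            }
        }
    }
}

Find-SuspiciousScriptTasks | Format-Table -AutoSize
Find-AdsExhaustLikeScriptBlocks -Days 14 | Format-List
```

The scheduled-task check matches on the action’s executable and arguments rather than the task name, because a task name is free for the attacker to choose while the interpreter and script path are not. The script-block search requires at least two of the listed signals before reporting an event, which keeps legitimate admin scripts that merely launch Edge out of the results; lower the threshold if you are looking at a host already known to be infected.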
“AdsExhaust is an adware threat that deftly manipulates user interactions and conceals its activities to generate unauthorized revenue,” the Canadian company said.
“It encompasses various techniques, including retrieving malicious code from the C2 server, emulating keystrokes, capturing screenshots, and creating overlays to remain undetected while conducting harmful activities.”
The development comes as similar bogus IT support websites surfacing in search results are being used to distribute Hijack Loader (also known as IDAT Loader), which ultimately leads to a Vidar Stealer infection.
What sets this attack apart is the threat actors’ use of YouTube videos to promote the fake site and bots to post deceptive comments, lending an air of legitimacy to the page for users seeking a fix for a Windows update error (error code 0x80070643).
“This underscores the effectiveness of social engineering tactics and the imperative for users to verify the authenticity of online solutions,” eSentire remarked.
The disclosure also follows a malspam campaign targeting Italian users with invoice-themed ZIP archive lures to deliver a Java-based remote access trojan known as Adwind (also tracked as AlienSpy, Frutas, jRAT, JSocket, Sockrat, and Unrecom).
“Upon extraction, the user is presented with .HTML files such as INVOICE.html or DOCUMENT.html, leading to malicious .jar files,” Broadcom-owned Symantec reported.
“The final payload is the Adwind remote access trojan (RAT), which grants the attackers control over the compromised endpoint, as well as the ability to collect and exfiltrate confidential data.”