Deceptive ads continue to represent the primary distribution vector for the vast majority of Potentially Unwanted Applications (PUAs) that we track. Primarily relying on ‘visual social engineering’ tactics, gullible end users fall victims to these privacy-violating applications, largely due to the fact that they instantaneously agree to the terms in the End User’s Agreement presented to them.
We’ve recently spotted yet another variant of the InstallBrain family of Potentially Unwanted Applications (PUA’s), tricking users into installing a bogus PC performance boosting application. Let’s assess this campaign and provide actionable intelligence on the domains/IPs and related privacy-violating MD5s known to have shared the same infrastructure as the initial PUA profiled in this post.
Sample screenshot of the landing page:
Sample detection rate for PurpleTech Software Inc’s PC Performer:
MD5: f85a9d94027c2d44f33c153b22a86473 – detected by 10 out of 50 antivirus scanners as PUA.InstallBrain!
Once executed, the sample phones back to:
hxxp://inststats-1582571262.us-east-1.elb.amazonaws.com – 220.127.116.11
hxxp://api.ibario.com – 18.104.22.168
Domain name reconnaissance:
api.ibario.com – 22.214.171.124; 126.96.36.199; 188.8.131.52; 184.108.40.206; 220.127.116.11
thepcperformer.com – 18.104.22.168; 22.214.171.124; 126.96.36.199; 188.8.131.52
Certificate Serial Number: 043990240F90A4
Known to have responded to the same C&C server (184.108.40.206) are also the following MD5s:
Known to have phoned back to the same IP (220.127.116.11) are also the following MD5s:
Webroot SecureAnywhere users are proactively protected from these threats.