Reading Time: ~ 2 min.

Rogue vendors of Potentially Unwanted Applications (PUAs) continue tricking tens of thousands of gullible users into installing deceptive and privacy violating applications. Largely relying on ‘visual social engineering’ tactics and basic branding concepts, the majority of campaigns convincingly present users with legitimately looking ToS (Terms of Service)/EULA (End User License Agreements) which socially engineered users accept, thereby assuming the responsibility for the potential privacy-violating activities taking place on their host.

We’ve recently spotted yet another PUA campaign, relying on deceptive “Download Now” types of ads, enticing users into downloading the bogus GetMyFiles (Adware.Linkular) application, as well as the rogue SpeedUpMyPC (Win32.SpeedUpMyPC.A) PUA. Let’s profile the campaign, and provide actionable intelligence on the infrastructure behind it.

More details:

Sample screenshot of Adware.Linkular download page:

W32.Linkular_W32.SpeedUpMy_PUA_Potentially_Unwanted_Application

Sample screenshot of Win32.SpeedUpMyPC.A download page:

W32.Linkular_W32.SpeedUpMy_PUA_Potentially_Unwanted_Application_01

Sample redirection chain:
hxxp://ad.propellerads.com/ck.php?oaparams=2__bannerid=91608__zoneid=605__OXLCA=1__cb=__oadest=http%3A%2F%2Fwww.getmyfilesnow.info%2F%3Fpid%3D887%26context%3D%24{SUBID} -> hxxp://www.getmyfilesnow.info/?pid=887&context=4912867270

Domain name reconnaissance:
getmyfilesnow.info – 54.208.165.36
getmyfilesnow.com – 174.142.147.2
coollinks.us – 174.142.147.5
linkular.com – 208.109.216.125

Detection rate for the PUA:
MD5: 0d60941d1ec284cab2e861e05df89511 – detected by 6 out of 51 antivirus scanners as Adware.Linkular

Known to have responded to 54.208.165.36, are also the following PUA samples:
MD5: e3d7a5dda69a83a4dbffb195fe41e68f
MD5: 3f9e510e2ebe20141dbb8b61ea15e21b
MD5: 9a4dd0724d8d241d748c6b2d4658a996
MD5: 567545c3947667913853ab34bdf38e3b
MD5: 83d21d9a6a1df8a4b4beb6190dbe8266
MD5: a08a35a241b0c7aa6ed7dda7ae8bab1e
MD5: 07aae60ce06590a3b8a4e86d0b94335a
MD5: 9ab73e226bfd9393b13423490d3ed77d
MD5: 75ec259b97e67f1174820beee4cafa29

Once executed, the sample phones back to:
hxxp://107.23.152.80/api/software/?s=887&os=win32&output=1&v=2.2.2&l=1033&np=0&osv=5.1&b=ie&bv=8.0.6001.18702&c=12&cv=2.2.2.1768

Known to have been downloaded from the same IP (107.23.152.80) are also the following PUAs:
MD5: a3f2dca9cf2fbf0b6221db476b9d889c
MD5: 8f021a07e83f2b455aad969268fbcba7
MD5: 57d1a9c5de77ac85e79ad675df7753dc

Compete Inc’s Certificate Serial ID: 4A 4A CA E0 72 F8 06 5D 9C 03 E2 A2 24 09 75 B0
AdvanceMark’s Certificate Serial ID: 52 32 D1 95 19 B6 63 90 12 01 63 65 2B E1 E8 9E
Linkular LLC, 2012’s Certificate Serial ID: 27 C7 0F 80 92 79 A3

Responding to 107.23.152.80 is also the rogue mspowerpack.com, which redirects to hxxp://www.uniblue.com/cm/foxlingo/speedupmypc/banner1/download (Win32.SpeedUpMyPC.A).

Known to have been downloaded from the same IP (107.23.152.80) are also the following PUAs:
MD5: a3f2dca9cf2fbf0b6221db476b9d889c
MD5: 8f021a07e83f2b455aad969268fbcba7
MD5: 57d1a9c5de77ac85e79ad675df7753dc

Sample detection rate for the Win32.SpeedUpMyPC.A PUA:
MD5: 0a8ecb11e39db5647dcad9f0cc938c99 – detected by 3 out of 51 antivirus scanners as PUP.Optional.SpeedUpMyPC

Known to have been downloaded from uniblue.com (176.34.125.17; 46.137.104.179; 50.19.240.60; 54.217.212.162; 54.246.105.117) are also the following PUAs:
MD5: 178e9cf3c95c0867104f14310bec10cf
MD5: 573a55f36b0ff521ac5012a7ae935a04
MD5: 3ee4e5cc4ee74b45fbbba507181efaeb
MD5: 563750b3b4a7f00115c83708a7e95d39
MD5: a59e9a0ce57365bbef2042f52d622539
MD5: abc3534ef2b1086330151ef42423d208
MD5: d41ea1f04ef610566b0ad4750b2040e7

Uniblue Systems’s Certificate Serial ID: 38 B5 E3 0A ED 74 F6 CD 05 D8 F2 0F 18 E8 91 E2

Webroot SecureAnywhere users are proactively protected from these PUAs.

Blog Staff

About the Author

Blog Staff

The Webroot blog offers expert insights and analysis into the latest cybersecurity trends. Whether you’re a home or business user, we’re dedicated to giving you the awareness and knowledge needed to stay ahead of today’s cyber threats.

Share This