Alert: Latest Malvertising Campaign Targets Meta Quest App Seekers
A new campaign is tricking users looking for the Meta Quest (formerly Oculus) application for Windows into installing a new malvertising variant called AdsExhaust.
“The malvertising can glean screenshots from infected devices and interact with browsers through emulated keystrokes,” cybersecurity company eSentire stated in an examination, noting it detected the behavior earlier this month.
“These capabilities enable it to automatically navigate through ads or steer the browser to specific URLs, generating profits for the malvertising operators.”
The initial infection process involves presenting the fraudulent website (“oculus-app[.]com”) in Google search results pages using search engine optimization (SEO) manipulation methods, enticing unwary site visitors to download a ZIP package (“oculus-app.EXE.zip”) containing a Windows batch script.
The batch script is structured to retrieve a secondary batch script from a command-and-control (C2) server, which, in turn, includes an instruction to fetch another batch file. It also establishes scheduled tasks on the system to execute the batch scripts at varied intervals.
This phase is followed by the installation of the legitimate app on the compromised machine, while additional Visual Basic Script (VBS) files and PowerShell scripts are deployed at the same time to collect IP and system details, capture screenshots, and send the data to a remote server (“us11[.]org/in.php”).
The server's reply is the PowerShell-based AdsExhaust malvertising, which checks whether Microsoft's Edge browser is running and when the user was last active.
“If Edge is active and the system is idle and surpasses 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs coded in the script,” eSentire said. “It then scrolls randomly up and down the displayed page.”
This behaviour is believed to be designed to trigger elements such as ads on the page, particularly since AdsExhaust performs random clicks within defined regions of the screen.
The malvertising is also capable of shutting down the active browser if it detects mouse movement or user engagement, forming an overlay to veil its actions from the victim, and scanning for the term “Sponsored” in the ongoing Edge browser tab to click on the advertisement with the aim of boosting ad revenue.
Moreover, it is designed to retrieve a list of keywords from a remote server and run Google searches for them by launching Edge browser sessions with the Start-Process PowerShell cmdlet.
“AdsExhaust is a malvertising menace that craftily orchestrates user interactions and conceals its actions to generate illicit earnings,” the Canadian firm highlighted.
“It incorporates numerous methodologies, such as fetching malevolent code from the C2 server, simulating keystrokes, capturing screenshots, and crafting overlays to remain unseen while engaging in detrimental activities.”
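Mapping the chain described above onto process-creation telemetry, as an added example that is not part of the original article or of eSentire's tooling; the event field names (a minimal Sysmon-style process-creation record) and the sample records are assumptions, while the domains come from the report:

```python
import re

# Indicators quoted in the article above (defanging brackets removed).
REPORT_INDICATORS = ("oculus-app.com", "us11.org/in.php")

# (rule name, parent-image pattern, image pattern, command-line pattern).
# Each rule maps one step of the chain described in the report onto a
# process-creation event; the event field names are an assumption, modelled
# on a minimal Sysmon Event ID 1 record.
RULES = [
    ("bat_creates_scheduled_task",          # batch script registers scheduled tasks
     r"\\cmd\.exe$", r"\\schtasks\.exe$", r"/create"),
    ("script_contacts_report_c2",           # VBS/PowerShell talks to the reported host
     r".", r"\\(wscript|cscript|powershell)\.exe$",
     "|".join(re.escape(i) for i in REPORT_INDICATORS)),
    ("powershell_drives_edge_search",       # Start-Process Edge with a Google search
     r"\\powershell\.exe$", r"\\msedge\.exe$", r"google\.com/search\?"),
]


def scan_events(events):
    """Return [(rule name, ProcessId)] for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, parent_re, image_re, cmd_re in RULES:
            if (re.search(parent_re, ev.get("ParentImage", ""), re.I)
                    and re.search(image_re, ev.get("Image", ""), re.I)
                    and re.search(cmd_re, ev.get("CommandLine", ""), re.I)):
                hits.append((name, ev["ProcessId"]))
    return hits


# Constructed sample telemetry, not real captures: one full chain plus a
# benign user-launched Edge search (pid 4200) that must not fire.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 30 /tn Upd /tr "C:\ProgramData\s2.bat"'},
    {"ProcessId": 4150, "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -w hidden -c "Invoke-WebRequest http://us11.org/in.php"'},
    {"ProcessId": 4170, "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe https://www.google.com/search?q=keyword"},
    {"ProcessId": 4200, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": "msedge.exe https://www.google.com/search?q=keyword"},
]

if __name__ == "__main__":
    for rule, pid in scan_events(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule on its own is noisy in a real environment; the value is in seeing several of them fire on the same host within a short window, which is the correlation step an analyst would add on top.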
The development comes as similar fake IT support websites surfaced through search results are being used to distribute Hijack Loader (aka IDAT Loader), which ultimately leads to a Vidar Stealer infection.
What distinguishes the attack is that the threat actors are also using YouTube videos to promote the fake site and bots to post counterfeit comments, lending it an appearance of legitimacy to users seeking fixes for a Windows update error (error code 0x80070643).
“This underscores the efficiency of social engineering ploys and the necessity for users to exercise vigilance regarding the validity of the solutions they discover online,” eSentire explained.

The revelation also arrives following a malspam campaign targeting Italian users with invoice-themed ZIP archive lures to deliver a Java-based remote access trojan named Adwind (aka AlienSpy, Frutas, jRAT, JSocket, Sockrat, and Unrecom).
“Upon extraction the user is presented with .HTML files like INVOICE.html or DOCUMENT.html that direct to malevolent .jar files,” Broadcom-owned Symantec verified.
“The ultimate dropped payload is Adwind remote access trojan (RAT) that bestows the attackers authority over the compromised endpoint along with confidential data compilation and exfiltration.”