Ads can lure victims into tech-support scams

Jun 29, 2015 15:38 GMT  ·  By

Users seeking pirated products are bound to get more than the free stuff they expect, as adware operators often disguise their products as cracked software copies or illegal multimedia content.

Two packages designed to infest computers with advertisements and monitor web browser activity belong to the OutBrowse and MultiPlug families, and they serve unwanted content from machines mostly hosted in the US.

Payload used to track traffic and share it

Security researchers at Zscaler documented the activity of the two packages, determining that their authors lure victims into installing them by promising access to popular TV shows or to illegal software applications on websites with pirated content.

Most of the domains used by the cybercriminals to deliver the payloads are under the .info TLD (top-level domain). In the case of OutBrowse, the victim is generally directed to websites where they have to pay for different services.

“The phone home communication for OutBrowse also provides excessive information to the advertisers. This data often includes the system's MAC address, IP address, different browser versions installed, and the machine GUID,” Zscaler notes.

All of this is shared with multiple other domains for aggressive advertising purposes. OutBrowse is also used to install other software packages, which can degrade the performance of the computer or even funnel in malware.

An avalanche of ads and software

MultiPlug was determined to be part of the same campaign, and its purpose is to install other software pieces, probably as part of an affiliate marketing scheme in which the operator gets a fee for every program installation.

Researchers noticed apps like LightningDownloader, SeekerFoobar, WeatherBug, and EasyAutoRefresh being added to the compromised machine. Everything is downloaded and installed in the background, so the user is not aware of the activity.

At the same time, advertisements are also displayed, some of them pointing to tech-support numbers for malware cleaning assistance.

Telemetry data from Zscaler shows that most of the attacks are hosted in the US, with only 9% of them originating from a different country.

Content that appears to be legitimate should not be trusted implicitly if it comes from a suspicious source like sites offering pirated content, says Chris Mannon of Zscaler.

Image: MultiPlug shows lure to tech-support scam
Image: Countries hosting the attacks