Python-Based Adware Evolves to Install Malicious Browser Extensions
Security researchers are warning of several newly detected variants of Python-based adware being distributed in the wild that not only inject ads but have also been found installing malicious browser extensions and a hidden cryptocurrency miner on victims’ computers.
Dubbed PBot, or PythonBot, the adware was first uncovered more than a year ago, but since then the malware has evolved as its authors have tried different money-making schemes, according to researchers at Kaspersky Lab.
The previous versions of the PBot malware were designed to perform man-in-the-browser (MITB) attacks to inject unwanted advertising scripts on web pages visited by the victim, but the newer variants have been found installing malicious ad extensions in the web browser.
“Developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation,” Kaspersky researchers said in their blog post published today.
“Another distinctive feature of this PBot variation is the presence of a module that updates scripts and downloads fresh browser extensions.”
The malware is usually distributed through pop-up advertisements on partner sites, which redirect users to the PBot download page, disguised as legitimate software.
Clicking anywhere on the download page eventually drops an “update.hta” file on the victim’s system which, if opened, downloads the original PBot installer from a remote command-and-control server.
During installation, the malware drops a folder containing the Python 3 interpreter, some Python scripts, and a browser extension on the targeted system. It then uses Windows Task Scheduler to execute the Python scripts whenever the user signs into the system.
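To hunt for this persistence pattern on a Windows host, the following PowerShell (an added example, not from the article or from Kaspersky’s report) lists scheduled tasks that have a logon trigger and whose action launches a Python interpreter or a .py script, and flags those started from user-writable locations. The directory list and the interpreter regex are assumptions for illustration, not PBot indicators taken from the article.

```powershell
# Added example: enumerate logon-triggered scheduled tasks that run Python from
# user-writable or low-privilege install locations (the persistence shape the
# article describes). Roots and patterns below are assumptions, not PBot IoCs.
$SuspiciousRoots = @($env:USERPROFILE, $env:APPDATA, $env:LOCALAPPDATA,
                     $env:ProgramData, $env:TEMP) | Where-Object { $_ }

function Get-SuspiciousPythonLogonTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # Only tasks fired when a user signs in are of interest here
        $logonTriggers = $task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        if (-not $logonTriggers) { return }

        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute property; skip them
            if (-not $action.Execute) { continue }
            $exe  = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            $args = [string]$action.Arguments

            # Match python.exe / pythonw.exe / python3.exe, or any binary handed a .py script
            $runsPython = ($exe -match '(?i)pythonw?\d*\.exe$') -or ($args -match '(?i)\.py\b')
            if (-not $runsPython) { continue }

            $fromUserWritable = $false
            foreach ($root in $SuspiciousRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $fromUserWritable = $true
                }
            }

            [pscustomobject]@{
                TaskName     = $task.TaskName
                TaskPath     = $task.TaskPath
                Author       = $task.Author
                Command      = "$exe $args".Trim()
                UserWritable = $fromUserWritable
            }
        }
    }
}

# Tasks with UserWritable = True deserve a closer look; legitimate Python
# installs under Program Files will show False.
Get-SuspiciousPythonLogonTasks | Sort-Object UserWritable -Descending | Format-Table -AutoSize
```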
PBot consists of “several Python scripts executed in sequence. In the latest versions of the program, they are obfuscated using Pyminifier,” the researchers say.
If PBot finds any of its targeted web browsers (Chrome/Opera) installed on the victim’s system, it uses the “brplugin.py” script to generate a DLL file, injects it into the running browser, and installs the ad extension.
“The browser extension installed by PBot typically adds various banners to the page, and redirects the user to advertising sites,” the researchers explain.
Although the malware has not been distributed across the globe, it has an alarming number of victims, the majority of whom reside in Russia, Ukraine, and Kazakhstan.
“Throughout April, we registered more than 50,000 attempts to install PBot on computers of users of Kaspersky Lab products. The following month this number increased, indicating that this adware is on the rise,” the researchers say.
The best way to avoid falling victim to such attacks is to stay vigilant while browsing the Internet and to keep good antivirus software installed on your computer that can detect and block such threats.
Last but not least, always download apps from trusted sources, such as the Google Play Store, stick to verified developers, and do not forget to keep both your devices and software up to date.