A multi-purpose fake online scanner
Credit to Author: Pieter Arntz| Date: Tue, 07 Mar 2017 16:00:14 +0000
Just to show you that behind some PUPs there are threat actors that are too lazy to be bothered, we offer you a fake online scanner that was used to promote the infamous MacKeeper and a Windows system optimizer called Advance-System-Care.
Windows
The redirect scheme on a Windows machine looked like this.
From a compromised website we were re-directed to systemcheck[.]club where we got this popup:
Clicking “OK” offered to start an online scan –
-which claimed to find a HIGH risk virus:
Thankfully these helpful people knew just the tool to remove this virus from our PC and brought us to www[.]advancepctools[.]info:
Here we installed Advance-System-Care which did not find the virus, but nevertheless had some very important tips on how to improve the system’s performance.
Pro tip: that phone number will not work as there is a format error in it.
That Advance-System-Care did not find the alleged virus is not surprising as Tapsnake is an Android infection that doesn’t work on Windows machines.
One other thing that did puzzle me, was that I also got this prompt while visiting the systemcheck[.]club site:
A Windows Internet Explorer prompt letting me know that: “VIRUS FOUND. It is necessary repair your Mac. Please do not leave the page. Click OK to begin the repair process.”
But when I showed this to our Mac researchers they had a very plausible explanation for this. Exactly the same fake scan is used to push MacKeeper on Mac systems.
Mac
My colleague @thomasareed recorded the proceedings on a Mac system, leading to the install of MacKeeper:
As you can see the scan and the scan-results are exactly the same. Only MacKeeper is consistent by finding the same threat (Tapsnake) on the system.
Conclusion
Although this setup seems to be designed for Mac users, it must have been considered a waste to not do anything with the Windows users that got sucked in. So a redirect was designed to provide a PUP system optimizer for these users.
Detection and protection
The site hosting the fake scanner and all the next steps in the redirection chain are blocked by Malwarebytes Premium Web Protection module.
The installer for Advance-System-Care is detected as PUP.Optional.AdvanceSystemCare
SHA256: 164cb18150d242e88de70b9f0e35478ab9aab88e0b723472dfdc278f6ea025da
Malwarebytes removes Advance-System-Care completely. A removal guide for Advance-System-Care can be found on our forums.
Special thanks to @thomasareed for sharing his research on the Mac side and @MysteryFCM for pointing out the URL.
Pieter Arntz
The post A multi-purpose fake online scanner appeared first on Malwarebytes Labs.