Advanis tech support screenlocker

Credit to Author: Pieter Arntz | Date: Fri, 24 Mar 2017 15:00:05 +0000

Recently we noticed a change on one of the domains we monitor because it is known to host files related to tech support scams and to be involved in browlocks, fake alerts, and screenlockers.

The domain and the screenlocker

At the moment the installer is being pushed by InstallCapital, which is a pay-per-install network.

The domain hosting the installer is installreports[dot]com, and this time we found it hosting a tech support screenlocker we dubbed Advanis, after the folder it creates in the Windows directory and the entry it creates in the list of installed programs and features.

MT is the name of the main executable, the one that shows the screenlocker. It is probably short for “Market Tools”, which is the name of the Windows form.

Resolution

@TheWack0lian found this code snippet –

–telling us that the screenlocker could be minimized by using the “Backspace” key. Once you have done that, removal is no problem. A full removal guide for Advanis can be found on our forums.

File details

SHA256 of the installer: 30a32cb629d2a576288b4536d241b6e90f0540c3275288bfd4982233e12d182f

Malwarebytes web protection module blocks the domain and detects the installer as Trojan.TechSupportScam.

The advertised number on the lockscreen leads back to the domain getfixpc[dot]net.
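For responders who want to check a machine for the indicators described above, here is an added PowerShell triage script; it is not Malwarebytes' own tooling and assumes the folder is named "Advanis" directly under the Windows directory and that the Programs and Features entry has a DisplayName containing "Advanis" (both names taken from this post), while the quarantine path is a placeholder.

```powershell
# Added triage example (not from the original post). Assumptions: the folder is
# named "Advanis" directly under the Windows directory and the installed-programs
# entry has a DisplayName containing "Advanis"; both names come from the post.
$Name         = 'Advanis'
$InstallerSha = '30a32cb629d2a576288b4536d241b6e90f0540c3275288bfd4982233e12d182f'
$findings     = @()

# 1. Folder the installer creates in the Windows directory.
$folder = Join-Path $env:windir $Name
if (Test-Path $folder) {
    $findings += "Folder present: $folder"
    # MT is the main executable that shows the lockscreen; record every file and its hash.
    Get-ChildItem $folder -File | ForEach-Object {
        $hash = (Get-FileHash $_.FullName -Algorithm SHA256).Hash
        $findings += "  file: $($_.FullName) sha256=$hash"
    }
}

# 2. Entry in Programs and Features (64-bit and 32-bit uninstall keys).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$Name*" } |
    ForEach-Object {
        $findings += "Uninstall entry: $($_.DisplayName) (InstallLocation=$($_.InstallLocation); UninstallString=$($_.UninstallString))"
    }

# 3. Compare a quarantined installer against the SHA256 published in the post.
$sample = 'C:\Quarantine\installer.exe'   # placeholder path; adjust to your quarantine location
if (Test-Path $sample) {
    $h = (Get-FileHash $sample -Algorithm SHA256).Hash
    if ($h -ieq $InstallerSha) { $findings += "Installer hash matches published sample: $sample" }
}

if ($findings.Count -eq 0) { 'No Advanis indicators found.' } else { $findings }
```

Run it from an elevated prompt so the HKLM uninstall keys and the Windows directory are readable.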

Attribution

Finding out who is behind a threat is not always easy, but we think we have a solid case for this one.

Meet Baskar K.

He registered the domain installreports[dot]com with the email address brgs@outlook.in, using his own name and providing his phone number and physical address.

The same personal data was used to register brmediahub.com.

That domain is listed as the homepage on the Stack Overflow profile I posted a screenshot of.

For the same physical address we also found an email address baskark****@outlook.com that has been used to register a host of dubious domains:


All of those are now blocked by the Malwarebytes Web Protection Module.

Safe surfing!

Thanks to TheWack0lian and William Tsing for their additional research.


Pieter Arntz

The post Advanis tech support screenlocker appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/