DealPly adware abuses Microsoft, McAfee services to evade detection


Many forms of adware are little more than a nuisance, but occasionally an interesting sample turns up that uses novel techniques and catches the attention of researchers.

One new form of adware, known as DealPly, fits the bill. This week, enSilo researchers Adi Zeligson and Rotem Kerner said in a blog post that the malware does contain some of the typical features of adware, but goes further by being able to avoid antivirus product detection. 

DealPly generally lands on a machine through legitimate software installers bundled with adware. The sample obtained by enSilo, for example, was bundled with photo cropping software. 

When executed, the adware quietly installs itself into the Windows %AppData% directory and adds itself to the Windows Task Scheduler to run every hour.
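The two persistence traits just described, an executable under %AppData% and a task that repeats hourly, are both visible in an exported Task Scheduler definition. The following script is an added example written for this page, not enSilo's code or anything from the DealPly sample; it parses Task Scheduler XML and flags tasks showing both traits. The two task definitions, the file paths and the task names in it are constructed for the demonstration.

```python
"""Hunt for the scheduled-task persistence pattern described above: a task
whose executable sits under the user's AppData directory and which repeats
hourly. Added example, not enSilo's code; task and path names are invented."""
import re
import xml.etree.ElementTree as ET

# Every element in an exported Task Scheduler definition carries this namespace.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# %AppData% expands to <profile>\AppData\Roaming, so match either spelling.
APPDATA_RE = re.compile(r"%appdata%|\\AppData\\", re.IGNORECASE)

# ISO 8601 duration as used by <Repetition><Interval>, e.g. PT1H or P1DT12H.
DURATION_RE = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

# Constructed sample modelled on the behaviour in the article (hypothetical names).
# The XML declaration is omitted so the text parses directly as a Python str.
MALICIOUS_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2019-08-01T12:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\alice\AppData\Roaming\PhotoTools\updater.exe"</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: vendor updater under Program Files, runs once a day.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>P1D</Interval></Repetition>
      <StartBoundary>2019-08-01T03:00:00</StartBoundary>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Vendor\update.exe</Command></Exec>
  </Actions>
</Task>"""


def interval_minutes(duration):
    """Convert an ISO 8601 duration (PT1H, PT30M, P1D) to minutes; None if unparsable."""
    m = DURATION_RE.match(duration.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs // 60


def find_suspicious_tasks(task_xml, max_minutes=60):
    """Return one finding per Exec action that both lives under AppData and
    repeats at least every `max_minutes` minutes."""
    root = ET.fromstring(task_xml)
    intervals = [interval_minutes(el.text or "")
                 for el in root.iterfind(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    fastest = min(intervals) if intervals else None
    findings = []
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        in_appdata = bool(APPDATA_RE.search(path))
        frequent = fastest is not None and fastest <= max_minutes
        if in_appdata and frequent:
            findings.append({"command": path, "interval_minutes": fastest})
    return findings


if __name__ == "__main__":
    for label, xml_text in (("malicious", MALICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(label, find_suspicious_tasks(xml_text))
```

On a real host the XML comes from exporting tasks (for instance from the files under the Windows Tasks directory or the Task Scheduler export function); the benign sample shows that a daily vendor updater under Program Files is not flagged, so the rule keys on the combination of location and frequency rather than either alone.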


Every time the task launches, the adware will contact its command-and-control (C2) server and send an encrypted request over HTTP for instructions. 
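A scheduler-driven check-in like this leaves a regular rhythm in outbound HTTP logs even when the request body is encrypted. The script below is an added example written for this page, not enSilo's code or the adware's; it groups proxy log entries by client and destination and reports pairs whose inter-request gaps are all close to a common period. The log format, the client address and the hostnames are constructed for the demonstration.

```python
"""Flag clients that contact the same host at a fixed period, the hourly
check-in pattern described above. Added example, not enSilo's code; the log
format and all hosts/addresses are constructed for the demonstration."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <client> <method> <host>".
SAMPLE_LOG = """\
2019-08-08T09:00:02 10.0.0.5 POST c2.example.invalid
2019-08-08T09:03:10 10.0.0.5 GET  www.example.com
2019-08-08T10:00:04 10.0.0.5 POST c2.example.invalid
2019-08-08T10:20:41 10.0.0.5 GET  www.example.com
2019-08-08T11:00:01 10.0.0.5 POST c2.example.invalid
2019-08-08T12:00:05 10.0.0.5 POST c2.example.invalid
2019-08-08T13:00:03 10.0.0.5 POST c2.example.invalid
2019-08-08T13:15:00 10.0.0.5 GET  www.example.com
"""


def parse_log(text):
    """Group request timestamps by (client, host)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host = line.split()
        seen[(client, host)].append(datetime.fromisoformat(ts))
    return seen


def find_beacons(text, min_hits=4, max_jitter_seconds=30):
    """Return (client, host) pairs whose inter-request gaps are all within
    max_jitter_seconds of their median, i.e. a scheduler-driven check-in."""
    beacons = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        jitter = max(abs(g - period) for g in gaps)
        if jitter <= max_jitter_seconds:
            beacons.append({"client": client, "host": host, "hits": len(times),
                            "period_seconds": period, "max_jitter_seconds": jitter})
    return beacons


if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b['client']} -> {b['host']}: {b['hits']} hits every "
              f"{b['period_seconds'] / 60:.0f} min (jitter {b['max_jitter_seconds']:.0f}s)")
```

The median rather than the mean is used as the period so that a single missed check-in (for example while the machine was asleep) does not drag the estimate; a missed interval would still show up as a large outlier in the jitter, which is why the threshold is applied to the worst gap rather than the average. Browsing traffic to the second host has too few and too irregular requests to be reported.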

The malware is modular in nature and includes machine fingerprinting, as well as virtual machine (VM) detection techniques.

The newest DealPly variant on the scene also abuses both Microsoft and McAfee reputation services to further circumvent detection. 

The services, Microsoft SmartScreen and McAfee WebAdvisor, are free systems which are used to verify the risk of files and URLs. If a malicious domain, for example, is detected and blacklisted, these solutions will be able to warn users and potentially prevent the deployment of malware payloads. 


This, naturally, is a problem for malware developers, as their work will only have a small window before samples are blacklisted. 

“We suspect that the reason why DealPly is leveraging reputation services is to check which of its variants and download sites are compromised and won’t be effective for future infections,” the researchers say. 

DealPly will collect data and query these services through multiple servers and proxies such as the Tor network. 

In the case of Microsoft SmartScreen, DealPly asks its C2 for hashes and URLs to look up against the SmartScreen reputation server. The adware then sends a JSON request to the SmartScreen API, together with a Base64 authorization header, and checks which of the following verdicts the server returns:

  • UNKN: unknown URL/file
  • MLWR: malware-related URL/file
  • PHSH: phishing-related URL/file


The harvested verdicts are then forwarded to the malware's C2 so its operators can tell whether DealPly samples have been blacklisted.

“It is important to note that the SmartScreen API is undocumented,” enSilo notes. “This means the author has put a lot of effort in reverse-engineering the inner workings of the SmartScreen mechanism\feature.”

Newer versions of McAfee WebAdvisor are abused as well. DealPly first checks which version of the software is installed and, if the conditions for abuse are met, sends queries to the reputation service.

The query contains a parameter called "op" that is calculated from values read out of a WebAdvisor registry key and is believed to serve as authentication. The service then answers the query with one of the values "red," "yellow," or "default," depending on whether the reputation checker deems the queried content malicious, risky, or acceptable.


“By constantly querying reputation services they are able to automatically assess their AV detection rate and generate new samples when needed,” the researchers say. “This technique enables DealPly to always stay ahead of security solutions. This technique was initially observed when analyzing DealPly adware, yet we believe that it is only a matter of time before advanced malware operations will follow the trend.”

In related news this week, researchers from Proofpoint revealed that a new form of malware, dubbed SystemBC, creates a SOCKS5 proxy server to bypass local firewalls, circumvent Internet content filters, and connect to C2 servers while disguising its IP address.
