Browser hijacker Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Feed last built: Thu, 12 Sep 2024 18:45:03 +0000

Free-tl Pop-Up Virus
https://gridinsoft.com/blogs/free-tl-pop-up-virus/ (Thu, 12 Sep 2024 15:57:07 +0000)
Analysis shows a hike in the number of malicious pop-ups that come from Free-tl websites. It is a rather common strategy of aggressive marketing that aims to spam users after forcing them to allow sending notifications from the aforementioned websites. Let’s figure out what this scam is, and how to stop “Free tl” pop-ups.

What are Free-tl pop-up notifications?

Pop-up notifications from Free-tl sites are a spam campaign that aims to earn money from pay-per-view and pay-per-click advertisements. There is an entire chain of such sites, created by the same group of cybercriminals and existing for the same purpose. The fraudsters behind all this lure people into pressing the “Allow notifications” button that appears as soon as one enters the site. This demand may be framed as a form of captcha, DDoS protection, or the like.

List of domains involved in the scam

URL                  Registered
Free-tl-100-a.buzz   2024-09-12
Free-tl-100-b.buzz   2024-09-12
Free-tl-100-c.buzz   2024-09-12
Free-tl-100-d.buzz   2024-09-12
Free-tl-100-e.buzz   2024-09-12

You can conduct your own investigation using our Inspector API by performing a search with the key “Free-tl”.

One particular source of redirections to Free-tl sites is browsing sites with illegal or explicit content. On websites that host pirated movies or games, or on adult sites, clicking anything may trigger a redirection to the scam site that will ask you to allow notifications. That twisted form of cooperation is what makes me warn people against using such sources of software and movies.

Example of the “Allow notifications” page on a Free-tl site

An interesting thing about the pop-up spam sites is that they work only after the redirection. Simple checks show that opening the scam page requires a correct link. Visiting the root domain, without the additional parameters in the URL, returns either a 404 error or a boilerplate page that says the domain is for sale.

How dangerous are Free-tl pop-ups?

Once the user allows notifications from one of the Free-tl websites, it bombards them with pop-ups. These notifications appear in the system tray, offering gambling, adult sites, or trying to scare the user by saying the system is infected. Clicking on a pop-up will send the user to a website with questionable content. It is also common to see phishing pages promoted in such a way, which forms the main concern of this pop-up spam.

Example of a fake antivirus warning that the “Free tl” site can send

Another angle of the problem is the offer to install some questionable software to solve non-existent problems. You might encounter a so-called Microsoft tech support scam page or a site that pretends to scan your PC, falsely reporting that there are hundreds of malicious programs running at the moment. To make it harder for the user to quit, scammers make these sites open in a full-screen mode, so there is no visible way out. Of course, unless someone presses the Escape button.

But scams and phishing aside, the key issue with all this is the fact that constant pop-ups are extremely annoying. Because of the way Windows shows notifications, they will appear on top of any app that is currently running. It’s simply hard to concentrate on your task when you constantly hear and see banners popping up one after another. And, well, it will be quite an embarrassing moment when your boss walks by while there is a pop-up with hot girls around you on the screen.

How to remove Free-tl pop-ups?

It is possible to remove the pop-up source manually, through the browser interface. For this, go to your browser settings, find notification settings and remove all the sites that are listed as ones that can send notifications. Reload the browser to apply the changes.

There is also a second step – malware removal. It is possible that the appearance of Free-tl pop-ups is caused by the activity of adware or browser hijackers. These two malware types often cause redirections, and may alter web browser settings to their needs. For that reason, I recommend scanning the system with GridinSoft Anti-Malware: it will make clear whether there is something malicious on your device or not. Download it, install it and run a Standard scan: this will check the places where the said malware typically keeps its files.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

The post Free-tl Pop-Up Virus appeared first on Gridinsoft Blog.

Check-tl-ver Pop-Up Virus
https://gridinsoft.com/blogs/check-tl-ver-pop-up-virus/ (Mon, 02 Sep 2024 15:51:02 +0000)
Analysis shows a hike in the number of malicious pop-ups that come from Check-tl-ver websites. It is a rather common strategy of aggressive marketing that aims to spam users after forcing them to allow sending notifications from the aforementioned websites. Let’s figure out what this scam is, and how to stop Check-tl-ver pop-ups.

What are check-tl-version pop-up notifications?

Pop-up notifications from Check-tl-version sites are a spam campaign that aims to earn money from pay-per-view and pay-per-click advertisements. There is an entire chain of such sites, created by the same group of cybercriminals and existing for the same purpose. The fraudsters behind all this lure people into pressing the “Allow notifications” button that appears as soon as one enters the site. This demand may be framed as a form of captcha, DDoS protection, or the like.

List of domains involved in the scam

URL                       Registered
Check-tl-ver-u99-a.buzz   2024-10-09
Check-tl-ver-u99-b.buzz   2024-10-09
Check-tl-ver-u99-c.buzz   2024-10-09
Check-tl-ver-u99-d.buzz   2024-10-09
Check-tl-ver-u99-e.buzz   2024-10-09
Check-tl-ver-u99-f.buzz   2024-10-09
Check-tl-ver-u99-g.buzz   2024-10-09

One particular source of redirections to check-tl-version sites is browsing sites with illegal or explicit content. On websites that host pirated movies or games, or on adult sites, clicking anything may trigger a redirection to the scam site that will ask you to allow notifications. That twisted form of cooperation is what makes me warn people against using such sources of software and movies.

Example of the “Allow notifications” page on a check-tl-ver site

An interesting thing about the pop-up spam sites is that they work only after the redirection. Simple checks show that opening the scam page requires a correct link. Visiting the root domain, without the additional parameters in the URL, returns either a 404 error or a boilerplate page that says the domain is for sale.

How dangerous are Check-tl-version pop-ups?

Once the user allows notifications from one of the check-tl-version websites, it starts bombarding them with pop-ups. These notifications appear in the system tray, offering gambling, adult sites, or trying to scare the user by saying the system is infected. Clicking on a pop-up will send the user to a website with rather questionable content. It is also pretty common to see phishing pages promoted in such a way, which forms the main concern of this pop-up spam.

Example of a fake antivirus warning that the check-tl-ver site can send

Another angle of the problem is the offer to install some questionable software to solve non-existent problems. You might encounter a so-called Microsoft tech support scam page or a site that pretends to scan your PC, falsely reporting that there are hundreds of malicious programs running at the moment. To make it harder for the user to quit, scammers make these sites open in a full-screen mode, so there is no visible way out. Of course, unless someone presses the Escape button.

But scams and phishing aside, the key issue with all this is the fact that constant pop-ups are extremely annoying. Because of the way Windows shows notifications, they will appear on top of any app that is currently running. It’s simply hard to concentrate on your task when you constantly hear and see banners popping up one after another. And, well, it will be quite an embarrassing moment when your boss walks by while there is a pop-up with hot girls around you on the screen.

How to remove Check-tl-version pop-ups?

It is possible to remove the pop-up source manually, through the browser interface. For this, go to your browser settings, find notification settings and remove all the sites that are listed as ones that can send notifications. Reload the browser to apply the changes.
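Revoking the permission by hand works, but on a machine that has been through several of these campaigns it helps to see every site that can currently push notifications. The script below is an added example, not code from the Gridinsoft posts (it serves both the Free-tl and the Check-tl-ver removal steps): it reads Chrome's per-profile Preferences JSON, where the notification exceptions live under profile.content_settings.exceptions.notifications keyed by origin pattern, lists the origins set to allow, and flips the Free-tl and Check-tl-ver ones to block. The sample profile fragment and the domain regex are constructed for the demo; Chrome must be closed before the real file is rewritten, or it overwrites the change on exit.

```python
"""Audit and revoke Chrome notification permissions for pop-up spam domains.

Added example, not part of the Gridinsoft posts. Chrome stores per-site
permission exceptions in the profile's "Preferences" JSON under
profile.content_settings.exceptions.notifications. Each key is an origin
pattern such as "https://free-tl-100-a.buzz:443,*"; "setting" 1 means
ALLOW and 2 means BLOCK (Chromium ContentSetting values).
"""
import json
import re
from pathlib import Path
from typing import Dict, List

ALLOW, BLOCK = 1, 2

# Constructed sample of the relevant part of a Chrome Preferences file.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {"content_settings": {"exceptions": {"notifications": {
        "https://free-tl-100-a.buzz:443,*": {"last_modified": "13366000000000000", "setting": ALLOW},
        "https://check-tl-ver-u99-c.buzz:443,*": {"setting": ALLOW},
        "https://mail.example.com:443,*": {"setting": ALLOW},
        "https://news.example.org:443,*": {"setting": BLOCK},
    }}}}
})

# Naming pattern of the campaigns described in the posts: <prefix>-<token>-<letter>.buzz
SPAM_PATTERNS = [re.compile(r"^(free-tl|check-tl-ver)-[a-z0-9]+-[a-z]\.buzz$", re.I)]


def origin_host(pattern: str) -> str:
    """Extract the host from a Chrome origin pattern like 'https://h:443,*'."""
    primary = pattern.split(",", 1)[0]       # drop the secondary (embedder) pattern
    host = primary.split("://", 1)[-1]       # strip the scheme
    return host.split(":", 1)[0].lower()     # strip the port


def notification_exceptions(prefs: dict) -> Dict[str, dict]:
    return (prefs.get("profile", {}).get("content_settings", {})
            .get("exceptions", {}).get("notifications", {}))


def allowed_notification_hosts(prefs: dict) -> List[str]:
    """Every origin currently permitted to show notifications."""
    return sorted(origin_host(p) for p, v in notification_exceptions(prefs).items()
                  if v.get("setting") == ALLOW)


def is_spam_host(host: str) -> bool:
    return any(p.match(host) for p in SPAM_PATTERNS)


def revoke_spam_notifications(prefs: dict) -> List[str]:
    """Flip matching ALLOW entries to BLOCK in place; return the hosts changed."""
    changed = []
    for pattern, value in notification_exceptions(prefs).items():
        host = origin_host(pattern)
        if value.get("setting") == ALLOW and is_spam_host(host):
            value["setting"] = BLOCK
            changed.append(host)
    return sorted(changed)


def clean_preferences_file(path: Path) -> List[str]:
    """Rewrite a real Preferences file (Chrome closed!), keeping a backup."""
    prefs = json.loads(path.read_text(encoding="utf-8"))
    changed = revoke_spam_notifications(prefs)
    if changed:
        path.with_name(path.name + ".bak").write_bytes(path.read_bytes())
        path.write_text(json.dumps(prefs), encoding="utf-8")
    return changed


if __name__ == "__main__":
    prefs = json.loads(SAMPLE_PREFERENCES)
    print("allowed before:", allowed_notification_hosts(prefs))
    print("revoked:       ", revoke_spam_notifications(prefs))
    print("allowed after: ", allowed_notification_hosts(prefs))
```

On Windows the file is usually %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences; pass that path to clean_preferences_file after quitting Chrome.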

There is also a second step – malware removal. It is possible that the appearance of check-tl-version pop-ups is caused by the activity of adware or browser hijackers. These two malware types often cause redirections, and may alter web browser settings to their needs. For that reason, I recommend scanning the system with GridinSoft Anti-Malware: it will make clear whether there is something malicious on your device or not. Download it, install it and run a Standard scan: this will check the places where the said malware typically keeps its files.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are many detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

The post Check-tl-ver Pop-Up Virus appeared first on Gridinsoft Blog.

How to Remove Chrome “Managed by Your Organization”
https://gridinsoft.com/blogs/managed-by-your-organization-remove/ (Tue, 13 Aug 2024 14:12:33 +0000)
“Managed by your organization” is a line that appears when the web browser is attacked by browser hijackers. This malware abuses a legitimate Chrome policy to make itself impossible to delete. And it turns out to be pretty effective – without a special approach, all browser plugins remain untouchable after this line appears. In this post, I will show you how to remove the “Managed by your organization” notice with a simple set of instructions.

Managed by your organization – what is the problem?

Managed by your organization is the line in the web browser that is displayed when the remote management policy is enabled in the browser configuration. By design, this feature aims at protecting browsers running on corporate workstations or industrial IoT devices from unintended changes. But, like many restrictive techniques, it is a double-edged sword.

As it prevents users from making changes to browser settings, this configuration is often a target of abuse, by browser hijackers in particular. Such malware redirects users’ searches to a different search engine, collecting user information and potentially exposing them to phishing sites.

Screenshot of the “Managed by your organization” notice

Once installed, browser hijackers go through either Group Policies or registry keys that belong to the browser. By setting a selection of values responsible for enabling remote management to true, they block the user’s ability to change any settings of the browser and delete/change browser extensions. This becomes especially critical when the hijacker sits inside of a malicious browser extension.

Remove Managed by your organization Guide

You may encounter several ways to solve the problem: editing the registry, disabling Group Policies through the GP Editor, or other means. But as actual removal attempts show, the best effect comes from applying all the steps together. Still, some of the steps may not be viable for certain users, so I picked only those which will work most of the time.

Group Policies Removal

The first step in dealing with Managed by your organization is to remove the policies that the malware changes to enable this state. This method does not require access to the Group Policy Editor, which is unavailable in non-Pro editions of Windows. All you have to do is find and remove all the folders listed below. Note: their deletion will require administrator privileges.

Windows\System32\GroupPolicy
Windows\System32\GroupPolicyUsers
ProgramFiles(x86)\Google\Policies
ProgramFiles\Google\Policies

Removing Registry Keys

The next step is going through the registry keys that may contain malicious configurations. Press the Win+R combination and type “regedit” in the Run window. This will get you to the Registry Editor; there, find and delete the keys you see below.

Run Regedit

HKEY_LOCAL_MACHINE\Software\Policies\Google\Chrome
HKEY_LOCAL_MACHINE\Software\Policies\Google\Update
HKEY_LOCAL_MACHINE\Software\Policies\Chromium
HKEY_LOCAL_MACHINE\Software\Google\Chrome
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Enrollment
HKEY_CURRENT_USER\Software\Policies\Google\Chrome
HKEY_CURRENT_USER\Software\Policies\Chromium
HKEY_CURRENT_USER\Software\Google\Chrome
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D} (here delete only the value "CloudManagementEnrollmentToken", not the whole key)

Not all keys may be present, as it depends on installed software, browser configurations, malware that did the changes and other things. Nonetheless, you should delete all the keys you can find.

Once done, reboot your computer to apply the changes. Then, you should be able to edit any of the Chrome settings and remove any browser extensions that may have previously been blocked from editing.
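Before deleting anything, it is useful to know which of the listed artifacts are actually present on the machine. The script below is an added example, not from the Gridinsoft post: it checks the policy folders and registry keys named above and reports the ones that exist, resolving the folder paths from the SystemRoot, ProgramFiles and ProgramFiles(x86) environment variables. The registry checks need winreg and therefore run only on Windows; the probe functions are injectable so the logic can be exercised elsewhere.

```python
"""Triage the Chrome policy artifacts listed above on a Windows host.

Added example, not from the Gridinsoft post. It only reports what exists;
removal stays the deliberate, manual step described in the post.
"""
import os
from typing import Callable, Dict, List, Optional

try:
    import winreg  # Windows only
except ImportError:
    winreg = None  # registry checks are skipped on other platforms

# Policy folders from the post, as (environment variable, relative path),
# so they resolve correctly whatever the system drive is.
POLICY_FOLDERS = [
    ("SystemRoot", r"System32\GroupPolicy"),
    ("SystemRoot", r"System32\GroupPolicyUsers"),
    ("ProgramFiles(x86)", r"Google\Policies"),
    ("ProgramFiles", r"Google\Policies"),
]

# Registry keys from the post (hive name as known to winreg, subkey path).
POLICY_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Policies\Google\Chrome"),
    ("HKEY_LOCAL_MACHINE", r"Software\Policies\Google\Update"),
    ("HKEY_LOCAL_MACHINE", r"Software\Policies\Chromium"),
    ("HKEY_LOCAL_MACHINE", r"Software\Google\Chrome"),
    ("HKEY_LOCAL_MACHINE", r"Software\WOW6432Node\Google\Enrollment"),
    ("HKEY_CURRENT_USER", r"Software\Policies\Google\Chrome"),
    ("HKEY_CURRENT_USER", r"Software\Policies\Chromium"),
    ("HKEY_CURRENT_USER", r"Software\Google\Chrome"),
]

# The last item in the post is a single value, not a whole key.
POLICY_VALUES = [
    ("HKEY_LOCAL_MACHINE",
     r"Software\WOW6432Node\Google\Update\ClientState\{430FD4D0-B729-4F61-AA34-91526481799D}",
     "CloudManagementEnrollmentToken"),
]


def registry_key_exists(hive: str, subkey: str) -> bool:
    """True if the key can be opened for reading."""
    if winreg is None:
        return False
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey):
            return True
    except OSError:
        return False


def registry_value_exists(hive: str, subkey: str, name: str) -> bool:
    """True if the named value exists under the key."""
    if winreg is None:
        return False
    try:
        with winreg.OpenKey(getattr(winreg, hive), subkey) as key:
            winreg.QueryValueEx(key, name)
            return True
    except OSError:
        return False


def folder_path(env_var: str, relative: str) -> Optional[str]:
    """Resolve a policy folder from its base environment variable, or None if unset."""
    base = os.environ.get(env_var)
    return os.path.join(base, relative) if base else None


def audit(folder_exists: Callable[[str], bool] = os.path.isdir,
          key_exists: Callable[[str, str], bool] = registry_key_exists,
          value_exists: Callable[[str, str, str], bool] = registry_value_exists,
          ) -> Dict[str, List[str]]:
    """Return the artifacts that are present on this host, grouped by type."""
    found: Dict[str, List[str]] = {"folders": [], "keys": [], "values": []}
    for env_var, relative in POLICY_FOLDERS:
        path = folder_path(env_var, relative)
        if path and folder_exists(path):
            found["folders"].append(path)
    for hive, subkey in POLICY_KEYS:
        if key_exists(hive, subkey):
            found["keys"].append(hive + "\\" + subkey)
    for hive, subkey, name in POLICY_VALUES:
        if value_exists(hive, subkey, name):
            found["values"].append(hive + "\\" + subkey + " -> " + name)
    return found


if __name__ == "__main__":
    for kind, items in audit().items():
        print(kind + ":")
        for item in items or ["(none)"]:
            print("  " + item)
```

Run it from an elevated prompt, since some of the keys and folders are readable only by administrators; anything it lists is a candidate for the deletion steps above.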


The post How to Remove Chrome “Managed by Your Organization” appeared first on Gridinsoft Blog.

DNS Spoofing vs DNS Hijacking
https://gridinsoft.com/blogs/dns-spoofing-vs-dns-hijacking/ (Wed, 03 Jul 2024 14:09:09 +0000)
The Domain Name System (DNS) plays a crucial role in our IP networks. DNS servers map website names to their corresponding IP addresses. By altering information on a DNS server, an attacker can redirect users to different IP addresses, leading them astray from their intended destinations. One method to achieve this redirection is modifying files on computers, such as the HOSTS file. This change forces the computer to connect to the IP address specified in the file, bypassing the DNS server query.

Directing someone to a specific IP address becomes simpler when altering the HOSTS file on their machine. However, modifying this file across numerous devices is a challenging task. Consequently, attackers often target the DNS server itself, making a single change that updates the responses for all querying clients. While various methods exist to manipulate DNS servers, most involve gaining control over the server.

What Is DNS and How Do DNS Servers Function?

Let’s revisit what DNS means. The Domain Name System is a foundational internet service that facilitates the conversion of human-readable domain names into machine-understandable IP addresses. Here are some essential components related to DNS:

  • IP Address (Internet Protocol): A unique string of numbers assigned to each computer and server on a network, allowing them to locate and communicate with each other.
  • Domain: A memorable text name, like “www.google.com,” that corresponds to the IP address of a server, simplifying the process of connecting to websites.
  • Domain Name System (DNS): This system translates domain names into IP addresses.
  • DNS Servers: These include four types of servers crucial to the DNS lookup process: resolving name servers, root name servers, top-level domain (TLD) name servers, and authoritative name servers. For simplicity, let’s discuss the resolver name server.
  • Resolver Name Server: Operating within your system, this server begins the translation process by querying other servers to find the IP address associated with a domain name.
What is DNS and how does it work?

The DNS Lookup Process

When you enter a website’s domain name, the following process unfolds:

  1. Your web browser and operating system (OS) first attempt to retrieve the domain’s IP address from the computer’s internal memory or cache, if previously visited.
  2. If the cache doesn’t contain the IP address, the OS reaches out to a resolver name server.
  3. This resolver then searches through a chain of servers to locate and return the correct IP address to your OS, which relays it to your web browser.

The DNS lookup process is a critical infrastructure component across the internet. However, vulnerabilities in DNS can expose users to security risks, such as malicious redirects, underscoring the importance of awareness and preventive measures.

What is DNS Hijacking?

DNS hijacking, also known as DNS redirection, is a broad term that describes any attack where a perpetrator manipulates an end user’s device into connecting with a fraudulent domain or IP address, under the guise of a legitimate domain. This type of attack can deceive users into thinking they are interacting with a legitimate site when they are not.

There are numerous methods of DNS hijacking, and not all are unlawful. A common legal example is pay-per-use WiFi portals. These services intercept DNS requests before the user has paid for access. Regardless of the user’s settings, all requests are directed to a payment page where the user can purchase WiFi access.

Another prevalent method involves altering the DNS settings on a client’s device. An attacker may change the settings so that the device uses a DNS server under their control instead of a legitimate service like 8.8.8.8. When a user attempts to access a secure site such as their online banking website, the rogue DNS server may redirect them to a fake website. This site acts as a proxy to capture all transmitted data. This technique was famously used by the DNSChanger trojan/malware, which, while now rare, was once a significant threat.

Other hijacking tactics include exploiting vulnerabilities within DNS server software, manipulating DNS registration systems, or utilizing visually deceptive domain names (homograph attacks). One early example of phishing employed a domain named paypaI.com where the letter ‘I’ was capitalized to mimic a lowercase ‘L’, misleading users into thinking it was the legitimate PayPal.com. With DNS now supporting international characters, these attacks have become even more sophisticated and harder to detect.

What is DNS Spoofing


DNS spoofing refers to any attack that tries to change the DNS records returned to the requester to a response chosen by the attacker. This can include techniques such as cache poisoning or some type of man-in-the-middle attack. The terms “DNS hijacking” and “DNS spoofing” are sometimes used as synonyms. This method is also widely used by paid Wi-Fi access points in airports and hotels. In some cases, network security groups can use it as a quarantine tool to isolate an infected device.

Difference Between DNS Spoofing and DNS Hijacking

Although DNS spoofing is often confused with DNS hijacking because both occur at the local system level, they are two different types of attacks. In most cases, DNS spoofing or cache poisoning simply involves overwriting the local DNS cache values with fake ones to redirect the victim to a malicious website. On the other hand, DNS hijacking (also known as DNS redirection) often involves malware infection to hijack this critical system service. In this case, malware hosted on the local computer can change the TCP/IP configuration to point to a malicious DNS server, eventually redirecting traffic to the phishing website.
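The local indicators named in this post (a HOSTS-file override, a TCP/IP configuration pointing at an unknown resolver instead of one like 8.8.8.8, and a look-alike name such as paypaI.com) can be checked with a few lines of code. The block below is an added example, not from the Gridinsoft post: the HOSTS content, the watched domains and the trusted-resolver allowlist are constructed assumptions you would replace with your own, and the confusable-character table covers only a handful of common substitutions.

```python
"""Local DNS hijacking indicators: HOSTS overrides, untrusted resolvers and
homograph look-alike domains. Added example, not from the Gridinsoft post."""
import ipaddress
import unicodedata
from typing import Iterable, List, Optional, Tuple

# Constructed HOSTS content. The loopback lines are normal; the two banking
# entries are the kind of override a DNSChanger-style infection leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.bank.example
198.51.100.7    login.bank.example   # hidden override
127.0.0.1       ad.tracker.example
"""

# Assumptions for the demo: names you care about and resolvers you trust.
WATCHED_DOMAINS = {"www.bank.example", "login.bank.example", "paypal.com"}
TRUSTED_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs, ignoring comments and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # not a valid address, skip the line
        entries.extend((ip, name.lower()) for name in names)
    return entries


def hosts_overrides(entries: Iterable[Tuple[str, str]], watched=WATCHED_DOMAINS):
    """Watched names pointed at a non-loopback address bypass DNS entirely."""
    return [(ip, name) for ip, name in entries
            if name in watched and not ipaddress.ip_address(ip).is_loopback]


def untrusted_resolvers(configured: Iterable[str], trusted=TRUSTED_RESOLVERS) -> List[str]:
    """Resolvers in the TCP/IP configuration that are not on the allowlist."""
    return [r for r in configured if r not in trusted]


# A few confusables used in look-alike names: ASCII swaps such as the capital I
# in paypaI.com, plus Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "I": "l", "1": "l", "|": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})


def skeleton(name: str) -> str:
    """Collapse a domain onto the ASCII form it visually imitates."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES).lower()


def lookalike_of(domain: str, brands=("paypal.com", "google.com")) -> Optional[str]:
    """Return the brand a domain imitates, or None for the genuine or an unrelated name."""
    name = domain.rstrip(".")
    for brand in brands:
        if name.lower() == brand:
            return None  # the real domain, not a look-alike
        if skeleton(name) == skeleton(brand):
            return brand
    return None


if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print("HOSTS overrides:", hosts_overrides(entries))
    print("untrusted resolvers:", untrusted_resolvers(["8.8.8.8", "203.0.113.53"]))
    for candidate in ("paypaI.com", "p\u0430ypal.com", "paypal.com"):
        print(candidate, "->", lookalike_of(candidate))
```

On Windows the live inputs are %SystemRoot%\System32\drivers\etc\hosts and the DNS servers shown by ipconfig /all; feed those to parse_hosts and untrusted_resolvers.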


Conclusion

As you can see, DNS is critical to the day-to-day operation of websites and online services. Unfortunately, attackers may see it as an attractive opportunity to attack your networks. This is why monitoring your DNS servers and traffic is crucial. We must be careful where we go on the Internet and what emails we open. Even the slightest difference, for example, the absence of an SSL certificate, is a signal to check the website you want to visit.

The post DNS Spoofing vs DNS Hijacking appeared first on Gridinsoft Blog.

Chromstera Browser
https://gridinsoft.com/blogs/chromstera-browser/ (Sat, 11 May 2024 07:05:33 +0000)
Chromstera Browser is a rogue browser that mimics Google Chrome, spams ads, redirects search queries and collects data about the user’s online activity. Like the majority of such software, it is distributed as a “recommended program” in bundles and through malicious adverts.

Chromstera Browser Overview

Chromstera Browser is potentially unwanted software positioned as an alternative web browser. It is built on the Chromium engine but lacks the links required for the Chromium core. Once installed, it floods the user with excessive amounts of promotions. It also changes the homepage and preferred search engines without the user’s consent and also tries to make itself the default browser.

Screenshot of Chromstera Browser itself

Such daring behavior is not the only unwanted activity. Chromstera casually redirects search queries to other search engines, at times completely unknown ones. The resulting pages contain excessive amounts of search ads. Also, the user’s internet activity in Chromstera, including browsing history, search queries and some sensitive data, is transferred to a third-party server.

Chromstera has an official website, but bundles are the most popular distribution method for this unwanted software. When you try to download it from the official website, it returns a 404 error. However, freeware and cracked programs may include Chromstera Browser in the bundle. Some users reported that this software appeared on their system after clicking on a banner, meaning that this unwanted program is no stranger to malvertising.

Is Chromstera Safe?

Although Chromstera Browser is not malware, it has deservedly earned the title of unwanted software. This is primarily due to its monetization method, which involves forcibly redirecting all search queries to Yahoo or Bing. In addition, search adverts can lead to dubious or malicious sites.

The answer becomes obvious if you look at the information that the browser collects. Data collection includes search queries, URLs visited, web pages viewed, IP addresses, internet cookies, usernames/passwords, personal information, and credit card numbers. Further, all of this information is usually sold to third parties.

Runtime Tests

Let’s examine Chromstera Browser’s behavior. When I tried to download it from the official website – chromstera[.]com, I got a 404 error and had to download it from somewhere else.

Unlike Google Chrome, Chromstera has a classic installer. After installation, we see the familiar Chrome interface. However, apart from that, Chromstera tries to stay in the system by any means possible. It obsessively offers to pin a shortcut to the taskbar, make itself the default browser, etc. This browser also adds itself to startup by default, without the user’s consent.

Chromstera requests to pin itself to the taskbar

In the settings, the browser offers to use the standard Chromstera search without the possibility of choosing another search provider. However, if you manually add a search service, queries will still go through Bing. This is because the browser developers receive a commission for using the Bing search engine, and are willing to ignore users’ choices for this pay.

Chromstera settings screenshot

Advertising & Unwanted Programs Downloading

The main feature of Chromstera is that it is a source of adverts in the system. Sometime after installation, it starts opening tabs with advertising sites in other browsers, acting as adware. These sites may offer an extension, plugin, or program to install.

Although these programs are positioned as “recommended”, they are useless and sometimes even malicious. Overall, they flood the browsers and protect themselves from user removal with the “managed by your organization” trick. Like Chromstera itself, they can redirect search queries, causing even more chaos.

Aside from adware functions, Chromstera acts as a loader for other unwanted apps. It particularly installs Universal Browser and Artificius Web that I’ve written about earlier.

How To Remove Chromstera Browser?

You can remove Chromstera Browser using standard Windows tools by going to Settings > Apps and selecting the Chromstera application. However, it is likely not your system’s only potentially unwanted software. To comprehensively remove such unwanted software and its traces, I recommend using GridinSoft Anti-Malware. In addition to removal, it offers real-time protection and an Internet Security module to prevent installation of such software at the download stage.


The post Chromstera Browser appeared first on Gridinsoft Blog.

Universal Browser
https://gridinsoft.com/blogs/universal-browser/ (Wed, 08 May 2024 14:00:29 +0000)
Universal Browser is the name of a browser that users see in a strange update window that pops up in the system, occasionally reporting an update error. This window is in fact related to the Chromstera browser – a rogue web browser app. The appearance of this window happens along with systems going crazy – browsers crash, dubious browser extensions appear, and unknown programs get installed.

What is Universal Browser?

Universal Browser is a mysterious web browser that users started to notice through the “Universal Browser Update” windows. In fact, no browser with such a name exists – this name appears exclusively in the update window. What does exist is the Chromstera rogue browser, which is present in almost every system that displayed this strange window.

Screenshot of the Universal Browser update window

One more item in the chain that users report about is an application called Artificius Web Browser. Contrary to Universal Browser, it is an actual program – similar to Chromstera in the extent of malicious functionality and poor overall execution. One rogue browser installs a lot of unwanted apps and plugins, and two can definitely make the system unusable.

Other symptoms of this mess include:

  • Chrome regularly crashes.
  • Upon PC startup, the “Universal browser” initiates an update process (a potential reason for Chrome to crash).
  • All of the user’s browser extensions are removed, with several others being added under the “extension is managed by your organization” feature.
  • The added extensions have strange names. Users report “AstroEllipica”, “Stell Ellipen”, and more.
  • Deleting an extension in the regular way does not help; it reappears.

How To Remove Universal Browser?

There are two ways to remove Universal Browser: automatic and manual. To remove it with minimum effort, download and run GridinSoft Anti-Malware: it will quickly find and remove all the unwanted programs present in the system. Run a Full scan to check all the disks present in the system. After the scan, consider resetting the browser settings to wipe the residual settings left after the malware activity. You can do this with GridinSoft Anti-Malware, too: go to Tools > Reset Browser Settings.


The second method involves manual removal. Restart your computer; the “Universal browser” should start updating. Press Ctrl+Shift+Esc to open the Task Manager quickly. Search for the process using the search bar, right-click it, and click Open file location.

Process menu in the Task Manager

Go to the file location of the application that is running. Next, delete all found files.

Alternatively, you may open This PC, search for “universal browser,” and delete all items you find. Next, search for “chromstera” and also delete all found items. Usually, it is found in the C:\Users\(your_user)\AppData\Local\Temp folder. Go to C:\program files\google\chrome\application and delete any .crx files.

To proceed, press Windows + R on your keyboard, type regedit, and select the OK button. Next, copy and paste the following path into the address bar and press Enter:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

Select the Chrome folder in the left pane of your Registry Editor.

Registry Editor screenshot

Right-click the Chrome policy you want to remove, then select Delete.

Open Chrome and ensure the extension is removed. If it is still there, go to your extensions by clicking the three dots at the top right of your screen, selecting “extensions,” and then “manage extensions” to remove it.

PUA:Win32/MyWebSearch
https://gridinsoft.com/blogs/pua-win32-mywebsearch/ (published Wed, 01 May 2024 15:19:16 +0000)

PUA:Win32/MyWebSearch is a Microsoft Defender detection that refers to an unwanted browser modifier. This application adds add-ons and toolbars that in fact take control of the web browser, redirecting search queries and causing advertisements to appear. It usually spreads as add-on software in bundles and is often installed without the user’s explicit consent.

PUA:Win32/MyWebSearch Overview

PUA:Win32/MyWebSearch is a potentially unwanted application with browser hijacker elements that add extensions and toolbars to browsers. It replaces the current search engine and homepage with Mywebsearch[.]com, redirecting all the search queries through it. This obviously makes browsing uncomfortable, and may also lead to malware infections.

PUA:Win32/MyWebSearch detection window (screenshot)

Usually, this unwanted software masquerades as various useful applications or browser extensions. However, its primary purpose is to collect information about the user’s online activity. This is done to further monetize this information through advertising networks and sales to third-party companies.

MyWebSearch is distributed in bundles with other programs. This method allows potentially unwanted software to be installed as “recommended software” with the main application. Another route is through ads and pop-ups on websites. PUA:Win32/MyWebSearch is often offered as a free or helpful browser extension via advertisements on websites with low credibility.

Technical Analysis

Let’s see how PUA:Win32/MyWebSearch behaves using one of the samples as an example. All samples of this family act similarly, so the information is relevant for any of them. As mentioned, users do not install this unwanted program on purpose.

Once launched, the PUA performs some debugging, virtual environment and sandbox checks, a standard practice for any malware. It uses tricks like sleep calls (evasive loops) and also checks some registry keys:

HKEY_CURRENT_USER\Software\Microsoft\DirectX\UserGpuPreferences

This key contains information about graphics processing unit (GPU) usage in DirectX. Free versions of most virtualization software cannot emulate a real graphics card, so the program can tell it is running on a VM. However, it is not clear why it needs this information: regardless of the result, it keeps running.

Privilege Escalation

To increase privileges, MyWebSearch changes some values in the registry, among them:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium

These keys may contain parameters or configurations that, if manipulated, could lead to privilege escalation. In addition, MyWebSearch can load additional DLLs and manipulate processes and files. Most file activity occurs in the temporary system folder at ProgramData\Microsoft\Windows\WER\Temp. And this is concerning, since playing with DLL sideloading and WER is a typical way for dropper malware to deliver other malicious programs.

Data Collection

Next, PUA:Win32/MyWebSearch collects some data about the user’s activity. This includes user activity hours, search queries, browser history, etc. It also checks device information, including software policies, keyboard layouts, volume data, and Windows system information.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\MUI\UILanguages\en-US
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\CustomLocale
HKEY_CURRENT_USER\Keyboard Layout\Preload

It is worth noting that the PUA does not steal passwords or other confidential information. The application also creates a DirectInput object. However, this does not mean that it steals input data; rather, it is a standard requirement for hotkeys to function.

Browser Modifications

The PUA changes the web browser settings, replacing the homepage and the search engine with Mywebsearch[.]com[.]au. It is one of the websites that these malicious programs use as command servers, with Mywebsearch[.]com being the main one.

Mywebsearch page (screenshot)

It also adds a toolbar or extension to the browser that directs your search queries to a different search engine. At the same time, this toolbar displays promoted services, another ad integration in this unwanted program.

MyWebSearch toolbar (screenshot)

How To Remove MyWebSearch?

It is recommended that an advanced antivirus solution be used to remove MyWebSearch. A regular system antivirus solution may not be enough since it is not malware but an unwanted application. So, GridinSoft Anti-Malware would be the best option because, besides removing PUA itself, it allows you to reset web browsers in two clicks, thus saving the user from having to clean browsers manually.

To remove it, run GridinSoft Anti-Malware, run a full scan, and follow the prompts. Next, go to the “Tools” tab and select “Reset Browser Settings”. Then choose which browsers to reset and click “Reset”. You can also select which further settings you want to reset, for example some system settings or the HOSTS file.


SMApps Virus
https://gridinsoft.com/blogs/smapps-virus/ (published Tue, 09 Apr 2024 10:40:16 +0000)

SMApps is a malicious program that aims at spreading illegal promotions. It mainly attacks browsers by changing settings and redirecting search queries from Google to suspicious sites. Possible distribution methods are standard: malicious adverts and dodgy sites with hacked software.

This malware uses different detection evasion, anti-analysis, and persistence tactics. Although primarily positioned as adware, it can deliver other adware-like applications and log keystrokes.


SMApps Overview

SMApps is malware that falls under the designation of adware and browser hijackers. It mainly targets web browser settings, above all the search engine and homepage. After typing a search query on Google.com, a redirect to Bangsearch[.]pro occurs instead of the expected search results.

Registry entries of SMApps (screenshot)

Aside from Bangsearch, SMApps can promote literally any other engine, depending on who pays. Even when it sends the user to Yahoo or Bing, the results appear to be altered and may contain harmful content. In addition, fake search systems often collect sensitive user data, to a much greater extent than mainstream search providers.

At first glance, it may appear to be merely annoying, like the majority of adware. However, this one is different. Detailed analysis has shown that SMApps can steal sensitive information from the victim’s device and redirect search queries. It can capture keystrokes, collect process information, and install additional payloads (usually other adware). Removing this thing is tricky regardless of the infection path, because the malware uses various tricks to avoid removal. I have made my own analysis of this threat, finding all the tricks it performs in the infected system; you can see it below.

Pop-up notification spam, one of the outcomes of SMApps (screenshot)

Key spreading places for the SMApps virus are websites that distribute hacked software, and malicious ads. Shady pages with add-ons or mods for popular games also contribute to the spread of this malware. Moreover, this thing can spread by itself, replicating its files to USB drives and effectively acting like a worm, so be careful with what you plug into your USB port.

Technical Analysis

It was not hard to retrieve a sample of SMApps; malware analysis platforms are filled with its samples. This one was some kind of hack for Roblox, which matches what I found about its spreading ways. Let’s peek into its internals and in-system activities.

Initial Access

The Initial Access stage involves SMApps using various methods to gain a foothold in the target system. In the next stage, attackers may use Windows Management Instrumentation to query sensitive video device information or check whether an antivirus program is installed. This acts as both a system fingerprinting and an analysis/VM evasion step:

IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

This is often done to detect virtual machines. It also queries the firmware table information and checks whether the current process is being debugged. Additionally, it queries disk information to detect virtual machines. To hinder dynamic analysis, the program may contain medium and long sleeps (>= 30 seconds and >= 3 minutes respectively) and use evasive loops.

Persistence & Privilege Escalation

SMApps gains persistence via creating or modifying Windows services, registry run keys, and startup folders.

It calls Windows Installer to arrange its further execution, hiding the window through command line arguments.

"C:\Windows\system32\msiexec.exe" /I "C:\Users\\AppData\Local\Temp\tmphphvtapd" /qb ACCEPTEULA=1 LicenseAccepted=1

To gain more persistence and additional privileges, this program calls the Windows Error Reporting service. This trick is rather popular these days, as it abuses the ability to relaunch the process with top privileges without showing a UAC window.

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7280 -ip 7280
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3300 -ip 3300

Command Server Connection, Additional Installations

As for communications with C2, SMApps uses the FTP protocol and a list of pre-determined addresses to connect to. In my case, the 162.250.124.82:21 address was the primary server. However, the connection does not produce any rich logs: the malware just sends information about the infected system. More interesting stuff surfaced after letting the thing run in the background.

As I said above, SMApps can act as a dropper. It dropped two files after installation:

IdealWeightOperator.exe
IdealWeightService.exe

These two malicious programs are pretty much the same as SMApps itself in terms of functionality. They change browser settings on top of what the original does, promoting questionable sites and spawning unwanted ads. Even though these threats are not really severe, the fact that SMApps is capable of dropping them is concerning.
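The behaviours described in the Persistence and Command Server sections above give a defender something concrete to hunt for. The following PowerShell script is an added example, not code from Gridinsoft or from the SMApps analysis. It parses a handful of constructed process-creation ("proc") and network ("net") events in a simplified "type|key=value|..." form and applies four rules drawn from the analysis: a quiet msiexec install of a package from the Temp folder, WerFault.exe launched for a process that lives in a user-writable folder, FTP (port 21) traffic from such a process, and execution of the two dropped file names. The user name, PIDs and file locations in the sample events are made up for the example; only the command lines, the C2 address and the dropped file names come from the analysis.

```powershell
# Added example, not Gridinsoft's code. Sample events are CONSTRUCTED; adapt the
# parser to your real source (Sysmon event IDs 1 and 3, an EDR export, etc.).
$SampleEvents = @'
proc|pid=7280|image=C:\Users\alice\AppData\Local\Temp\roblox_hack.exe|parent=explorer.exe|cmd="C:\Users\alice\AppData\Local\Temp\roblox_hack.exe"
proc|pid=7301|image=C:\Windows\System32\msiexec.exe|parent=roblox_hack.exe|cmd="C:\Windows\system32\msiexec.exe" /I "C:\Users\alice\AppData\Local\Temp\tmphphvtapd" /qb ACCEPTEULA=1 LicenseAccepted=1
proc|pid=7340|image=C:\Windows\SysWOW64\WerFault.exe|parent=roblox_hack.exe|cmd=C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 7280 -ip 7280
net|pid=7280|image=C:\Users\alice\AppData\Local\Temp\roblox_hack.exe|dst=162.250.124.82|dport=21
proc|pid=7402|image=C:\Users\alice\AppData\Local\Temp\IdealWeightService.exe|parent=msiexec.exe|cmd=C:\Users\alice\AppData\Local\Temp\IdealWeightService.exe
proc|pid=8000|image=C:\Windows\System32\msiexec.exe|parent=services.exe|cmd=C:\Windows\System32\msiexec.exe /V
net|pid=4120|image=C:\Program Files\FileZilla FTP Client\filezilla.exe|dst=203.0.113.10|dport=21
'@

function ConvertFrom-SampleEvent {
    # Turns "type|key=value|key=value" lines into objects; values may contain '='.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $parts = $line -split '\|'
        if ($parts.Count -lt 2) { continue }
        $ev = [ordered]@{ Type = $parts[0] }
        foreach ($field in $parts[1..($parts.Count - 1)]) {
            $k, $v = $field -split '=', 2
            $ev[$k] = $v
        }
        [pscustomobject]$ev
    }
}

function Find-SmappsIndicator {
    # Applies the four behaviour rules; emits one object per hit.
    param([object[]]$Events)

    $procs = @($Events | Where-Object Type -eq 'proc')
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.pid] = $p }

    # Folders a dropper lands in. A system binary being invoked on behalf of a
    # process living here is what the WerFault and FTP rules key on.
    $userWritable = '\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\|\\ProgramData\\|\\Downloads\\'
    $knownDrops   = 'IdealWeightOperator.exe', 'IdealWeightService.exe'   # names from the analysis

    foreach ($p in $procs) {
        $leaf = Split-Path -Leaf $p.image

        # Rule 1: msiexec installing a package from %TEMP% with a quiet/basic UI flag.
        if ($leaf -eq 'msiexec.exe' -and $p.cmd -match '/q[bn]' -and
            $p.cmd -match '/I\s+"?[^"\s]*\\AppData\\Local\\Temp\\') {
            [pscustomobject]@{ Rule = 'Quiet MSI install from Temp'; Pid = $p.pid; Detail = $p.cmd }
        }

        # Rule 2: WerFault.exe whose "-p <pid>" target runs from a user-writable folder.
        if ($leaf -eq 'WerFault.exe' -and $p.cmd -match '\s-p\s+(\d+)') {
            $target = $byPid[[int]$Matches[1]]
            if ($target -and $target.image -match $userWritable) {
                [pscustomobject]@{ Rule = 'WerFault launched for process in user-writable path'; Pid = $p.pid
                                   Detail = "target pid $($target.pid) = $($target.image)" }
            }
        }

        # Rule 3: one of the dropped payload file names is executed.
        if ($leaf -in $knownDrops) {
            [pscustomobject]@{ Rule = 'Known SMApps dropped file executed'; Pid = $p.pid; Detail = $p.image }
        }
    }

    # Rule 4: FTP from a process in a user-writable folder (a real FTP client in
    # Program Files, like the FileZilla line above, is left alone).
    foreach ($n in $Events | Where-Object Type -eq 'net') {
        if ([int]$n.dport -eq 21 -and $n.image -match $userWritable) {
            [pscustomobject]@{ Rule = 'FTP connection from process in user-writable path'; Pid = $n.pid
                               Detail = "$($n.image) -> $($n.dst):$($n.dport)" }
        }
    }
}

$events   = ConvertFrom-SampleEvent -Lines ($SampleEvents -split "`r?`n")
$findings = @(Find-SmappsIndicator -Events $events)
"$($findings.Count) finding(s)"
$findings | Format-Table Rule, Pid, Detail -Wrap
```

Run against the sample it reports four findings (the msiexec install, the WerFault launch for PID 7280, the FTP connection to 162.250.124.82, and IdealWeightService.exe) and leaves the two benign lines alone. The WerFault rule deliberately keys on where the crashing process lives rather than on WerFault itself, because WerFault with -pss is what Windows runs for any crash; the same goes for port 21, which is only interesting when the client is not a real FTP program.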

How To Remove SMApps?

To remove SMApps, you need an effective antivirus solution. I recommend GridinSoft Anti-Malware, as it will help remove this malware without much effort. Users report problems with removing this malware manually, therefore a specialized tool is required. The GridinSoft program will also allow you to reset your browser in two clicks. This is especially effective when the browser has been interfered with by adware.


Dragon Angel Malicious Browser Extension
https://gridinsoft.com/blogs/dragon-angel-extension/ (published Fri, 22 Mar 2024 11:21:00 +0000)

Dragon Angel is a browser extension that functions as a hijacker malware. It redirects users to promoted search engines or websites. These redirects ruin the process of browsing and can lead to irrelevant or potentially harmful content or malware distribution.

Dragon Angel Overview

Dragon Angel is a malicious browser extension that can appear in Chrome browsers. It usually appears as a result of adware activity on the system. For example, unwanted programs like Chromstera or Chromnius after installation can offer this extension to the main browser. Users complain about it continuously appearing unless the source of the problem – the malignant browser – is removed.

Dragon Angel browser plugin (screenshot)

The purpose of such plugins is search query redirection. Frauds who stand behind it force every single search request you make to go through their servers. By forming a digital fingerprint of their victims, they earn money by selling it to third parties. I did a comprehensive analysis of Dragon Angel and found a couple of really interesting details, so read on.

Dragon Angel Detailed Analysis

Dragon Angel appears on your device due to the activity of unwanted software. It is often the result of potentially unwanted software that comes bundled with freeware or software cracks. Although most installers allow you to cancel installing additional software, unscrupulous developers may remove this option.

Search Redirects

Once installed, the extension changes the homepage and some browser settings. It also forcibly redirects all search queries through the Dragonboss search engine. The request eventually ends up on a legitimate search engine page, usually Yahoo or Bing, but during these redirections the said search engine collects information about your request. Also, the search results after such a multi-step operation differ from what you would get after a direct request to the search system.

Another malicious extension that Dragon Angel promotes in its redirections (screenshot)

What this means is that victims will see promotions instead of relevant search results. These promos mostly contain sponsored websites: gambling, adult sites or marketplaces that paid for the ads. At the same time, this advertising can lead to phishing websites or malware download pages.

Difficulties With Removal

The biggest problem for the average user is that Dragon Angel uses self-defense measures. After installation, the malware modifies registry settings to disable the ability to remove extensions from the browser or change homepage settings. This eventually leads to the infamous “Managed by Your Organization” error in Chrome, and complete inability to remove the extension.

According to the feedback from users who have encountered this plugin, the severity of this problem forces users to reset their PCs. This is the ultimate solution, but it will result in data loss, and feels like hunting sparrows with a tank gun. Fortunately, I have a solution to that problem without data loss. We will discuss it next.

Not by Dragon Angel Alone

During the analysis, I found other extensions from this “developer” called Dragon Honey and Dragon Search. All of them share the same logo, and the same purpose – redirecting user queries through their own search engine. However, this is not the last finding of my research.

The exact same “developer” has another project called Chromnius Browser. It is a browser based on the Chromium core and does not feature any remarkable qualities. Promotions say that Chromnius is a web browser that provides better security while browsing online by blocking pop-ups and tracker cookies. Closer analysis clearly shows, though, that Chromnius is just yet another adware that tries to pass as a web browser. It can infect other browsers, send pop-up notifications without user consent and redirect search queries.

How To Remove Dragon Honey

First, I strongly recommend scanning your device for malware. This will neutralize software that modifies system settings. To do this, download GridinSoft Anti-Malware and run a full scan. This will find the malware that initiates browser manipulation. In addition, GridinSoft Anti-Malware allows you to reset your web browser settings entirely in one click. This is especially useful if previous methods have failed.

Dragon Angel Malicious Browser Extension

Next, if you see the “Managed by your organisation” message when opening the browser menu in Google Chrome, there are two ways to remove Dragon Honey; we will look at them now. The first one is automatic and will work for most users. To regain control of the browser, follow these instructions to download the file and run it as an administrator. This will remove the registry entry that prevents you from changing the browser settings.

The second method involves all the same, only in manual mode. To do this, press Windows + R on your keyboard, type “regedit”, and select the OK button.

Copy the following path and paste it into the address bar, and press Enter:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

Chrome folder in the regedit

Select the Chrome key from the left pane of your Registry Editor. Right-click on the Chrome policy you want to remove and select Delete.
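Both the Universal Browser guide and this one end at the same place: the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome key, where a hijacker plants Chrome policies so that its extension is "managed by your organization" and the homepage and search engine cannot be changed. The PowerShell script below is an added example, not code from Gridinsoft or from either article. It audits that key plus the per-user equivalent under HKEY_CURRENT_USER, lists every force-installed extension, and flags entries whose update URL is not the Chrome Web Store endpoint or whose ID is not a valid 32-character extension ID, along with any policy that locks the homepage, startup pages or search provider. The policy and value names are Chrome's documented enterprise policy names; the Web Store update URL and the set of "lock" policies to look for are my choices. Run it from an elevated PowerShell prompt; -Remove deletes the flagged entries and -WhatIf previews what would be deleted.

```powershell
# Added example, not Gridinsoft's tooling. Audits Chrome policy keys for entries a
# browser hijacker uses to pin its extension and search engine; -Remove deletes them.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

# The machine-wide key both guides point to, plus the per-user equivalent.
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies\Google\Chrome',
    'HKCU:\SOFTWARE\Policies\Google\Chrome'
)

# Legitimate force-installs are updated from the Chrome Web Store; a local .crx or
# a random host here is how hijackers keep their extension coming back.
$WebStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'

# Policies that make the Settings page refuse to change homepage/startup/search.
# Any of these set on a home PC with no domain or MDM enrolment is a red flag.
$LockPolicies = 'HomepageLocation', 'HomepageIsNewTabPage', 'RestoreOnStartup',
                'DefaultSearchProviderEnabled', 'DefaultSearchProviderName',
                'DefaultSearchProviderSearchURL', 'DefaultSearchProviderSuggestURL'

function Get-ForcedExtension {
    # Each ExtensionInstallForcelist value holds "<32-char extension id>;<update url>".
    foreach ($root in $PolicyRoots) {
        $listPath = Join-Path $root 'ExtensionInstallForcelist'
        if (-not (Test-Path $listPath)) { continue }
        $key = Get-Item $listPath
        foreach ($name in $key.GetValueNames()) {
            $id, $url = ([string]$key.GetValue($name)) -split ';', 2
            [pscustomobject]@{
                Path        = $listPath
                ValueName   = $name
                ExtensionId = $id
                UpdateUrl   = $url
                Suspicious  = ($id -notmatch '^[a-p]{32}$') -or ($url -ne $WebStoreUpdateUrl)
            }
        }
    }
}

function Get-BrowserLockPolicy {
    # Lists lock policies present directly under either policy root.
    foreach ($root in $PolicyRoots) {
        if (-not (Test-Path $root)) { continue }
        $key = Get-Item $root
        foreach ($name in $key.GetValueNames()) {
            if ($name -in $LockPolicies) {
                [pscustomobject]@{ Path = $root; ValueName = $name; Value = $key.GetValue($name) }
            }
        }
    }
}

$forced = @(Get-ForcedExtension)
$locks  = @(Get-BrowserLockPolicy)
$forced | Format-Table ExtensionId, Suspicious, UpdateUrl, Path -AutoSize
$locks  | Format-Table ValueName, Value, Path -AutoSize

if ($Remove) {
    foreach ($e in $forced | Where-Object Suspicious) {
        if ($PSCmdlet.ShouldProcess("$($e.Path) -> $($e.ValueName)", 'Remove forced-extension entry')) {
            Remove-ItemProperty -LiteralPath $e.Path -Name $e.ValueName
        }
    }
    foreach ($l in $locks) {
        if ($PSCmdlet.ShouldProcess("$($l.Path) -> $($l.ValueName)", 'Remove browser-lock policy')) {
            Remove-ItemProperty -LiteralPath $l.Path -Name $l.ValueName
        }
    }
}
```

After removal, restart Chrome and open chrome://policy to confirm the entries are gone. If they reappear within minutes, the program that writes them (Chromstera, Chromnius or a similar rogue browser) is still installed, which is the point both guides make: the policy key is a symptom, and the installer that keeps rewriting it has to go first.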

Re-Captha-Version Pop-Up Virus
https://gridinsoft.com/blogs/re-captha-version-pop-ups/ (published Wed, 20 Mar 2024 15:28:43 +0000)

Recent user complaints show a new wave of malicious Re-Captha-Version website pop-ups. Such websites aim to force users into allowing pop-up notifications and then send dozens of pop-up advertisements. Let’s figure out what this scam is, how it works, and how to stop Re-Captha-Version pop-ups.

What are Re-Captha-Version pop-up notifications?

Re-Captha-Version is a browser notification spam campaign that takes place on an eponymous website. An entire network of such sites has similar names and content. All of them aim at one thing – forcing users to allow notifications, under the guise of anti-robot captcha. This makes possible the main course of this scam – huge numbers of pop-ups that flood both the web browser and system notifications.

List of domains involved in the scam

Domain                          Registered   Report
Re-captha-version-3-271.buzz    2024-07-05   Scan Report
re-captha-version-3-275.buzz    2024-05-31
re-captha-version-3-278.buzz    2024-06-14
re-captha-version-3-290.buzz    2024-03-15
re-captha-version-3-298.buzz    2024-03-12
re-captha-version-5-1.com       2024-03-03
re-captha-version-3-73.fun      2024-02-13   Scan Report

Websites like Re-Captha-Version commonly appear after a redirection from another site, or after clicking a suspicious banner somewhere on the Web. If you try visiting such websites outside of the malicious redirections, they will likely return a white screen or various error messages. In some cases they work, but the content is the same as the first time: just the offer to enable pop-up notifications.

Common example of a Re-Captha website asking to allow pop-ups (screenshot)

But what is all this for? Promotions that such websites show are extremely cheap, but their volume multiplied by the number of victims yields quite a substantial profit. Considering that these frauds will advertise other malicious actors, the profit may be spread across several cybercriminal groups. And while there are ways to earn more, and legitimately, pop-up spam campaigns are extremely easy to run. This is what keeps these fraudulent sites going.

How dangerous are Re-Captha-Version pop-up notifications?

Despite what they look like, pop-ups are a rather dangerous thing, especially when dozens of them appear in a short period. The main effect is distraction: pop-ups will keep appearing even after closing the browser. They clutter the notification tray, making it impossible to find the alerts you need.

Desktop notifications sent by a Recaptha site (screenshot)

But the key danger hides in the content of those promotions. Pages and offers they promote are not even remotely relevant. Moreover, the links these advertisements lead to are often just clickbait websites or outright phishing pages. The longer all this happens, the more likely for the user to accidentally click one and get into a sticky situation.

How to remove Re-Captha-Version?

Removing pop-ups from the browser involves two steps: revoking the notification permission for all sites and scanning your system for threats. The first one is manual: go to your browser settings, open the page with notification settings and delete all entries there. Then reload your browser for the changes to take effect.
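For the first step, it helps to see exactly which sites currently hold the notification permission rather than clicking through the settings page one entry at a time. The PowerShell script below is an added example, not code from Gridinsoft or from the article. Chrome keeps per-site permissions in the profile's Preferences JSON file; the layout used here (profile.content_settings.exceptions.notifications, with setting 1 meaning allow and 2 meaning block) is my assumption from inspecting such files, so check it against your own file before trusting the output. The sample document is constructed for the example and only the two re-captha-version domains in it come from the list above. On a real machine the file is %LOCALAPPDATA%\Google\Chrome\User Data\Default\Preferences; pass it with -Path, only while Chrome is closed, and the script backs it up before writing.

```powershell
# Added example, not Gridinsoft's tooling. Lists sites allowed to send notifications
# and flips the ones matching a spam-domain pattern to "block". JSON layout assumed;
# the sample Preferences document is CONSTRUCTED.
param(
    [string]$Path,                                # omit to run against the sample
    [string]$BlockPattern = 're-captha-version',  # domain pattern from the article
    [switch]$Apply                                # write the change back to -Path
)

$SamplePreferences = @'
{
  "profile": {
    "content_settings": {
      "exceptions": {
        "notifications": {
          "https://re-captha-version-3-290.buzz:443,*": { "last_modified": "13357000000000000", "setting": 1 },
          "https://re-captha-version-5-1.com:443,*":    { "last_modified": "13357000000000000", "setting": 1 },
          "https://mail.example.com:443,*":             { "last_modified": "13300000000000000", "setting": 1 },
          "https://news.example.net:443,*":             { "last_modified": "13300000000000000", "setting": 2 }
        }
      }
    }
  }
}
'@

function Get-NotificationGrant {
    # Returns every origin whose notification exception is currently "allow" (1).
    param([Parameter(Mandatory)]$Prefs)
    $table = $Prefs.profile.content_settings.exceptions.notifications
    if (-not $table) { return }
    foreach ($prop in $table.PSObject.Properties) {
        if ($prop.Value.setting -eq 1) {
            [pscustomobject]@{
                Origin  = ($prop.Name -split ',')[0]      # "https://host:443,*" -> "https://host:443"
                Pattern = $prop.Name
                Suspect = [bool]($prop.Name -match $BlockPattern)
            }
        }
    }
}

function Revoke-NotificationGrant {
    # Sets the matching exceptions to "block" (2) instead of deleting them, so the
    # site cannot simply prompt again on the next malicious redirect.
    param($Prefs, [string[]]$Patterns)
    $table = $Prefs.profile.content_settings.exceptions.notifications
    foreach ($pat in $Patterns) { $table.$pat.setting = 2 }
    $Prefs
}

$json   = if ($Path) { Get-Content -Raw -LiteralPath $Path } else { $SamplePreferences }
$prefs  = $json | ConvertFrom-Json
$grants = @(Get-NotificationGrant -Prefs $prefs)
$grants | Format-Table Origin, Suspect -AutoSize

$toRevoke = @($grants | Where-Object Suspect | ForEach-Object Pattern)
"{0} allowed origin(s), {1} flagged for revocation" -f $grants.Count, $toRevoke.Count

if ($Apply -and $Path -and $toRevoke.Count -gt 0) {
    Copy-Item -LiteralPath $Path -Destination "$Path.bak"
    $out = Revoke-NotificationGrant -Prefs $prefs -Patterns $toRevoke | ConvertTo-Json -Depth 100
    # Write UTF-8 without a BOM: Chrome expects plain JSON at the start of the file.
    [IO.File]::WriteAllText($Path, $out, [Text.UTF8Encoding]::new($false))
}
```

Against the sample it lists three allowed origins and flags the two re-captha-version ones; the already-blocked news site is not listed. Widen -BlockPattern to cover whatever domains are spamming you, or drop the pattern and revoke everything if, as the article suggests, you simply want a clean slate. Use PowerShell 7 for a real profile: the Preferences file is large and deeply nested, and ConvertTo-Json in Windows PowerShell 5.1 is noticeably slower on it.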

For the second step – scanning for threats – I recommend using GridinSoft Anti-Malware. Ads can lead to the installation of unwanted software. But aside from this, the appearance of Re-Captha-Version website may be the sign of adware activity. To ensure that your device is clean, run a Standard scan and let it finish – it won’t take long.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished
