Antivirus

Fake Ad Blocker: It Locks Up Files & Hijacks PCs To Mine Cryptocurrency

Think Twice Before You Install An AdBlocker On Your Device, You Won’t Realize But It Might Be A Malware! 

Since the beginning of February, several applications were spotted, injecting Monero Cryptocurrency Miner into users’ computers. According to the Kaspersky Report, these (Cryptominer + Ransomware codes) were distributed via malicious websites that randomly appeared in the user’s search feeds. The hybrid Malware (mostly disguised as an antivirus installer) targeted more than 2,500 users a day, this time disguised as an ad blocker and OpenDNS Service

“According to the recent stats, hybrid malware has infected over 20,000 users since the starting of February.” 

Technical Details

The hybrid malware is distributed under the name – AdShield Pro, a Windows version of the AdShield Mobile Ad Blocker. Once the user installs the ad blocker, the DNS settings get automatically altered on the device. Hence, all the domains get resolved from the attacker’s end. This further prevents the victims from accessing their current antivirus program, and the computer gets no protection at all against potential trojans. 

That’s Not All, The Situation Gets Even Worse. How? Read On!

The story doesn’t end here! The malware additionally installs a legitimate version of the Transmission BitTorrent Client on your computer to create a backdoor for hackers, so that they can remotely access your PC.  

Once the DNS servers are substituted successfully, the malware starts updating itself by running the executable file – update.exe with the argument self-upgrade (“C:\Program Files (x86)\AdShield\updater.exe” -self-upgrade).The self-updater file contacts C&C and sends all the essential information related to the infected machine, starting from the installation process. Some of the command lines in this executable file are thoroughly encrypted so that the static detection process gets more difficult.  

Updater.exe code snippet containing the encrypted address!

Further, the executable file downloads from the site transmissionbt[.]org, where a modified version of Transmission Torrent Client runs. In this entire process, the malware sends all the essential information related to the infected machine to C&C and downloads the mining module from it. 

Letting C&C know about the successful installation!

No matter how this annoying AdBlocker gets a space on your device, the freaky malicious code can disperse all over your disk space and locks up the data and start mining the Monero Cryptocurrency. Hackers execute the – servicecheck_XX task in the Windows Task Scheduler, to ensure continuous operations.

How To Get Rid Of The Miner?

According to Kaspersky’s recent blog post, the miner can be removed by simply reinstalling the impersonated file with the legitimate one from official resources. If you find a flock.exe file running on your system, simply end the process and uninstall adblockers like AdShield, NetShieldKit, OpenDNS, and the Transmission torrent. You should consider removing the following folders if found: 

Finally, complete the process by deleting the servicecheck_XX task from Windows Task Scheduler. 

Ultimate Solution To Avoid Such Infections In Future

Running the best antivirus software should be your top priority to avoid such infections in the first place. We recommend running Systweak Antivirus on your Windows PC since it has all the potential to detect and eliminate almost every kind of threat before it can be installed or become harmful for your device. Systweak Antivirus boasts the following highlights: 

  • Real-time protection. 
  • Runs in the background without hampering the performance. 
  • Analyses the actions of installed apps, so that necessary actions can be taken on time. 
  • Maintains logs of all the threats detected. 
  • Scans the entire nook & cranny of the system to provide maximum protection. 
  • Lightweight antivirus for Windows. Doesn’t consume system resources much! 
  • Multiple scanning modes: Quick Scan, Deep Scan, Custom Scan to scan most vulnerable areas of the system quickly & effectively. 
  • Promotes secure web browsing by offering a dedicated ad blocker – StopAll Ads to block all the potentially harmful advertisements & links that might track your online/offline activity. 
  • Exploit Protection to locate and eliminate PUPs (Potentially Unwanted Programs). 
  • Checks, manages & removes startup items that may slow down the boot time. 

How Do I Use Systweak Antivirus?

With all such an interactive set of features, Systweak Antivirus is simply designed to give you the best protection as conveniently possible. To safeguard your system, follow the steps below and learn how to use Systweak Antivirus

STEP 1- Install Systweak Antivirus and the security application will launch automatically. 

STEP 2- From the main dashboard, click on the magnifying glass icon and choose the desired scanning mode. Quick Scan, Deep Scan, or Custom Scan!

STEP 3- Confirm your scanning process and let the PC Security Solution scan the entire nook and cranny of your system and eliminate all the potential threats from your system! 

You’ll get the alert – Your PC is protected from harmful threats! 

If you want adblocking with no fuss, you can even try switching to Brave Browser. If you have ever installed or used AdShield Pro, do let us know your experience in the comments section below!

Leave a comment