Adware Taking Cues from APT

October 11, 2014

The Dell SonicWALL Threats Research Team has recently encountered an interesting case of adware that includes some unexpected features, reminiscent of the Flame/SkyWiper cyber espionage malware.

Infection Cycle

The adware package is a typical Nullsoft Installer bundle, but the primary payload is a binary that includes a built-in Lua interpreter. This payload is installed as a system service upon execution.

Once the service is initiated, it attempts to download the main Lua script.

The malware downloads a Lua script

The Lua script payload itself contains over 2500 lines of code. Its purpose is remote command and control: the script's main function periodically polls remote servers for additional scripts and commands to run on the local system.

Examination of Lua code shows download and execution capabilities

After the Lua code launches, it fetches another binary from remote servers. In this case, a Windows DLL is downloaded and is launched via the existing service process. This DLL provides additional backdoor functionality and includes its own hardcoded command and control addresses.

Hardcoded addresses found inside the DLL module

Much like the Lua script, the DLL is capable of downloading and executing additional payloads.

The DLL includes several functions to drop and execute additional payloads

Indicators of Compromise

In order to persist on the target machine, the malware installs itself as a system service named "Updater" to be launched at boot time. The registry entry for the service is shown below.

The registry entry for the malicious system service

The malware creates several randomized mutexes per thread as shown below.

The malware process spawns a number of randomly-named mutexes
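The two indicators the report describes that can be checked from a host artifact are the auto-start service named "Updater" and the service binary's embedded Lua interpreter. The following added triage script (not code from the report or from Dell SonicWALL) parses a `reg export` of the Services key to find such a service and scans the referenced binary for string literals the stock Lua interpreter carries. The registry excerpt, the ImagePath and the binary bytes are constructed samples, and the marker list is a heuristic assumption that the payload was not stripped of those strings.

```python
import re

# Heuristic markers: Lua C API symbol names and VM error templates that the stock
# Lua sources embed as string literals. Assumption: the payload keeps them
# (a packed or stripped build might not), so treat a hit as a lead, not proof.
LUA_MARKERS = (b"lua_pcall", b"luaL_loadbuffer", b"luaL_openlibs",
               b"lua_setfield", b"attempt to %s a %s value", b"$LuaVersion")

def lua_markers_found(data: bytes) -> list:
    """Return the distinct Lua markers present in a binary (like `strings | grep`)."""
    strings = re.findall(rb"[\x20-\x7e]{4,}", data)
    return [m for m in LUA_MARKERS if any(m in s for s in strings)]

def parse_services(reg_text: str) -> dict:
    """Parse a `reg export` of HKLM\\SYSTEM\\CurrentControlSet\\Services into {name: {value: data}}."""
    services, key = {}, None
    for line in reg_text.splitlines():
        head = re.match(r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]", line)
        if head:
            key = head.group(1)
            services[key] = {}
            continue
        val = re.match(r'"(\w+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', line)
        if key and val:
            name, dword, string = val.groups()
            # .reg files store dwords as hex and escape backslashes in strings as "\\"
            services[key][name] = int(dword, 16) if dword else string.replace("\\\\", "\\")
    return services

def suspicious_updater(services: dict) -> list:
    """Flag auto-start services (Start=2, SERVICE_AUTO_START) named 'Updater', the name this adware uses."""
    return [n for n, v in services.items() if n.lower() == "updater" and v.get("Start") == 2]

# Constructed .reg excerpt; the ImagePath is an assumed example, not a value from the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Updater]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\ProgramData\\Updater\\svc.exe"
"DisplayName"="Updater"
'''
# Constructed stand-in for the service binary's bytes (a real scan would read ImagePath from disk).
SAMPLE_BIN = b"MZ\x90\x00" + b"\x00" * 8 + b"luaL_openlibs\x00lua_pcall\x00\xff" + b"attempt to %s a %s value\x00"

if __name__ == "__main__":
    svcs = parse_services(SAMPLE_REG)
    for name in suspicious_updater(svcs):
        print(name, svcs[name]["ImagePath"], lua_markers_found(SAMPLE_BIN))
```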

Summary

Overall, the purpose of this malware is to provide an initial infection vector to download additional components and achieve persistence on a target machine. Dell SonicWALL Gateway Anti-Virus provides protection against this threat with the following signatures:

  • GAV: AdPeak.B
  • GAV: Proxy.B

A special thanks to Brad Arndt for assistance in initial identification and information gathering.