Adware Taking Cues from APT

October 11, 2014

The Dell SonicWALL Threats Research Team has recently encountered an interesting case of adware that includes some unexpected features, reminiscent of the Flame/SkyWiper cyber espionage malware.

Infection Cycle

The adware package is a typical Nullsoft Installer bundle, but the primary payload is a binary that includes a built-in Lua interpreter. This payload is installed as a system service upon execution.

Once the service is initiated, it attempts to download the main Lua script.

The malware downloads a Lua script

The Lua script payload itself contains over 2500 lines of code. The purpose of the script is to provide a remote command and control method, as the primary function of the script periodically checks remote servers for additional scripts and commands to run on the local system.

Examination of Lua code shows download and execution capabilities

After the Lua code launches, it fetches another binary from remote servers. In this case, a Windows DLL is downloaded and is launched via the existing service process. This DLL provides additional backdoor functionality and includes its own hardcoded command and control addresses.

Hardcoded addresses found inside the DLL module

Much like the Lua script, the DLL is capable of downloading and executing additional payloads.

The DLL includes several functions to drop and execute additional payloads

Indicators of Compromise

In order to persist on the target machine, the malware installs itself as a system service named "Updater" to be launched at boot time. The registry entry for the service is shown below.

The registry entry for the malicious system service

The malware creates several randomized mutexes per thread as shown below.

The malware process spawns a number of randomly-named mutexes


Overall, the purpose of this malware is to provide an initial infection vector to download additional components and achieve persistence on a target machine. Dell SonicWALL Gateway Anti-Virus provides protection against this threat with the following signatures:

  • GAV: AdPeak.B
  • GAV: Proxy.B

A special thanks to Brad Arndt for assistance in initial identification and information gathering.