Author's Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. "PUP Friday", our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.
For this week's PUP Friday post, we're going to take a look at two programs claiming to be two different security products, both hosted on a domain purporting to be a safe antivirus download hub. The site in question, however, has been known to serve a fake Malwarebytes installer. The domain is antivirus-dld[DOT]com, and users should avoid visiting it or block it in their browsers.
Below are screenshots of its subdomains where users can supposedly download the AVG and AdwCleaner programs:

Although the two installers differ in file name and hash, they have more in common than what we see on the surface. Malwarebytes Anti-Malware (MBAM) detects both files as PUP.Optional.BundleInstaller. Other AV engines detect them as variants of the SoftPulse family.
Below is a sequence of events in a slideshow when we tested AVG.exe.
[Slideshow: four screenshots of the AVG.exe test run]
While this "Thank you" GUI window is displayed, the promised program, in this case AVG, is downloaded and installed automatically. Users can't see this happening at first because the bundle installer's GUI overlays the real program's GUI. Additionally, we did a quick lookup of their "24/7 free support" phone number, (+1) 844 326 2917, to see what comes up. It turns out that this number is also used by other domains, such as (but not limited to) the following:
For a technical but comprehensive view of what the files actually do once executed on a system, below are links to incident response reports that you can browse, courtesy of Payload Security's sandbox: