Recently we noticed a change on one of the domains that we monitor because they are known to host files related to tech support scams and involved in browlocks, fake alerts, and screenlockers.
The domain and the screenlockerAt the moment the installer is being pushed by InstallCapital which is a pay-per-install network .
The domain hosting the installer is called installreports[dot]com and this time we found it was hosting a tech support screenlocker we dubbed Advanis after the folder it creates in the Windows directory and the entry it creates in the list of installed programs and features.
MT is the name of the main executable. The one that shows the screenlocker. Here it is probably short for “Market Tools”, which is the name of the Windows form.
Resolution@TheWack0lian found this code snippet –
--telling us that the screenlocker could be minimized by using the “Backspace” key. Once you have done that, removal is no problem. A full removal guide for Advanis can be found on our forums.
File detailsSHA 256 of the installer 30a32cb629d2a576288b4536d241b6e90f0540c3275288bfd4982233e12d182f
Malwarebytes web protection module blocks the domain and detects the installer as Trojan.TechSupportScam.
The advertised number on the lockscreen leads back to the domain getfixpc[dot]net.
AttributionFinding out who is behind a threat is not always easy, but we think we have a solid case for this one.
Meet Baskar K.
He registered the domain installreports[dot]com with the email address: firstname.lastname@example.org.
Using his own name and providing his phone number and physical address.
The same personal data was used to register brmediahub.com
That domain is listed as the homepage at the stackoverflow profile I posted a screenshot of.
For the same physical address we also found an email address email@example.com that has been used to register a host of dubious domains:
Thanks to TheWack0lian and William Tsing for their additional research.