Just to show you that behind some PUPs there are threat actors that are too lazy to be bothered, we offer you a fake online scanner that was used to promote the infamous MacKeeper and a Windows system optimizer called Advance-System-Care.
Windows
The redirect scheme on a Windows machine looked like this.
From a compromised website we were re-directed to systemcheck[.]club where we got this popup:
Clicking “OK” offered to start an online scan –
Thankfully these helpful people knew just the tool to remove this virus from our PC and brought us to www[.]advancepctools[.]info:
Here we installed Advance-System-Care which did not find the virus, but nevertheless had some very important tips on how to improve the system’s performance.
Pro tip: that phone number will not work as there is a format error in it.“>
That Advance-System-Care did not find the alleged virus is not surprising as Tapsnake is an Android infection that doesn’t work on Windows machines.
One other thing that did puzzle me, was that I also got this prompt while visiting the systemcheck[.]club site:
A Windows Internet Explorer prompt letting me know that: “VIRUS FOUND. It is necessary repair your Mac. Please do not leave the page. Click OK to begin the repair process.”“>
But when I showed this to our Mac researchers they had a very plausible explanation for this. Exactly the same fake scan is used to push MacKeeper on Mac systems.
Mac
My colleague @thomasareed recorded the proceedings on a Mac system, leading to the install of MacKeeper:
https://www.youtube.com/watch?v=BjUhGJFnrwY As you can see the scan and the scan-results are exactly the same. Only MacKeeper is consistent by finding the same threat (Tapsnake) on the system.
The installer for Advance-System-Care is detected as PUP.Optional.AdvanceSystemCare
SHA256: 164cb18150d242e88de70b9f0e35478ab9aab88e0b723472dfdc278f6ea025da
Malwarebytes removes Advance-System-Care completely. A removal guide for Advance-System-Care can be found on our forums.
Special thanks to @thomasareed for sharing his research on the Mac side and @MysteryFCM for pointing out the URL.
Pieter Arntz