Jul 11, 2011 17:22 GMT  ·  By
Click fraud malware distributed as Flash Player update for Chrome and Firefox

Security researchers from GFI warn that cyber criminals pushing click fraud trojans have adopted distribution techniques commonly seen in scareware schemes.

First of all, according to experts, this is one of the first browser-aware schemes used to distribute this type of malware and appears to target Chrome and Firefox users specifically.

The trojan, part of the 2GCash family, is distributed from a domain registered through a free dynamic DNS provider.

Security researchers don't mention how users end up on this page, but they are most likely taken through several redirects, possibly after clicking on malicious search results.

One interesting aspect of this attack is that Internet Explorer users get redirected to usa.gov, a legitimate website, while people using other browsers are served malicious files for download.

For example, Google Chrome users will be prompted to download and install a Flash Player update called v11_flash_AV.exe, even though the browser comes with a bundled Flash plug-in that gets updated regularly.

Meanwhile, Firefox users will see a fake "what's new" page that similarly claims that Flash Player is outdated. This mimics the page that normally appears after Firefox is upgraded to a new version and actually performs a check to see if installed plug-ins are up to date.

However, despite warning about an old version of Flash Player, the file served for download is called ff-update.exe. Both files install the same 2GCash variant, a trojan used to perform click fraud and hijack people's search results.
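A defender-side check for the browser-aware delivery pattern described above, written as an added example (not GFI's or the article's code): it scans constructed proxy-log lines for a host that redirects Internet Explorer elsewhere while serving an executable named like a Flash update to Chrome or Firefox. The host names are placeholders; the two file names are the ones the article reports.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse
# Constructed proxy-log sample: timestamp, client, status, URL, "User-Agent".
# Hosts are placeholders; the two .exe names are those named in the article.
SAMPLE_LOG = """\
2011-07-11T10:01:02Z 10.0.0.5 302 http://update-host.example/index.php "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
2011-07-11T10:01:05Z 10.0.0.7 200 http://update-host.example/index.php "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
2011-07-11T10:01:06Z 10.0.0.7 200 http://update-host.example/v11_flash_AV.exe "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
2011-07-11T10:02:11Z 10.0.0.9 200 http://update-host.example/index.php "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
2011-07-11T10:02:13Z 10.0.0.9 200 http://update-host.example/ff-update.exe "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0"
2011-07-11T10:03:00Z 10.0.0.7 200 http://downloads.example.com/setup-update.exe "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d{3}) (\S+) "([^"]*)"$')
# Executable names posing as a Flash/update installer (hypothetical heuristic).
FAKE_UPDATE_RE = re.compile(r"(flash|update)[^/]*\.exe$", re.IGNORECASE)

def browser_family(user_agent):
    """Coarse User-Agent classification (Chrome UAs also contain 'Safari')."""
    if "MSIE" in user_agent:
        return "ie"
    if "Chrome/" in user_agent:
        return "chrome"
    if "Firefox/" in user_agent:
        return "firefox"
    return "other"

def parse_log(text):
    """Yield (status, host, path, family) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            _ts, _client, status, url, ua = m.groups()
            u = urlparse(url)
            yield int(status), u.netloc, u.path, browser_family(ua)

def find_cloaked_update_hosts(text):
    """Hosts that redirect IE (3xx) but serve a fake-update .exe to Chrome/Firefox -> {host: [exe names]}."""
    ie_redirected, exe_by_host = set(), defaultdict(set)
    for status, host, path, family in parse_log(text):
        if family == "ie" and 300 <= status < 400:
            ie_redirected.add(host)
        elif family in ("chrome", "firefox") and status == 200 and FAKE_UPDATE_RE.search(path):
            exe_by_host[host].add(path.rsplit("/", 1)[-1])
    return {h: sorted(n) for h, n in exe_by_host.items() if h in ie_redirected}

if __name__ == "__main__":
    print(find_cloaked_update_hosts(SAMPLE_LOG))
```

The download from downloads.example.com is deliberately not flagged: the heuristic only fires when the same host also sends Internet Explorer a redirect, which is the cloaking behaviour the article describes.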

This allows the cyber criminals to monetize their creation. However, the malware can also act as a downloader for additional threats, including PDF exploits and scareware.

One interesting aspect of newer 2GCash variants is their ability to detect virtual machines. This makes it harder for researchers to analyze them, because most researchers use VMs.

"They also tend to rotate variants almost every 6 to 12 hours as a method to try and evade detection," the GFI security researchers warn.