PBot: This evolving adware installs malicious browser extensions
Security researchers at the Kaspersky Lab have discovered a new Python-based adware that are targeting Windows-based computers.
Dubbed PBot, or PythonBot, the adware not only floods an infected computer with advertisements but also installs malicious ad extensions in the browser and hidden cryptocurrency miner on victim’s computer.
The researchers had discovered the first member of the PBot family over a year ago, and since then the adware has evolved with several modifications to the program. In April itself, the company detected more than 50,000 attempts to install PBot on computers of users of Kaspersky Lab products.
The number of attempts is increasing indicating that this adware is on the rise. The most affected users are from Russia, Ukraine, and Kazakhstan.
“Developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation,” wrote Kaspersky’s Anton V. Ivanov in a blog post.
“Another distinctive feature of this PBot variation is the presence of a module that updates scripts and downloads fresh browser extensions.”
The browser extension installed by PBot basically adds various banners to the page and redirects the user to advertising sites to generate revenue. All this while, the cryptominer uses computing power (CPU) of the system to generate cryptocurrency.
At present, PBot is distributed through malicious partner sites whose pages implement scripts to redirect users to sponsored links. Once the user visits the partner site, clicking anywhere on the page opens a new browser window with an intermediate link that redirects the user to the PBot download page. Further, clicking on the link downloads an “.hta” file, which once clicked downloads the PBot installer.
“In pursuit of profit, adware owners often resort to installing their products on the sly, and PBot developers are no exception. They release new versions (and update them on user computers), complicating their obfuscation to bypass protection systems,” Ivanov concluded.
If you are a Windows user, it is suggested that you do not click on links sent by unknown senders and also avoid visiting unknown sites. Also, ensure that your computer is up-to-date.