New Adware Campaign Targets Meta Quest Users: Here's What You Need to Know
A new campaign is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust.
"The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes," cybersecurity firm eSentire said in an analysis, adding it identified the activity earlier this month.
How It Works
AdsExhaust's functionality allows it to:
- Automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators.
The initial infection chain includes:
- Surfacing a bogus website ("oculus-app[.]com") on Google search results using search engine optimization (SEO) poisoning techniques.
- Prompting unsuspecting users to download a ZIP archive ("oculus-app.EXE.zip") containing a Windows batch script.
Deep Analysis
The batch script is designed to:
- Fetch a second batch script from a command-and-control (C2) server.
- Create scheduled tasks on the machine to run the batch scripts at different times.
Following this, the script:
- Downloads the legitimate app onto the compromised host.
- Drops additional Visual Basic Script (VBS) files and PowerShell scripts to gather IP and system information, capture screenshots, and exfiltrate data to a remote server ("us11[.]org/in.php").
The server response returns the PowerShell-based AdsExhaust adware, which:
- Checks if Microsoft's Edge browser is running.
- Determines the last time a user input occurred.
Behavior of AdsExhaust
eSentire explained:
- If Edge is running and the system is idle for more than 9 minutes, the script injects clicks, opens new tabs, and navigates to URLs embedded in the script.
- It then randomly scrolls up and down the opened page.
- This activity likely triggers elements such as ads on the web page, generating unauthorized ad revenue.
The adware also:
- Closes opened browsers if mouse movement or user interaction is detected.
- Creates overlays to hide its activity.
- Searches for the word "Sponsored" in Edge to click on ads and inflate ad revenue.
Additionally, AdsExhaust can:
- Fetch a list of keywords from a remote server.
- Perform Google searches for those keywords.
- Launch Edge sessions via the Start-Process PowerShell command.
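The behaviours above map naturally onto a small hunting check. The following is an added example, not code from eSentire or the original write-up: it scores constructed telemetry lines against the two defanged indicators named in the article and the behaviours it attributes to the chain (scheduled tasks running batch scripts, PowerShell launching Edge with Start-Process, the "Sponsored" string, the fake installer name). The rule weights and the sample log lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field

# Network indicators from the write-up (defanged there; refanged here for matching).
DOMAIN_IOCS = [d.replace("[.]", ".") for d in ("oculus-app[.]com", "us11[.]org/in.php")]

# Behaviours the write-up attributes to the chain; weights are this example's assumption.
BEHAVIOUR_RULES = [
    ("batch script registered as scheduled task", re.compile(r"schtasks\b.*\.bat\b", re.I), 2),
    ("PowerShell launching Edge via Start-Process", re.compile(r"Start-Process\b.*msedge", re.I), 2),
    ("script searching for 'Sponsored' ad markers", re.compile(r"\bSponsored\b"), 1),
    ("file named after the fake Meta Quest installer", re.compile(r"oculus-app\.EXE\.zip", re.I), 3),
]

@dataclass
class Finding:
    line_no: int
    score: int = 0
    reasons: list = field(default_factory=list)

def score_event(line_no: int, line: str) -> Finding:
    """Score one log line against the network and behavioural indicators."""
    f = Finding(line_no)
    for ioc in DOMAIN_IOCS:
        if ioc.lower() in line.lower():
            f.score += 3
            f.reasons.append(f"contact with known indicator {ioc}")
    for name, pattern, weight in BEHAVIOUR_RULES:
        if pattern.search(line):
            f.score += weight
            f.reasons.append(name)
    return f

def hunt(log_lines, threshold: int = 2):
    """Return findings at or above threshold, highest score first."""
    findings = [score_event(i, line) for i, line in enumerate(log_lines, 1)]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)

# Constructed sample telemetry (not real logs) mirroring the chain described above.
SAMPLE_LOG = [
    'ProcessCreate cmd.exe /c C:\\Users\\u\\Downloads\\oculus-app.EXE.zip\\setup.bat',
    'ProcessCreate schtasks /create /tn "Updater" /tr C:\\ProgramData\\u.bat /sc minute /mo 30',
    'ScriptBlock Start-Process msedge.exe -ArgumentList "https://example.invalid/"',
    'ScriptBlock $page.Content -match "Sponsored"',
    'HttpPost http://us11.org/in.php bytes=48211',
    'ProcessCreate notepad.exe C:\\Users\\u\\notes.txt',
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f.line_no}: score {f.score}: {'; '.join(f.reasons)}")
```

A single low-weight hit such as the "Sponsored" string is deliberately kept below the default threshold, since that word is common in benign browsing; it only contributes once stronger indicators are present on the same host.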
A Broader Context
AdsExhaust is part of a larger trend in which similar fake IT support websites deliver Hijack Loader (aka IDAT Loader), leading to a Vidar Stealer infection. The attack uses YouTube videos and bots that post fraudulent comments to lend the site legitimacy.
eSentire commented:
"This highlights the effectiveness of social engineering tactics and the need for users to be cautious about the authenticity of the solutions they find online."
Other Noteworthy Campaigns
Another recent development involves a malspam campaign targeting Italian users with invoice-themed ZIP archive lures. This campaign delivers a Java-based remote access trojan named Adwind.
Symantec, owned by Broadcom, reported:
- Users receive HTML files like INVOICE.html or DOCUMENT.html that lead to malicious .jar files.
- The final payload is the Adwind remote access trojan (RAT), providing attackers with control over the compromised endpoint for data collection and exfiltration.
Key Takeaway
Be vigilant and always verify the authenticity of the applications and websites you engage with, particularly when searching for solutions online. Cyber threats like AdsExhaust and Hijack Loader can compromise your system and data, making it crucial to exercise caution.