
"The malware achieves persistence through five scheduled tasks and WMI event subscriptions that survive reboots. It also adds Windows Defender exclusions for directories used to stage future payloads, which could include cryptominers, ransomware, or infostealers."
"The most alarming discovery was in the software's update configuration. The primary domain used to deliver payload updates (chromsterabrowser[.]com) was unregistered. Anyone who purchased it could have served arbitrary code to every affected host, with no exploitation required."
Huntress researchers discovered a dangerous threat hidden in adware, initially categorized as a potentially unwanted program. The software, signed by Dragon Boss Solutions, evolved to deploy a PowerShell payload that disables cybersecurity products and maintains persistence through scheduled tasks. The primary update domain was unregistered, allowing anyone to serve malicious code to affected hosts. Huntress registered the domain and found that approximately 25,000 unique IP addresses from 124 countries sought update instructions, with the U.S. having the highest number of compromised hosts.
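One way to audit a Windows host for the three persistence and evasion mechanisms named above, as an added example that is not code from the Huntress or SecurityWeek reporting: it lists permanent WMI event subscriptions, Defender exclusions, and scheduled-task actions that run PowerShell, pass an encoded command, or execute from a path that is also excluded from Defender. It assumes an elevated PowerShell 5.1+ session on a host with Microsoft Defender; it does not check the update domain.

```powershell
# Added audit script; not from the Huntress/SecurityWeek report. Assumes an elevated
# PowerShell 5.1+ session on a Windows host with Microsoft Defender present.

# 1. Permanent WMI event subscriptions: filters, consumers, and the bindings that join them.
$ns = 'root\subscription'
"== WMI event filters =="
Get-CimInstance -Namespace $ns -ClassName __EventFilter | Format-Table Name, Query -AutoSize -Wrap
"== WMI command-line consumers =="
Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer | Format-Table Name, CommandLineTemplate -AutoSize -Wrap
"== WMI script consumers =="
Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer | Format-Table Name, ScriptingEngine, ScriptText -AutoSize -Wrap
"== WMI filter-to-consumer bindings =="
Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding | Format-Table Filter, Consumer -AutoSize -Wrap

# 2. Defender exclusions; an exclusion on a writable staging directory is the warning sign the report describes.
$pref = Get-MpPreference
$exclPaths = @($pref.ExclusionPath) | Where-Object { $_ }
"== Defender exclusions =="
[pscustomobject]@{
    ExclusionPath      = $exclPaths -join '; '
    ExclusionProcess   = @($pref.ExclusionProcess) -join '; '
    ExclusionExtension = @($pref.ExclusionExtension) -join '; '
} | Format-List

# 3. Scheduled tasks: flag actions that launch PowerShell, pass an encoded command,
#    or run a binary/script located under a Defender-excluded path.
$suspect = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }      # COM-handler actions carry no Execute
        $cmd = "$($action.Execute) $($action.Arguments)"
        $inExcluded = @($exclPaths | Where-Object { $cmd -like "*$_*" })
        $reasons = @()
        if ($cmd -match '(?i)powershell|pwsh')                   { $reasons += 'launches PowerShell' }
        if ($cmd -match '(?i)\s-e(c|nc|ncodedcommand)?\s')       { $reasons += 'encoded command' }
        if ($inExcluded.Count -gt 0) { $reasons += "runs from excluded path: $($inExcluded -join ', ')" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Author  = $task.Author
                Command = $cmd
                Reason  = $reasons -join '; '
            }
        }
    }
}
"== Scheduled tasks worth reviewing =="
$suspect | Format-Table -AutoSize -Wrap
```

Any task that both launches PowerShell and runs from an excluded directory matches the pattern described in the report and deserves a look at its creation time and the signer of whatever it executes.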
Read at SecurityWeek