enSilo: The DealPly adware is evolving, the malware abuses Microsoft and McAfee reputation services to remain under the radar
DealPly adware is evolving: researchers at enSilo have discovered a new variant that abuses Microsoft and McAfee reputation services to stay under the radar. By consulting these services, the operators prolong the lifespan of the adware's installers and components, since a change is required only once a sample is known to be blacklisted. Such techniques are not relevant solely to adware and may be adopted by malware authors as well. One of the most common infection vectors used by the operators is luring users into downloading legitimate software installers bundled with the adware through websites that offer free software downloads. When executed, the bundled installer silently runs the malicious code as part of the installation process; the adware then copies itself to the user's %AppData% directory and establishes persistence.
How the malicious code works
According to the researchers, DealPly is divided into modules that work together to achieve its goal. While each module is responsible for a different role, all share a similar structure and some common functions, such as string decryption routines. The purpose is to avoid detection and reduce the malware's footprint by deploying only the components needed for the specific target. DealPly is executed by the Task Scheduler every hour. Each time the task is invoked, DealPly contacts the C&C server at cwnpu.com and sends an encrypted request over HTTP. The request carries indicators used to detect whether the running host is a virtual machine, together with other host-fingerprinting details such as the sleep-button and battery state and the MAC address.
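A defender-side check for the behaviour described above, added here as an example and not part of enSilo's report or of the adware's own code: it flags scheduled tasks that run an executable from %AppData% on an hourly (or shorter) repeat, and proxy log lines whose host matches the cwnpu.com C&C domain named above. The task rows are a constructed subset of the columns that `schtasks /query /v /fo csv` emits, the proxy log format is a constructed one, and every path, user name and timestamp in the samples is made up for the example.

```python
import csv
import io
import re
from urllib.parse import urlsplit

# Constructed sample: rows shaped like a trimmed `schtasks /query /v /fo csv` export.
# Only the columns this script reads are kept; paths and users are invented.
# The second row mimics the DealPly persistence described in the article: an
# executable under %AppData% (Roaming) triggered every hour.
SAMPLE_TASKS_CSV = """\
"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Weekly","N/A","SYSTEM"
"\\UpdaterTask","C:\\Users\\alice\\AppData\\Roaming\\svc\\updater.exe","Daily","1 Hour(s), 0 Minute(s)","alice"
"\\OneDrive Standalone Update","C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","Daily","N/A","alice"
"""

# Action paths under either AppData branch; DealPly itself uses %AppData% (Roaming).
APPDATA_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# "Repeat: Every" is rendered as e.g. "1 Hour(s), 0 Minute(s)" or "N/A".
REPEAT_RE = re.compile(r"(\d+) Hour\(s\), (\d+) Minute\(s\)")


def repeat_minutes(field):
    """Parse a 'Repeat: Every' value into minutes; None when there is no repeat."""
    m = REPEAT_RE.search(field or "")
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def suspicious_tasks(csv_text, max_interval_min=60):
    """Return (task name, action, interval) for tasks that run a binary from
    AppData at an interval of max_interval_min minutes or less."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        interval = repeat_minutes(row.get("Repeat: Every", ""))
        if APPDATA_RE.search(action) and interval is not None and interval <= max_interval_min:
            hits.append((row["TaskName"], action, interval))
    return hits


# C&C domain taken from the article; the watchlist is the only report-derived value here.
C2_DOMAINS = {"cwnpu.com"}

# Constructed proxy log format: date time src method url status. Lines are made up.
SAMPLE_PROXY_LOG = """\
2019-07-02 10:00:01 10.0.0.5 GET http://cwnpu.com/ 200
2019-07-02 10:00:02 10.0.0.5 GET https://www.microsoft.com/ 200
2019-07-02 11:00:01 10.0.0.5 POST http://cwnpu.com/ 200
2019-07-02 11:00:05 10.0.0.9 GET https://sub.cwnpu.com/x 404
"""
PROXY_RE = re.compile(
    r"^\S+ \S+ (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$"
)


def c2_contacts(log_text, domains=C2_DOMAINS):
    """Return (source IP, host) for requests whose host is a watchlisted domain
    or a subdomain of one. Lines that do not match the format are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        host = (urlsplit(m.group("url")).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((m.group("src"), host))
    return hits


if __name__ == "__main__":
    for name, action, interval in suspicious_tasks(SAMPLE_TASKS_CSV):
        print(f"task {name!r} runs {action!r} every {interval} min from AppData")
    for src, host in c2_contacts(SAMPLE_PROXY_LOG):
        print(f"{src} contacted C&C host {host}")
```

The hourly repeat is the detail worth keying on: an hourly beacon from a user-writable directory is unusual for legitimate updaters, which mostly run daily, so the interval filter keeps the AppData check from drowning in OneDrive-style false positives. On a real host, replace the constructed CSV with the output of `schtasks /query /v /fo csv` and the log with your proxy or DNS export.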
The researchers: it is only a matter of time before advanced malware operations follow the trend
Furthermore, by constantly querying reputation services, the operators are able to automatically assess the AV detection rate of their samples and generate new ones when needed. According to enSilo, this allows DealPly to stay ahead of security solutions. The technique was first observed while analyzing the adware, but the researchers believe it is only a matter of time before advanced malware operations follow the trend.