Advanced Persistent Adware: IsErik

August 18, 2021 · frtg · 2 min read

This advisory is the result of analysis conducted by threat-intelligence analysts following the identification of a security anomaly during delivery of Managed Detection and Response (MDR) services.

Specifically, the anomaly detected is associated with a particularly invasive and persistent adware-type software: ADWARE IsErIk.

This threat, categorized as Advanced Persistent Adware, is frequently disguised as “portable” versions of commercial products or as license key generators (keygen) for commercial applications. In certain cases the software requests user permission to install additional software, causing command execution on the target machine.

System infection occurs through creation of a scheduled task designed to execute Javascript code via WScript. During incident response operations, the task name was identified as \Secured Yahoo Powered nalel, used for execution of the command:

C:\Windows\system32\wscript.exe "C:\ProgramData\{38E1FD82-B2A3-7744-3465-XXXXXXX}\tano.txt" "687474XXXXXXX636f6d" "433a5c50XXXXX237363243387d5c726572656669" "433a5c50726XXXXXXXX237363243387d5c7269646f746f64" "//B" "//E:jscript" "--IsErIk"`,

which, after verifying the presence of the --IsErIk parameter, decodes the remaining parameters and connects to the command-and-control server (in this case the URL hxxps://ddukmql[.]com) and performs POST requests, whose responses consist of additional Javascript code to be executed on the compromised system.

Indicators of Compromise

SHA256

2b89075ad9485d72bcf6548afaee7ba8d4fa0f77e874d62efd70c9c311dc406d (C:\ProgramData{38E1FD82-B2A3-7744-3465-E906AE2762C8}\tano.txt)

File Path

C:\ProgramData{38E1FD82-B2A3-7744-3465-E906AE2762C8}\tano.txt
C:\ProgramData{89F74C94-03B5-C652-8573-58101F31D3DE}\tofi.txt
C:\ProgramData{F4723111-7E30-BBD7-F8F6-259562B4AE5B}\rari.txt
C:\ProgramData{595E9C3D-D31C-16FB-55DA-88B9CF980377}\fala.txt
C:\ProgramData{19B7DCD4-93F5-5612-1533-C8508F71439E}\faso
C:\ProgramData{F3BF36DC-79FD-BC1A-FF3B-22586579A996}\doro

Domains

ddukmql[.]com
katunaq[.]com
tdfpa[.]com
qajolos[.]com
butapujo[.]com
rududulu[.]com

Cookie	Duration	Description
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.

Indicators of Compromise

SHA256

File Path

Domains

Cookie & Privacy