A NodeJS Webkit application that executes in its own browser, AdSearch exploded onto the scene in 2022, rising from obscurity to the summer’s most prevalent threat.Pairs with this song
It can be heartbreaking when you click on an online ad for a miracle product and end up with malware instead. That tummy-flattening tea is in fact too good to be true.
In early January 2022, multiple threat researchers began tweeting about a new threat, dubbed ChromeLoader, being delivered by malvertising links that delivered a malware dropper within an ISO image. Within the ISO, the ChromeLoader payload consisted of a .NET assembly, often named
CS_installer.exe, which in turn decoded and executed an obfuscated PowerShell script stored within a TXT file, also found within the ISO. This PowerShell script then downloaded a ZIP file containing a malicious browser extension and would launch, or kill and re-launch, the browser with this extension running. The browser extension contained two functions—one to open custom ad content in new browser tabs and another to intercept search engine queries and send the user’s query contents to the ChromeLoader C2 server. Red Canary began tracking and detecting ChromeLoader via a variety of detection analytics, mostly related to PowerShell.
By the end of January 2022, references to a
Tone.exe virus began popping up on internet forums and software identification sites. Similarly delivered via malvertising links serving an ISO image, Red Canary began observing an increasing volume of this activity in March. While the initial access was the same as ChromeLoader, the payload within the ISO image and subsequent behavior followed a different pattern.
In contrast to the .NET EXE and PowerShell TXT file in ChromeLoader, these ISO images contained LNK, BAT, and ZIP files. When the user clicked on the link (often masquerading as
install.lnk), the BAT script would execute a
tar.exe command to extract an EXE from the ZIP archive, as well as establish persistence for the extracted binary via a
reg.exe command. The extracted binary, typically named
Tone.exe in early versions, was a NodeJS Webkit application containing an instance of the Chromium browser. Executed via run key persistence, this process kept running in the background, making multiple network connections and offering no avenue for user interaction. As this behavior was significantly different than the PowerShell activity we observed with ChromeLoader, we began tracking this payload as AdSearch, adopting the predominant name returned in VirusTotal alerts.
While AdSearch’s LNK/BAT/ZIP behavior remained consistent throughout the year, the filenames varied over time.
Tone.exe was quickly joined by
Energy.exe, and other common words uncommonly seen as process names. This blog from VMware shows a timeline of the filename variations as of September. VMware’s report, as well as Unit42’s July report on ChromeLoader both suggest that AdSearch binaries may eventually lead to ChromeLoader PowerShell activity to install the aforementioned malicious browser extension.
While Red Canary continued to observe the ChromeLoader PowerShell behavior via the ISO initial access and PowerShell persistence throughout most of 2022, we have yet to observe any ChromeLoader behavior stemming from an AdSearch binary. Additionally, VMware’s report also noted additional payloads, including ZipBombs and Enigma ransomware, observed being delivered via the same malvertising ISO images that delivered ChromeLoader and AdSearch. While Red Canary has not observed any payloads other than ChromeLoader or AdSearch within the ISO files delivered in these ISO malvertising campaigns, VMware’s findings further support our decision to track AdSearch separately from ChromeLoader. Whether ChromeLoader and AdSearch are in fact different components of one adversary’s larger toolset or simply two distinct payloads being delivered by a common malvertising affiliate, these threats made a sizable impact on the threat landscape in 2022.
Most users do not have a need to interact with ISO disk images on a regular basis. As such, one option to slow the spread of AdSearch and ChromeLoader is to use a Group Policy Object to associate files with the
.iso extension with an application like
notepad.exe. This will prevent the ISO from mounting when double-clicked.
One reliable method we used to detect AdSearch came from scrutinizing new persistence mechanisms. While many legitimate applications leverage the
CurrentVersion\Run key for persistence, it is relatively uncommon for this persistence to be enabled by running
reg.exe to modify the registry key. This detection analytic may at first be noisy in some environments, but we have had success tuning out the noise to yield sufficiently lucrative logic with more needles than hay in the stack.
command_includes ('reg add') && command_includes ('currentversion\run')
More recently, we have observed AdSearch leveraging a script to write a link to the executable in the Windows Startup folder for persistence. Similar to the detection analytic above, this opportunity may require some tuning, but scrutinizing scripts that are establishing persistence in your environment can prove fruitful for finding a variety of threats.
process == ('cscript') && filemod_includes ('start menu\programs\startup') && command_includes ('appdata' || 'programdata' || 'temp')
Atomic Red Team includes a long list of tests for T1112: Modify Registry, including one that modifies the registry for the currently logged-in user by leveraging
reg.exe commands in the command shell. While the test comes close to emulating the first detection opportunity above, testers will need to modify the test to include the
As for the second detection opportunity, atomic test #4 for T1547.001: Registry Run Keys / Startup Folder puts a VBS file in the startup folder for persistence. While the ultimate purpose of the test is different, it should stimulate all of the components of the above detection opportunity.