October 16, 2015

TV series fans are often interested in news about their favorite characters and actors. Cybercriminals distributing malicious programs sometimes use this interest for their own purposes. Doctor Web security researchers have found Trojan that, among others, targets fans of one of the popular Russian series. This malicious program disguises itself as an anti-virus utility created by a well-known developer.

Trojan named Trojan.BPLug.1041 was found in the Google search results leading to the hacked webpage of a Russian TV Channel. The page is dedicated to a popular Russian series. Later it was found out that some other Internet resources also were discredited. These Internet resources were also connected with TV shows. If a user goes to the infected website from another domain and meets certain conditions (running Windows OS 32-bit or OS X with Intel architecture and any browser except Opera), malicious script opens a cybercriminal page at the tab from which a user gets to the website. A special handler incorporated into this webpage code does not allow to close this tab. If a user presses a key or clicks a mouse, the handler shows him an annoying window at the screen offering to install a browser extension. In addition, cybercriminals distribute this extension as an utility, supposedly created by a well-known anti-virus software developer.

During installation, this plug-in requires a list of particular permissions. After installation, it is shown in the list of Chrome installed extensions under the name of “Щит безопасности KIS” (KIS Security Guard).

Plug-in detected by Dr.Web Anti-virus as Trojan.BPLug.1041 contains two obfuscated JavaScript files. The main purpose of the Trojan is to inject arbitrary content into web pages loaded by a user. At all websites, the malicious program blocks showing third-party advertisement from all domains, except those that are listed in the configuration.

Separate function is responsible for showing advertisement. With the help of this function the Trojan analyzes the content of a webpage opened by a user. If its context includes sexual content, Trojan.BPLug.1041 loads advertisement of the corresponding subject from two separate networks. This extension also contains the list of websites where the Trojan does not show advertisement, among such websites are fsb.ru, gov.ru, government.ru, mos.ru, gosuslugi.ru and some other. Trojan.BPLug.1041 sends user ID and data about other Chrome extensions installed at the infected computer to the cybercriminal server. During sending data, server may specify the Trojan which extensions should be disabled.

If a user makes a log in to the “Odnoklassniki” social network, Trojan.BPLug.1041 tries to provide a certain application with the access to the API of this social network under the user name by means of the authorization by OAuth protocol. During this process, privileges are required to change the status, view, edit, and upload photos; viewing and sending messages under the user name and some others. One can assume that this feature is used by cybercriminals for various advertisement purposes, for example, for promoting groups, sending spam messages or affecting some polls.

It should be mentioned that there are three extensions under the name “Щит безопасности KIS” in Chrome extension online store. All these extensions are created by one and the same author, however two of them do not function in a proper way. The total installation number of these three plug-ins equals to 30 thousand.

Doctor Web security researchers warn users not to download and install suspicious extensions received from untrusted sources. If you cannot close a tab, appeared in your browser, you can open Task Manager available in Google Chrome menu and kill the corresponding browser process. The Trojan.BPLug.1041 signature is added to Dr.Web virus database, and the websites where this Trojan has been distributed are added to the list of the websites not recommended for visiting. The administration of the hacked websites has been timely warned about the incident.