Adware PBot upgrade to install cryptocurrency miner

Anton V. Ivanov, a security researcher from Kaspersky Lab, said in a blog post published on Tuesday that they discovered the first version of the PBot (PythonBot) malicious adware more than a year ago. It was named because its core module writes in Python.

Since then, all versions that have appeared one after another have been procedurally modified to some degree, and one version seems to have gone beyond the scope of advertising software because it will install a crypto-money miner on the infected computer.

Ivanov pointed out that the other PBot versions they detected were limited to playing advertisements that were not expected to see on the web pages visited by the victims. Also, they initially tried to inject a malicious DLL into the browser. The difference is that the first version displays advertisements on web pages by running JS scripts, while the second version does not do so, it chose to install ad extensions in the browser.

The developers of PBot are more interested in the latter, they are continually making changes based on it, to release new variants, and confusing each option. Another unique feature of the second version of the Pbot modification is that it provides a module that can be used to update scripts and download new browser extensions.

In April of this year, researchers at Kaspersky Lab noted that there were more than 50,000 attempts to install PBot on the computers of their product users. And this number is still increasing, indicating that this adware is even being distributed. Among them, the most severely affected are Russia, Ukraine and Kazakhstan.

As malicious adware, the purpose of PBot is to redirect users to their sponsors’ websites by displaying advertisements, thereby bringing benefits to their developers. This is a relatively old way of making money, and it needs to survive from the browser vendor’s continuously improving ad-blocking technology.

Also, the developers of PBot also seem to be not very satisfied with the existing revenue. The rush of cryptocurrency has indeed attracted enough attention, not just investors but also cybercriminals. The crypto-money miners mentioned above have been proven to be able to mine Bitcoin and Litecoin. No surprise, PBot developers seem to want to take place in the industry of cryptocurrency mining.

In the end, it is worth proposing that no matter what version of PBot, it aims at running Windows computers. Given the popularity of Windows, we recommend that computer users should maintain good habits of using anti-virus products to avoid such malicious software.

Source, Image: securelist