The main feature of the DealPly adware is to install browser extensions that display advertisements in the victim’s browser.
“Besides of modular code, machine fingerprinting, VM detection techniques and robust C&C infrastructure, the most intriguing discovery was the way DealPly abuses Microsoft and McAfee reputation services to remain under the radar. Microsoft SmartScreen and McAfee WebAdvisor provide threat intelligence verdicts on files and URLs and are free to use. ”
This new variant abuses Microsoft and McAfee reputation services
To avoid being blacklisted by Microsoft while querying the SmartScreen reputation service,
Upon initial execution, the SmartScreen module implemented by the adware will automatically deliver an empty request to the C2 server that in turn will reply with an XML formatted message containing information such as hashes/urls to be queried using the SmartScreen.
The SmartScreen reputation server appends an Authorization header that is used to prevent unwanted alterations of the requests.
The response sent by the SmartScreen includes a string describing the checked URL. The
• UNKN – Unknown URL/File
• MLWR- Malware related URL/File
• PHSH – Phishing related URL/File
Experts highlighted the fact that the SmartScreen API is undocumented, this means that the author of the malware has spent a significant effort in reverse engineering the inner workings of the SmartScreen mechanism\feature.
Experts noticed that the
As anticipated, the adware also abuses McAfee’s WebAdvisor reputation service.
DealPly will send a request to the WebAdvisor service via the https://webadvisorc.rest.gti.mcafee.com/1 URL and will get data from the response.
“In this blog we present an innovative technique adopted by DealPly operators to automate the evasion from AV products
“This technique was initially observed when analyzing DealPly adware, yet we believe that it is only a matter of time before advanced malware operations will follow the trend.”