
Signed software abused to deploy antivirus-killing scripts

Why This Matters

This incident highlights how digitally signed software, often trusted by security systems, can be exploited to deploy malicious payloads that disable antivirus protections on critical systems. It underscores the importance of scrutinizing even signed software and maintaining robust security measures across sectors like healthcare, government, and education. For consumers and organizations alike, it emphasizes the ongoing need for vigilance against sophisticated supply chain and software abuse tactics in the tech industry.

Key Takeaways

A digitally signed adware tool has deployed payloads running with SYSTEM privileges that disabled antivirus protections on thousands of endpoints, some in the educational, utilities, government, and healthcare sectors.

In a single day, researchers observed more than 23,500 infected hosts in 124 countries trying to connect to the operator's infrastructure, with hundreds of infected endpoints present in high-value networks.

More than just adware

Security researchers at managed security company Huntress discovered the campaign on March 22, when signed executables viewed as potentially unwanted programs (PUPs) triggered alerts in multiple managed environments.

PUPs, or adware, are regarded more as a nuisance than malicious, as their role is typically to generate revenue for the developer by showing advertisement pop-ups, banners, or through browser redirects.

Huntress researchers say that the software was signed by a company called Dragon Boss Solutions LLC, involved in "search monetization research" activity and promoting various tools (e.g., Chromstera Browser, Chromnius, WorldWideWeb, Web Genius, Artificius Browser) labeled as browsers but detected as PUPs by multiple security solutions.

Figure: The Chromnius tool website (Source: Huntress)

Beyond annoying users with ads and redirects, Huntress researchers say the browsers from Dragon Boss Solutions also feature an advanced update mechanism that deploys an antivirus killer.

Deactivating security
