McAfee Labs

Brazilian PUP Campaign MegaRapido Shows Unwanted Behavior

Aug 22, 2014

Some applications go too far in their attempts to get installed on users' systems. Many of these fall into the potentially unwanted program (PUP) category. One of these is MegaRapido, which primarily targets Brazilians. A recent sample we tested tries to connect to protectmedia.net, which is already marked as suspicious by McAfee SiteAdvisor. Instead of referencing that URL directly, this PUP uses the goo.gl redirection service to obscure its aim.


Lately we have observed many other examples of suspicious software using goo.gl redirects to hide their tracks. By using goo.gl, PUPs and other malware try to evade static string-based URL checks by security vendors. On execution, a window appears asking the user to install DealPly add-ons.
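A static string check that only knows the shortener host learns nothing about where the user really ends up, so a triage step has to expand the redirect and apply the reputation check to every hop. The following Python script is an added example written for this post, not McAfee's own tooling: it pulls URLs out of a constructed byte blob standing in for a strings dump, expands any link on a known shortener hop by hop (bounded and loop-safe), and flags the chain if any hop lands on a host in a small stand-in reputation list. The goo.gl path, the sample blob, the shortener list and the `fake_resolver` map are all constructed for the example; `protectmedia.net` is the host named in the post. The `http_redirect_target` function is a live resolver (one HEAD request per hop, no automatic redirect following) that you can pass to `triage` instead of the offline stub.

```python
import re
from typing import Callable, Dict, List, Optional
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Hosts of public link shorteners (assumed list): a URL on one of these tells a
# string-based scanner nothing about the real destination.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "tinyurl.com", "t.co", "ow.ly"}

# Stand-in for a site-reputation feed. Only protectmedia.net comes from the post;
# a real deployment would consult a reputation service here.
SUSPICIOUS_HOSTS = {"protectmedia.net"}

URL_RE = re.compile(rb"https?://[A-Za-z0-9./?=&_%+#:-]+")

# Constructed sample resembling a strings dump of a PUP binary. The goo.gl path
# is a placeholder, not the short link from the real sample.
SAMPLE_STRINGS = (
    b"\x00\x00Avan\xe7ar\x00https://goo.gl/PLACEHOLDER1\x00"
    b"http://example.com/eula\x00\x90\x90MegaRapido\x00"
)


def extract_urls(blob: bytes) -> List[str]:
    """Pull http(s) URLs out of raw binary content."""
    return [m.decode("ascii", "replace") for m in URL_RE.findall(blob)]


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib at the first 3xx so every hop is recorded explicitly."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_redirect_target(url: str, timeout: float = 5.0) -> Optional[str]:
    """Live resolver: one HEAD request; returns the Location target or None."""
    opener = build_opener(_NoRedirect)
    req = Request(url, method="HEAD", headers={"User-Agent": "url-triage/1.0"})
    try:
        with opener.open(req, timeout=timeout):
            return None  # 2xx: this is the final page
    except HTTPError as err:
        if 300 <= err.code < 400 and err.headers.get("Location"):
            return urljoin(url, err.headers["Location"])
        return None
    except OSError:
        return None


def expand(url: str, resolver: Callable[[str], Optional[str]],
           max_hops: int = 5) -> List[str]:
    """Follow redirects hop by hop; bounded and safe against redirect loops."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if not nxt or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def triage(blob: bytes,
           resolver: Callable[[str], Optional[str]]) -> List[Dict[str, object]]:
    """Extract URLs, expand shortened ones, and check every hop's host."""
    results = []
    for url in extract_urls(blob):
        shortened = host_of(url) in SHORTENER_HOSTS
        chain = expand(url, resolver) if shortened else [url]
        if any(host_of(u) in SUSPICIOUS_HOSTS for u in chain):
            verdict = "suspicious"
        elif shortened and len(chain) == 1:
            verdict = "unresolved-shortener"  # could not see past the shortener
        else:
            verdict = "no-match"
        results.append({"url": url, "chain": chain, "verdict": verdict})
    return results


# Offline resolver for the constructed sample, so the script runs without network.
FAKE_RESOLVER_MAP = {"https://goo.gl/PLACEHOLDER1": "http://protectmedia.net/landing"}


def fake_resolver(url: str) -> Optional[str]:
    return FAKE_RESOLVER_MAP.get(url)


if __name__ == "__main__":
    for r in triage(SAMPLE_STRINGS, fake_resolver):
        print(r["verdict"], " -> ".join(r["chain"]))
```

The "unresolved-shortener" verdict matters as much as "suspicious": a shortened link that cannot be expanded (expired, rate-limited, or a resolver error) should still be surfaced for review rather than silently passing as clean.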


The only button provided is “Avançar” (Yes/I agree). Users have no option to decline this offer, abort the installation, or even minimize this window unless they click “Avançar.” This “forceful acceptance grant” is a borderline ransomware activity, which makes this software fall into the PUP category. After accepting the terms, users are asked to give contact details; only phone numbers from Brazil are deemed valid. However, even after a valid Brazilian number is provided, an error message says that sending an SMS to that number has failed.


Not stopping there, the latest variants also embed hardcoded routines that attempt to uninstall certain security products to evade detection.


We found other redirect strings hidden in the binary; one logged us directly into their web-tracking account.

The following stats are taken from the Extreme web-tracking account of the PUP author.


From that account a lot of intelligence can be inferred. For example, we can see the number of hits for this URL: more than 700,000 per month.

Next we see the top three culprits that lead users to the adware page. All of these are marked as suspicious by McAfee SiteAdvisor.


We can see that this particular adware concentrates on Brazil, with more than 12 million hits.


And that 99.9% of the users who landed on this adware page were using Internet Explorer.


McAfee detects these variants as MegaRapido and Midia. Based on hit count, these applications are very prevalent in the wild, and although not technically “malware” they can still annoy users. Keep your antimalware solution and website reputation add-on up to date to avoid being trapped by these PUPs.
