PBot adware spams ads & installs cryptominer on Windows PCs

IT security researchers at Kaspersky have discovered adware written in Python that targets Windows-based computers.

Dubbed PBot (PythonBot) by researchers, the adware not only spams an infected computer with advertisements but also installs a cryptocurrency miner and ad extensions in the browser. This means PBot is much more than typical adware.

The adware was originally discovered over a year ago; however, according to a Kaspersky researcher, it has made a comeback with additional capabilities, and in April alone the company observed 50,000 attempts to install it on computers.

The number of attempts is increasing and the most impacted users are from Kazakhstan, Latvia, Ukraine, and Russia.

“Developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation,” wrote Kaspersky’s Anton V. Ivanov in a blog post. “Another distinctive feature of this Pbot variation is the presence of a module that updates scripts and downloads fresh browser extensions.”

The browser extension is used to spam banners on pages visited by the victim, which redirect them to advertising sites to generate revenue, all while the cryptominer uses the system's computing power (CPU) to generate cryptocurrency.

A pop-up window with an ad clip on Kaspersky’s website (Image credit: Kaspersky)

Currently, PBot is being distributed through malicious partner sites that redirect visitors to sponsored links. Once there, clicking anywhere on the page opens a new browser window with a link to the PBot download page. Clicking that link delivers an “.hta” file which, once clicked, installs PBot on the computer.

“In pursuit of profit, adware owners often resort to installing their products on the sly, and PBot developers are no exception. They release new versions (and update them on user computers), complicating their obfuscation to bypass protection systems,” Ivanov concluded.

For more technical details visit Kaspersky’s blog post.

PBot is the third piece of malware caught targeting Windows-based computers in the past few days. A couple of days ago, MyloBot malware was found adding computers to a botnet of compromised IoT (Internet of Things) devices to carry out DDoS, malware and ransomware attacks.

On June 18th, Zacinlo adware was caught infecting Windows 10, Windows 7 and Windows 8 PCs. Like PBot, Zacinlo is also capable of multitasking, including spamming devices with ads, stealing user data and spying on victims by taking screenshots of their online activities.

If you are a Windows user, watch out for PBot and refrain from visiting unknown sites or clicking links sent by unknown senders. Moreover, keep your computer updated and run a full-system scan.
