• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

 | 

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Malware
  • Security
  • How Coremex malware monetizes search engine Hijacking

How Coremex malware monetizes search engine Hijacking

Pierluigi Paganini April 02, 2014

F-Secure has identified a malware dubbed Coremex that takes advantage of plugin functionality provided by browsers to hijack search engine results.

Search engine are a strategic component in the successful execution of any attacks, we saw in the past Black SEO campaigns conducted with the primary intent to provide results that help the attackers to spread the malicious agents.

The security community in the past has detected numerous malware that was specifically designed to target search engine results, many of them work as browser extensions and are able to modify realtime the results. Recently security experts at F-Secure has detected a new family of malware, named Coremex, which exploits plugin functionality provided by common browsers to hijack the results proposed by principal search engine.

The Coremex malware uses a single NullsoftInstaller executable file which performs the dual function dropper and downloader that was used by attackers also to collect basic information (e.g. username, computer name, processor, memory) from the infected machine. The experts discovered within the source code of Coremex the IP address of the C&C server (178.86.17.32), the information gathered by the malicious agent is encrypted with RC4 with a key of “2AJQ8NA4” and the final result will be encoded with Base64.

The authors of the Coremex have also implemented anti-sandbox features to prevent the execution of the malware in virtual environment to study its composition and behavior.

“There are some anti-sandbox features implemented by Coremex that prevents it from downloading the main payloads, such as the browser extension scripts, from the C&C server. These features consist of checking blacklisted process names and looking for well-known sandbox fingerprints such as a “VMware” string on the infected machine by using Windows Management Instrumentation (WMI).”

The expert at F-Secure noted that the malware once in execution download additional payloads from the multiple C&C servers:

•  178.250.245.198
•  174.127.82.213
•  192.154.94.253

Once the malicious payload is installed, the Coremex browser extension will reside in the browser process, the malware uses highly obfuscated JavaScript making hard its analysis. JavaScript code is used to register a couple of events using the API provided by the browser, the first one to contact fake search engines, the second one to parse the URL victims visit.

Coremex used to hijack victims to the following bogus search engine websites:

•  onlinetrack.org
•  zvtracker.com

The callback function triggered by the second listener analyzes search queries entered by the victims using the following search engines:

•  Google
•  Bing
•  Yahoo
•  ASK
•  AOL
•  AVG
•  MyWebSearch
•  Search-Results
•  Comcast
•  Delta-Search

The malware analyzes the requests made by victims and uses a JSON structure to compose the query that it encrypts with RC4 algorithm with key “http”, encoding the results with Base64. The Base64 encoded string will be sent to a search engine platform managed by attackers:

esearchpage.com/s?q=<RC4_Base64_Encoded_search_query>
esearchpage.org/s?q=<RC4_Base64_Encoded_search_query>

The platform responds with an encrypted JSON structure containing the destination websites that will determine where a webpage that has ads-like URL will be redirected to.

The decrypted JSON object might look like:

Coremex JSON object

 

The following screenshot shows Coremex script in action when an ad’s URL is clicked by the victim, which leads to the ad’s page being hijacked and redirected to author’s intended destination website.

Coremex hijack search engine results

The attacker also used IFRAME injection to the hijacked ad’s page, the intent of malware authors was to take advantage of popular online advertising services.

Pierluigi Paganini

(Security Affairs –  search engine, malware)


facebook linkedin twitter

Black hat search-engine Coremex Cybercrime exploit Google Hacking malware search engine SEO

you might also like

Pierluigi Paganini July 26, 2025
Law enforcement operations seized BlackSuit ransomware gang’s darknet sites
Read more
Pierluigi Paganini July 26, 2025
Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Law enforcement operations seized BlackSuit ransomware gang’s darknet sites

    Cyber Crime / July 26, 2025

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

    Security / July 25, 2025

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT