How Coremex malware monetizes search engine Hijacking

F-Secure has identified a malware dubbed Coremex that takes advantage of plugin functionality provided by browsers to hijack search engine results.

Search engine are a strategic component in the successful execution of any attacks, we saw in the past Black SEO campaigns conducted with the primary intent to provide results that help the attackers to spread the malicious agents.

The security community in the past has detected numerous malware that was specifically designed to target search engine results, many of them work as browser extensions and are able to modify realtime the results. Recently security experts at F-Secure has detected a new family of malware, named Coremex, which exploits plugin functionality provided by common browsers to hijack the results proposed by principal search engine.

The Coremex malware uses a single NullsoftInstaller executable file which performs the dual function dropper and downloader that was used by attackers also to collect basic information (e.g. username, computer name, processor, memory) from the infected machine. The experts discovered within the source code of Coremex the IP address of the C&C server (178.86.17.32), the information gathered by the malicious agent is encrypted with RC4 with a key of “2AJQ8NA4” and the final result will be encoded with Base64.

The authors of the Coremex have also implemented anti-sandbox features to prevent the execution of the malware in virtual environment to study its composition and behavior.

“There are some anti-sandbox features implemented by Coremex that prevents it from downloading the main payloads, such as the browser extension scripts, from the C&C server. These features consist of checking blacklisted process names and looking for well-known sandbox fingerprints such as a “VMware” string on the infected machine by using Windows Management Instrumentation (WMI).”

The expert at F-Secure noted that the malware once in execution download additional payloads from the multiple C&C servers:

•  178.250.245.198
•  174.127.82.213
•  192.154.94.253

Once the malicious payload is installed, the Coremex browser extension will reside in the browser process, the malware uses highly obfuscated JavaScript making hard its analysis. JavaScript code is used to register a couple of events using the API provided by the browser, the first one to contact fake search engines, the second one to parse the URL victims visit.

Coremex used to hijack victims to the following bogus search engine websites:

•  onlinetrack.org
•  zvtracker.com

The callback function triggered by the second listener analyzes search queries entered by the victims using the following search engines:

•  Google
•  Bing
•  Yahoo
•  ASK
•  AOL
•  AVG
•  MyWebSearch
•  Search-Results
•  Comcast
•  Delta-Search

The malware analyzes the requests made by victims and uses a JSON structure to compose the query that it encrypts with RC4 algorithm with key “http”, encoding the results with Base64. The Base64 encoded string will be sent to a search engine platform managed by attackers:

esearchpage.com/s?q=<RC4_Base64_Encoded_search_query>
esearchpage.org/s?q=<RC4_Base64_Encoded_search_query>

The platform responds with an encrypted JSON structure containing the destination websites that will determine where a webpage that has ads-like URL will be redirected to.

The decrypted JSON object might look like:

 

The following screenshot shows Coremex script in action when an ad’s URL is clicked by the victim, which leads to the ad’s page being hijacked and redirected to author’s intended destination website.

The attacker also used IFRAME injection to the hijacked ad’s page, the intent of malware authors was to take advantage of popular online advertising services.

Pierluigi Paganini

(Security Affairs –  search engine, malware)