
McAfee Labs Threat Advisory -SearchSuite

June 22, 2018

McAfee Labs periodically publishes Threat Advisories to provide customers with a detailed analysis of prevalent . This Threat Advisory contains behavioral information, characteristics and symptoms that may be used to mitigate or discover this threat, and suggestions for mitigation in addition to the coverage provided by the DATs.

To receive a notification when a Threat Advisory is published by McAfee Labs, select to receive “Malware and Threat Reports” at the following URL: https://www.mcafee.com/enterprise/en-us/sns/preferences/sns-form.html

Summary

Detailed information about the threat, its propagation, characteristics and mitigation is in the following sections:

• Infection and Propagation Vectors
• Mitigation
• Characteristics and Symptoms
• Restart Mechanism
• McAfee Foundstone Services

The Threat Intelligence Library contains the date that the above signatures were most recently updated. Please review the above mentioned Threat Library for the most up to date coverage information.

Infection and Propagation Vectors

Adware-SearchSuite is a "potentially unwanted program" (PUP). PUPs are any piece of that a reasonably security- or privacy-minded computer user may want to be informed of and, in some cases, remove. PUPs are often made by a legitimate corporate entity for some beneficial purpose, but they alter the security state of the computer on which they are installed, or the privacy posture of the user of the system, such that most users will want to be aware of them.

Mitigation

The threat can be mitigated at multiple levels, such as file, registry and URL, at various layers of McAfee products. Browse the product guidelines available here (click Knowledge Center, and select Product Documentation from the Support Content list) to mitigate the threats based on the behavior described in the Characteristics and Symptoms section. Refer to the following KB articles to configure Access Protection rules in VirusScan Enterprise:

• How to create a user-defined Access Protection Rule from a VSE 8.x or ePO 5.x console
• How to use wildcards when creating exclusions in VirusScan Enterprise 8.x

If possible or allowed by company policies, enable access protection for all critical Windows features, such as denying changes to the CMD prompt and to critical Windows registry keys.

Besides that, always enable the protections for VSE's own files and registry keys, because this will protect the product from being infected or disabled.

HIPS

• To blacklist applications using a Host Intrusion Prevention custom signature, refer to KB71329.
• To create an application blocking rules policy to prevent the binary from running, refer to KB71794.
• To create an application blocking rules policy that prevents a specific executable from any other executable, refer to KB71794.

*** Disclaimer: Usage of *.* in an access protection rule would prevent all types of files from running and being accessed from that specific location. If specifying a process path under “Processes to Include”, the use of wildcards for Folder Names may lead to unexpected behavior. Users are requested to make this rule as specific as possible.

The basic mitigation method for these spread methods are the usual best practices in . By following them and training your users to follow them, the chance of getting infected by is lowered considerably:

• Do not download cracked or pirated applications, especially from P2P networks. They usually come with more than the original application, and there are several malware families that automatically share copies of themselves on common P2P networks with suggestive names like cracks for well-known applications.
• Avoid opening attachments in e-mails from untrusted sources. If your company allows, implement rules to block attachments with common executable extensions.
• Avoid opening links in e-mail and chat windows from untrusted sources, and double check them if they are sent by a trusted connection. Sometimes an infected machine may send links to all contacts found in the e-mail/chat application, which would appear to the destination as if coming from a trusted contact.
• Keep all your software up-to-date. That includes your , your office package, as well as your browser and any plugin you may be using. Disable any unnecessary plugins to avoid the extra attack surface.
• Keep your Antivirus definitions up-to-date.

Characteristics and Symptoms

Adware-SearchSuite is technically not a virus, but it does exhibit plenty of malicious traits, such as rootkit capabilities to hook deep into the operating system, browser hijacking, and in general just interfering with the user experience. The industry generally refers to it as a “PUP” or potentially unwanted program.

The Adware-SearchSuite infection is used to boost advertising revenue, as in the use of blackhat SEO, to inflate a site’s page ranking in search results.

Adware-SearchSuite could be bundled with freeware (for example, video recording/streaming software, download managers or PDF creators). This potentially unwanted program is also bundled within the custom installer on many download sites (examples: CNET, Brothersoft or Softonic).

Adware-SearchSuite is an ad-supported (users may see additional banner, search, pop-up, pop-under, interstitial and in-text link advertisements) cross plugin for (BHO) and /Chrome (plugin) and distributed through various monetization platforms during installation.

The browser extension includes various features that will modify the default or custom settings of the browser including the home page, search settings and in some cases will modify Internet Explorer’s load time threshold, place a lock file within Firefox to prevent competing software from changing its settings, as well as disable the browser’s Content Security Policy in order to allow for cross site scripting of the plugin.

Upon execution, Adware-SearchSuite tries to drop files into the following locations:

• C:\Program Files\Movies App\Datamngr\apcrtldr.dll
• C:\Program Files\Movies App\Datamngr\Datamngr.dll
• C:\Program Files\Movies App\Datamngr\DatamngrCoordinator.exe
• C:\Program Files\Movies App\Datamngr\DatamngrUI.exe
• C:\Program Files\Movies App\Datamngr\favicon.ico
• C:\Program Files\Movies App\Datamngr\Helper.dll
• C:\Program Files\Movies App\Datamngr\IEBHO.dll
• C:\Program Files\Movies App\Datamngr\Internet Explorer Settings.exe
• C:\Program Files\Movies App\Datamngr\mgrldr.dll
• C:\Program Files\Movies App\Datamngr\setmgrc2.cfg

We have observed two different folder structures so far.

• C:\Program Files\Movies App
• C:\Program Files\Setting Manager

It also runs services to protect its own files.

• HKLM\SYSTEM\CurrentControlSet\services\DatamngrCoordinator\ImagePath: "C:\Program Files\Movies App\Datamngr\DatamngrCoordinator.exe"
• HKLM\SYSTEM\CurrentControlSet\services\DatamngrCoordinator\DisplayName: "Datamngr Coordinator"
• HKLM\SYSTEM\CurrentControlSet\services\DatamngrCoordinator\ObjectName: "LocalSystem"
• HKLM\SYSTEM\CurrentControlSet\services\DatamngrCoordinator\Description: "Coordinates Datamngr modules functionality"

The following registry values have been added to the system.

• HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\: "Data Manager"
• HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\InprocServer32\: "C:\PROGRA~1\MOVIES~1\Datamngr\IEBHO.dll"
• HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\InprocServer32\ThreadingModel: "Apartment"
• HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\ProgID\: "SearchQUIEHelper.UrlHelper.1"
• HKLM\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}\VersionIndependentProgID\: "SearchQUIEHelper.UrlHelper"
• HKLM\SOFTWARE\Classes\CLSID\{c0caa5fe-7c9c-4dca-a265-63cf55379d1a}\: "Movies Search App (Dist. by Bandoo Media, Inc.)"
• HKLM\SOFTWARE\\Internet Explorer\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2406}\FaviconPath: "C:\Program Files\Movies App\Datamngr\favicon.ico"
• HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{c0caa5fe-7c9c-4dca-a265-63cf55379d1a}: "Movies Search App (Dist. by Bandoo Media, Inc.)"

Restart Mechanism

The following registry entries enable Adware-SearchSuite to execute every time Windows starts.

• HKLM\SYSTEM\CurrentControlSet\services\DatamngrCoordinator\ImagePath: "C:\Program Files\Movies App\Datamngr\DatamngrCoordinator.exe"
• HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\x86: "C:\Program Files\Movies App\Datamngr\apcrtldr.dll"
• HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls\x64: "c:\program files\movies app\datamngr\x64\apcrtldr.dll"
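A read-only PowerShell check for the folders, service, CLSID keys and AppCertDlls values listed in the Characteristics and Symptoms and Restart Mechanism sections. It is an example added here, not part of the McAfee advisory; the function name Get-SearchSuiteFindings is an assumption, and every path and key comes from the lists above.

```powershell
# Added example (not McAfee code): report which artifacts from this advisory
# exist on the local machine. Read-only; run from an elevated session.

# The two install folder structures the advisory reports.
$folders = 'C:\Program Files\Movies App', 'C:\Program Files\Setting Manager'

# Service key, BHO CLSID and toolbar CLSID from the advisory.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\services\DatamngrCoordinator',
    'HKLM:\SOFTWARE\Classes\CLSID\{A40DC6C5-79D0-4ca8-A185-8FF989AF1115}',
    'HKLM:\SOFTWARE\Classes\CLSID\{c0caa5fe-7c9c-4dca-a265-63cf55379d1a}'
)

# Hypothetical helper name; returns one string per finding.
function Get-SearchSuiteFindings {
    $findings = @()

    foreach ($f in $folders) {
        if (Test-Path -LiteralPath $f) { $findings += "Folder present: $f" }
    }

    foreach ($k in $keys) {
        if (Test-Path -LiteralPath $k) { $findings += "Registry key present: $k" }
    }

    # Each AppCertDlls value names a DLL, so list every value, not only the
    # Datamngr one; anything registered here deserves review.
    $acd = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
    if (Test-Path -LiteralPath $acd) {
        $key = Get-Item -LiteralPath $acd
        foreach ($name in $key.GetValueNames()) {
            $dll = $key.GetValue($name)
            $tag = if ($dll -like '*\Datamngr\*') { 'matches advisory' } else { 'review' }
            $findings += "AppCertDlls\$name = $dll ($tag)"
        }
    }

    return $findings
}

$results = Get-SearchSuiteFindings
if ($results) { $results } else { 'No artifacts from the advisory were found.' }
```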

Getting Help from the McAfee Foundstone Services team

This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities.

You can reach them here: https://www.mcafee.com/enterprise/en-us/services/foundstone-services.html

This Advisory is for the education and convenience of McAfee customers. We try to ensure the accuracy, relevance, and timeliness of the information and events described; they are subject to change without notice.

Copyright 2018 McAfee, Inc. All rights reserved.