The Python code-based PBot (PythonBot) adware family, much like its reptilian cousins, has continued to grow from when it was first spotted last year adding several new features, including a cryptocurrency miner.
PBot has traditionally been used to place adware on its victim’s devices, but one new member of the family instead installed cpuminer that can be used to generate bitcoin and litecoin, according to Kaspersky Labs. The miner was first spotted in September 2017.
Two other new versions of PBot found are still pushing adware. Each is usually distributed through a partner site where scripts are used to pusparth visitors to specific websites. A typical visit for a target is for he or she to arrive at such a site and once they click on any part of the page a new browser window pops up that links to an intermediate link. This then pushes the victim along to a PBot download page that injects and runs the adware.
“In this case, the partner program acts as an intermediary between the developers of this software and the owners of partner sites. The owners of partner sites rarely check what kind of software is installed on the user’s computer, and as practice shows, there are a lot of advertising applications among them,” said Anton Ivanov, Kaspersky Lab’s Unwanted Software Research Group.
At this stage, the victim will come across one of the two new versions of PBot. The first will attempt to place a malicious DLL into the browser using a JS script to display ads on web pages. The other installs ad extensions into the browser. One distinctive feature of this variant is the presence of a module that updates scripts and downloads fresh browser extensions. These normally just ad banner ads to the page that redirect the person to the advertising sites.
PBot is mainly being used against targets in Russia Ukraine, and Kazakhstan with Kaspersky noting 50,000 installation attempts worldwide in April alone. The attackers are not ignoring other nations. Almost every country has been hit to some extent.