The Magala adware trojan imitates user clicks in order to fraudulently earn marketing dollars from online businesses.

A click fraud trojan called Magala is hijacking Internet Explorer browsers and opening virtual desktops on infected machines in order to artificially inflate various web pages' click counts.

The trojan, which Kaspersky Lab researchers recently discovered and classified as potentially unwanted adware, doesn't cause any significant harm to infected users, but it does cheat companies that pay for legitimate online ad services and instead have their click stats boosted fraudulently by unscrupulous advertisers.

According to a Kaspersky Securelist blog post authored by malware analyst Sergey Yunakovsky, Magala determines which version of Internet Explorer is running on an infected machine. If the version is higher than IE 8, the trojan will initialize a virtual desktop in order to execute its operations, including setting up autorun, sending a report to a hardcoded URL and installing the primary payload.

The trojan then loads the toolbar for the MapsGalaxy browser hijacker program and alters the system registry so that MapsGalaxy becomes the default home page.

"Magala then contacts the remote server and requests a list of search queries for the click counts that need to be boosted," Kaspersky explains in its blog post. "Using this list, the program begins to send the requested search queries and click on each of the first 10 links in the search results, with an interval of 10 seconds between each click."
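A defender-side heuristic for the click cadence described above, added here as an example (not code from Kaspersky or from the article): it scans a constructed proxy-log format and flags any client whose search query is followed by a run of result clicks spaced at a near-constant interval of about 10 seconds. The log format, client addresses and result URLs are all constructed for the example.

```python
from datetime import datetime

# Constructed sample proxy log, not real traffic: "<timestamp> <client> <event> <detail>".
# 10.0.0.5 mimics the trojan: one query, then 10 result clicks exactly 10 s apart.
# 10.0.0.9 looks like a person: two clicks at irregular intervals.
SAMPLE_LOG = """\
2017-06-01T10:00:00 10.0.0.5 search cheap+flights
2017-06-01T10:00:10 10.0.0.5 click http://result1.example/
2017-06-01T10:00:20 10.0.0.5 click http://result2.example/
2017-06-01T10:00:30 10.0.0.5 click http://result3.example/
2017-06-01T10:00:40 10.0.0.5 click http://result4.example/
2017-06-01T10:00:50 10.0.0.5 click http://result5.example/
2017-06-01T10:01:00 10.0.0.5 click http://result6.example/
2017-06-01T10:01:10 10.0.0.5 click http://result7.example/
2017-06-01T10:01:20 10.0.0.5 click http://result8.example/
2017-06-01T10:01:30 10.0.0.5 click http://result9.example/
2017-06-01T10:01:40 10.0.0.5 click http://result10.example/
2017-06-01T10:00:03 10.0.0.9 search cheap+flights
2017-06-01T10:00:41 10.0.0.9 click http://result2.example/
2017-06-01T10:03:07 10.0.0.9 click http://result7.example/
"""

def parse_log(text):
    # Yield (timestamp, client, event, detail) tuples from the constructed format.
    for line in text.splitlines():
        ts, client, event, detail = line.split(" ", 3)
        yield datetime.fromisoformat(ts), client, event, detail

def detect_click_bursts(text, min_clicks=8, interval=10, tolerance=2):
    """Return [(client, query, click_count)] for each search session whose
    result clicks arrive at a machine-like cadence of ~interval seconds."""
    sessions = {}   # client -> (query, [click timestamps])
    flagged = []
    def close(client):
        query, clicks = sessions.pop(client, (None, []))
        gaps = [(b - a).total_seconds() for a, b in zip(clicks, clicks[1:])]
        regular = all(abs(g - interval) <= tolerance for g in gaps)
        if query and len(clicks) >= min_clicks and regular:
            flagged.append((client, query, len(clicks)))
    for ts, client, event, detail in sorted(parse_log(text)):
        if event == "search":
            close(client)              # a new query ends the previous session
            sessions[client] = (detail, [])
        elif event == "click" and client in sessions:
            sessions[client][1].append(ts)
    for client in list(sessions):      # evaluate sessions still open at end of log
        close(client)
    return flagged
```

Thresholds are assumptions to tune against real traffic; the 10-click, 10-second values come from the behaviour Kaspersky describes.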

From March through June 2017, Kaspersky detected the highest number of infections in Germany and the U.S. The company noted that typically in campaigns like this, the average cost per click is $0.07, with a cost per thousand ad impressions of $2.20. Such costs can add up quickly for companies if their advertisers employ large botnets to create thousands of fake impressions.

"There are two characteristic features to this malware class which make it difficult to deal with," the Securelist blog post reads. "Firstly, there is the borderline functionality that blurs the lines between legitimate and malicious software. It has to be clarified whether a specific program is part of a secure and legal advertising campaign or if it is illegitimate software performing similar functions. A second important aspect of this class – its sheer quantity – also means a fundamentally different approach to any analysis is required."

Via email, Yunakovsky told SC Media that Kaspersky has been observing samples of Magala for "a while," but began researching the malware in earnest as of March 2017. While the Securelist blog post does not reference how the malware is initially distributed to victims, Yunakovsky noted that these types of trojans are usually "embedded in different tools, such as 'speed booster,' 'cleaners,' browsers, and so on. For aggressive adware and trojan-clickers it's not typical to spread via phishing or spam."