A supposedly legitimate French software firm, Tuto4PC, has actually infected an estimated 12 million PC users with a generic trojan disguised as downloadable utilities programs, according to an in-depth analysis from Cisco's Talos research division.
The so-called utilities software creates a backdoor on infected machines to automatically deliver payloads with spyware and adware capabilities, explained blog post authors and researchers Warren Mercer and Matthew Molyett. Moreover, it attempts to detect antivirus software, forensics tools, sandbox environments and other indicators that might block or analyze the malicious programs.
For the above reasons, Talos has blocked the software from its own corporate customers and reclassified the threat as the malware “Wizz,” named after WizzLabs, another business linked to Tuto4PC that shares much of the same infrastructure.
Following a recent marked increase in generic Trojan activity, the Talos team analyzed one particular campaign that repetitively used the Wizz naming convention over approximately 7,000 unique samples of malware. Talos found that the malware contains encrypted payloads that only fully execute if it cannot detect any machine defenses that could potentially thwart the campaign. For example, Wizz checks for install and uninstall keys that are commonly associated with virtual machine environments and debugging tools, and also checks actively running processes for monitoring, debugging and remote access tools.
Talso used a specially customized sandbox to conceal its detection and analysis capabilities. With Wizz now fully executed, the researchers observed as the malicious code contacted a command and control server (belonging to WizzLabs) via an encrypted channel to confirm a successful installation.
“The author performs all of these functions in such a way that the average user is extremely unlikely to notice them, which results in a stealth collection process. This leads one to conclude that the author has spent a lot of time exploring and implementing ways to avoid detection,” the report said.
Further dissection of the malware led to the discovery of additional infections across the globe, including in the U.S., Australia, Japan, Spain, France, New Zealand and the U.K. A key commonality among them was the presence of an adware program called “OneSoftPerDay,” which attempts to coax victims into downloading a widget that gives them cheap or free software. This dubious software was signed by a certificate owned by TuTo4PC, the report stated.
Once OneSoftPerDay executes — the adware also looks for VM and sandbox environments — it automatically downloads another program called System Healer, without any user interaction. Talos identified System Healer as a well known potentially unwanted program (PUP), and explained in its report that the application sends a myriad of security and privacy alerts designed to scare the user into purchasing additional security software.
“Our instance revealed we had ‘12 System issues' and ‘68 registry items were found' with a finishing touch of ‘privacy concerns were found,'” said the report. But “what the application failed to do here was to actually deliver any details into these findings.”
The investigation ultimately led researchers to multiple domains owned by TuTo4PC, despite attempts to obscure domain information, said Talos. According to the report, these domains are of questionable legitimacy — typically, users visit these websites because they feature product offers such as “PC Clean” and “Free Game,” but they end up downloading Wizz and other malware, thus beginning the infection process.