[MALWARE] Python-based adware spams ads and installs malicious browser extensions

Kaspersky’s computer security researchers discovered adware written in Python targeting Windows computers. This adware, nicknamed PBot (PythonBot) by researchers, pollutes an infected computer with ads and installs a cryptocurrency miner as well as ad extensions into the browser.

Since last April, researchers have noticed 50,000 attempts to install it on computers. The most affected users are those in Kazakhstan, Latvia, Ukraine and Russia. According to Anton V. Ivanov of Kaspersky, “developers are constantly publishing new versions of this change, which complicates obscuring the script”. This PBot variant also includes a module that “updates scripts and downloads new browser extensions”. In order to generate revenue, the browser extension is used to spam banners on the pages visited by the victim. The latter then redirects them to advertising sites. Meanwhile, the cryptominer uses the computing power (CPU) of the system to generate cryptocurrency.

PBot is distributed via malicious partner sites that redirect visitors to sponsored links. Then, if you click anywhere on the page, it opens a new browser window with a link to the PBot download page. In addition, if you click on the link, it drops an “update.hta” file, which is able to install PBot on the computer once clicked. In recent years, PBot is the third malware that has been caught targeting Windows computers. On June 18th, the Zacinlo adware infected PCs running Windows 10, 8 and 7. Like PBot, Zacinlo is able to perform multiple tasks including “spamming devices with ads, stealing user data and spying on victims by taking screenshots of their online activities”.
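
The "update.hta" delivery step described above can be hunted for in process-creation telemetry, since .hta files are run by the Windows HTML Application host, mshta.exe. The following is an added example, not code from the article or from Kaspersky; the event field names (`image`, `command_line`, `parent_image`), the path and browser lists, and the sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# Assumed lists for this sketch; tune both to the environment being monitored.
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\")
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe"}
# A quoted path (may contain spaces) or an unquoted token ending in .hta.
HTA_ARG = re.compile(r'"([^"]+\.hta)"|(\S+\.hta)', re.IGNORECASE)


def triage_hta_launch(event):
    """Return (severity, reasons) for a suspicious HTA launch, else None."""
    if ntpath.basename(event["image"]).lower() != "mshta.exe":
        return None  # only the HTML Application host executes .hta files
    match = HTA_ARG.search(event["command_line"])
    if not match:
        return None
    hta = (match.group(1) or match.group(2)).lower()
    reasons = []
    if any(part in hta for part in USER_WRITABLE):
        reasons.append("HTA run from a user-writable download/temp path")
    if ntpath.basename(event["parent_image"]).lower() in BROWSERS:
        reasons.append("mshta.exe started by a web browser")
    if ntpath.basename(hta) == "update.hta":
        reasons.append("file name matches the dropper named in the article")
    if not reasons:
        return None
    return ("high" if len(reasons) >= 2 else "medium", reasons)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\update.hta"',
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\bob\AppData\Local\Temp\setup.hta",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Program Files\Vendor Tools\help.hta"',
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_hta_launch(ev))
```

A file name match alone is a weak signal because the name is trivial to change; the path and parent-process checks are what carry the detection.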