Category: General|Aug 7, 2019 | Author: Admin

DealPly Adware Escapes Detection By Abusing McAfee And Microsoft Services


Researchers have discovered a new adware variant that is capable of escaping antivirus detection. The DealPly adware possesses traits to bypass security measures. The adware abuses McAfee and Microsoft reputation services to elude detection.

DealPly Adware Evades Detection
Reportedly, researchers from Ensilo have presented their analysis regarding a new adware variant. Termed DealPly, the adware seamlessly avoids antivirus detection by abusing reputation services. The researchers elaborated their findings in a recent blog post.

As explained, the malware has several features for dodging security controls: virtual-machine detection, host fingerprinting, and abuse of the Microsoft SmartScreen and McAfee WebAdvisor reputation services to evade detection.

Technically, the adware consists of several modules that operate in three stages to carry out the attack.

The most important of these modules is “WB_CH33.dll”, which carries the malware’s core functionality. It directs and executes the other modules, and performs a geolocation check to record country codes.

The DealPly attack begins when the adware reaches the victim’s device bundled with otherwise legitimate software installers. The researchers caught this adware bundled with the installer for the photo-editing software ‘Fotor’.

The adware executes alongside the installer as part of the installation process. It then copies itself into the AppData directory and registers itself with the Windows Task Scheduler, which runs it hourly; on each run it sends encrypted requests over HTTP to the C&C server. The main module “WB_CH33.dll” receives the subsequent commands.

Once a valid request is sent to the server, it responds by redirecting the client to a domain that points at one of Amazon’s S3 servers. The response contains instructions as well as the main module to be executed.

During this process, the adware also sends the results of its VM detection and host fingerprinting checks to the C&C.
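As an added example (not code from the article or from the researchers’ report), the following Python triages Windows Task Scheduler XML definitions for the persistence pattern described above (a binary under AppData run on a short repetition interval) and checks whether a series of outbound request timestamps recurs at roughly an hourly period, the beaconing cadence described above. The task definitions and timestamps are constructed samples, not real DealPly artefacts.

```python
import re
import xml.etree.ElementTree as ET
from statistics import median

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
APPDATA_RE = re.compile(r"(\\AppData\\|%APPDATA%|%LOCALAPPDATA%)", re.IGNORECASE)


def duration_minutes(iso):
    """Convert an ISO-8601 duration as used by Task Scheduler (PT1H, PT30M) to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?", iso or "")
    if not m:
        return None
    days, hours, mins = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins


def triage_task(xml_text):
    """Flag a task that runs a binary out of AppData and/or repeats at most hourly."""
    root = ET.fromstring(xml_text)
    findings = []
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", TASK_NS):
        if APPDATA_RE.search(cmd.text or ""):
            findings.append("exec_from_appdata")
    for iv in root.iterfind(".//t:Repetition/t:Interval", TASK_NS):
        mins = duration_minutes(iv.text)
        if mins is not None and mins <= 60:
            findings.append("repeats_every_%dm" % mins)
    return findings


def is_hourly_beacon(epoch_seconds, period=3600, tolerance=120, min_gaps=3):
    """True when request timestamps for one host->domain pair recur at about `period`
    seconds (median gap within `tolerance`), i.e. the hourly C&C check-in pattern."""
    gaps = [b - a for a, b in zip(epoch_seconds, epoch_seconds[1:])]
    return len(gaps) >= min_gaps and abs(median(gaps) - period) <= tolerance


# Constructed sample task definitions (hypothetical paths, not real DealPly artefacts).
SUSPICIOUS_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2019-08-01T10:00:00</StartBoundary>
    <Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\\Users\\alice\\AppData\\Roaming\\Updater\\updater.exe</Command>
  </Exec></Actions></Task>"""
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2019-08-01T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Program Files\\Vendor\\backup.exe</Command></Exec></Actions></Task>"""
# Constructed proxy-log timestamps: five requests about one hour apart, with some jitter.
BEACON_TIMES = [1565172000, 1565175610, 1565179190, 1565182820, 1565186400]
```

In practice the XML comes from `schtasks /query /xml` or the files under `C:\Windows\System32\Tasks`, and the timestamps from proxy or firewall logs grouped per source host and destination.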

Strategy To Evade Detection
As stated above, DealPly abuses Microsoft SmartScreen and McAfee WebAdvisor to remain undetected. Regarding the abuse of these services, the researchers stated in their blog post:

“Microsoft SmartScreen and McAfee WebAdvisor provide threat intelligence verdicts on files and URLs and are free to use. With the data from these services, the life-span for the Adware’s installers and components can be prolonged as changes are required only once they are known to be blacklisted.”

This constant querying lets the attackers track how widely antivirus products detect the adware and create new samples when required, which makes the campaign difficult to detect and stop.

The researchers fear that such evasive strategies may find their way into advanced malware campaigns as well.

Let us know your thoughts in the comments.
