FYI...
PUPs Masquerade as Installer for Antivirus and Anti-Adware
- https://blog.malwarebytes.org/online...d-anti-adware/
Dec 18, 2015 - "... two pieces of programs claiming to be two different security software, being housed in a domain purporting to be a safe antivirus download hub. The destination in question, however, has been known to serve a -fake- Malwarebytes installer. The domain is antivirus-dld[DOT]com, and users must avoid visiting it or -block- it with their browsers. Below are screenshots of its subdomains where users can supposedly download the AVG and AdwCleaner programs:
1. https://blog.malwarebytes.org/wp-con...015/12/avg.png
...
2. https://blog.malwarebytes.org/wp-con...adwcleaner.png
... -both- installers show differences in file names and hashes, they exhibit more identical markings than what we see on the surface... AV engines detect these as variants of the SoftPulse family... As this “Thank you” GUI window is displayed, the supposed program, in this case AVG, is then downloaded and installed automatically. Users can’t see this happening at first because the installer’s GUI is overlaying the real program’s GUI:
> https://blog.malwarebytes.org/wp-con...5/12/avg05.png
Immediately after installation, the default browser opens to reveal an advertisement of an online dating site. We reckon that various ads are randomized:
> https://blog.malwarebytes.org/wp-con...5/12/avg06.png
Clicking -any- of these links directs users to magno2soft[DOT]com, a domain that the Google Chrome browser blocks, tagging it as malicious. Additionally, we did a quick lookup of their “24/7 free support” phone number—(+1) 844 326 2917—to see if something comes up. It turns out that this number is also used by -other- domains... We have also noted that their contents are also identical to Magno2soft’s. Be advised to -not- visit these sites as some of them automatically download an executable file... Domains like antivirus-dld[DOT]com may only appear legitimate, but they’re just hubs distributing pieces of software you may not want lurking in your hard drive."
antivirus-dld[DOT]com: 23.229.195.163: https://www.virustotal.com/en/ip-add...3/information/
magno2soft[DOT]com: 178.33.154.37: https://www.virustotal.com/en/ip-add...7/information/
> https://www.virustotal.com/en/url/58...9b8c/analysis/