{
	"id": "e623bfff-9ea9-4505-a4ff-621e61b11af4",
	"created_at": "2026-04-06T03:35:59.879663Z",
	"updated_at": "2026-04-10T13:12:40.253217Z",
	"deleted_at": null,
	"sha1_hash": "050fbdf9d997c997844b61a9252302f739d5f5b3",
	"title": "Ad blocker with miner included",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 189390,
	"plain_text": "Ad blocker with miner included\r\nBy Anton Kuzmenko\r\nPublished: 2021-03-10 · Archived: 2026-04-06 03:19:30 UTC\r\nSome time ago, we discovered a number of fake apps delivering a Monero cryptocurrency miner to user computers. They are distributed through malicious websites that may turn up in the victim’s search results. By the look of it, it appears to be a continuation of the summer campaign covered by our colleagues from Avast. Back then, cybercriminals distributed malware under the guise of the Malwarebytes antivirus installer.\r\nIn the latest campaign, we have seen several apps impersonated by the malware: the ad blockers AdShield and Netshield, as well as the OpenDNS service. This article analyzes only the fake AdShield app, but all the other cases follow the same scenario.\r\nTechnical details\r\nDistributed under the name adshield[.]pro, the malware impersonates the Windows version of the AdShield mobile ad blocker. After the user starts the program, it changes the DNS settings on the device so that all domains are resolved through the attackers’ servers, which, in turn, prevent users from accessing certain antivirus sites, such as Malwarebytes.com.\r\nAfter substituting the DNS servers, the malware starts updating itself by running updater.exe with the argument self-upgrade (“C:\\Program Files (x86)\\AdShield\\updater.exe” -self-upgrade). Updater.exe contacts C\u0026C and sends data about the infected machine and information about the start of the installation. Some of the lines in the executable file, including the line with the C\u0026C server address, are encrypted to make static detection more difficult.\r\nhttps://securelist.com/ad-blocker-with-miner-included/101105/\r\nPage 1 of 5\r\nUpdater.exe code snippet containing the encrypted address\r\nUpdater.exe downloads from the site transmissionbt[.]org and runs a modified version of the Transmission torrent client (the original distribution can be found at transmissionbt.com). The modified program sends installation information together with the ID of the infected machine to C\u0026C, and downloads a mining module from it.\r\nNotifying C\u0026C about the successful installation\r\nThe mining module is made up of legitimate auxiliary libraries, an encrypted miner file named data.pak, the executable file flock.exe and the “license” file lic.data. The latter contains a SHA-256 hexadecimal hash of some parameters of the machine for which the module is intended and the data from the data.pak file. The modified Transmission client runs flock.exe, which first of all calculates the hash of the parameters of the infected computer and the data from the data.pak file, and then compares it with the hash from the lic.data file. This is necessary because C\u0026C generates a unique set of files for each machine so as to hinder static detection and prevent the miner from running and being analyzed in various virtual environments.\r\nIf the hashes do not match, the execution stops. Otherwise, flock.exe decrypts the data from the data.pak file using the AES-128-CTR algorithm, whereby the decryption key and initialization vector are assembled from several parts stored in the sample code. The decryption results in a Qt binary resource file that contains two executable files: the open-source XMRig miner (the same one used in the summer attack) and the bxsdk64.dll library.\r\nDecrypted data.pak file\r\nThe bxsdk64.dll file is part of the BoxedApp SDK for creating a virtual environment, but in this case it is used to run the miner under the guise of the legitimate app find.exe. The point is that to implement its functionality, bxsdk intercepts calls to system functions and can manipulate their execution. In this case, the BoxedAppSDK_CreateVirtualFileA function creates the find.exe file (which is a copy of the C:\\Windows\\System32\\find.exe file) in the C:\\ProgramData\\Flock directory. All further manipulations with find.exe occur in RAM and do not affect the file on the disk. When the find.exe process starts, bxsdk intercepts the event and runs the file from the C:\\ProgramData\\Flock directory; then, using the WriteProcessMemory and CreateRemoteThread functions, it injects the decrypted miner body into the process memory.\r\nTo ensure the continuous operation of the miner, a servicecheck_XX task is created in Windows Task Scheduler, where XX are random numbers. The task runs flock.exe with the argument minimize.\r\nStatistics\r\nAccording to data from Kaspersky Security Network, at the time of preparing this article, since the beginning of February 2021, there have been attempts to install fake apps on the devices of more than 7 thousand users. At the peak of the current campaign, more than 2,500 unique users per day were attacked, with most of the victims located in Russia and CIS countries.\r\nNumber of users attacked, August 2020 – February 2021 (download)\r\nKaspersky’s security solutions detect the above-described threats with the following verdicts:\r\nWin64.Patched.netyyk\r\nWin32.DNSChanger.aaox\r\nWin64.Miner.gen\r\nHEUR:Trojan.Multi.Miner.gen\r\nHow to remove the miner\r\nIf the QtWinExtras.dll file is detected on your device, reinstall Malwarebytes. If Malwarebytes is not in the list of apps, you need to delete all the following folders that are on the disk:\r\n%program files%\\malwarebytes\r\nprogram files (x86)\\malwarebytes\r\n%windir%.old\\program files\\malwarebytes\r\n%windir%.old\\program files (x86)\\malwarebytes\r\nIf flock.exe is detected on your device:\r\nUninstall NetshieldKit, AdShield, uninstall or reinstall OpenDNS (whichever is installed on your device).\r\nReinstall the Transmission torrent client or uninstall it if you don’t need it.\r\nDelete the folders (if present on the disk)\r\nC:\\ProgramData\\Flock\r\n%allusersprofile%\\start menu\\programs\\startup\\flock\r\n%allusersprofile%\\start menu\\programs\\startup\\flock2\r\nDelete the servicecheck_XX task (where XX are random numbers) in Windows Task Scheduler.\r\nIOC\r\nDNS\r\n142[.]4[.]214[.]15\r\n185[.]201[.]47[.]42\r\n176[.]31[.]103[.]74\r\n37[.]59[.]58[.]122\r\n185[.]192[.]111[.]210\r\nDomains\r\nadshield[.]pro\r\ntransmissionbt[.]org\r\nnetshieldkit[.]com\r\nopendns[.]info\r\nHashes\r\n5aa0cda743e5fbd1d0315b686e5e6024 (AdShield installer)\r\n81BC965E07A0D6C9E3EB0124CDF97AA2 (updater.exe)\r\nac9e74ef5ccab1d5c2bdd9c74bb798cc (modified Transmission installer)\r\n9E989EF2A8D4BC5BA1421143AAD59A47 (NetShield installer)\r\n2156F6E4DF941600FE3F44D07109354E (OpenDNS installer)\r\nSource: https://securelist.com/ad-blocker-with-miner-included/101105/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securelist.com/ad-blocker-with-miner-included/101105/"
	],
	"report_names": [
		"101105"
	],
	"threat_actors": [],
	"ts_created_at": 1775446559,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/050fbdf9d997c997844b61a9252302f739d5f5b3.pdf",
		"text": "https://archive.orkl.eu/050fbdf9d997c997844b61a9252302f739d5f5b3.txt",
		"img": "https://archive.orkl.eu/050fbdf9d997c997844b61a9252302f739d5f5b3.jpg"
	}
}