
BrowserModifier:Win32/Foniad


First posted on 25 February 2019.
Source: Microsoft

Aliases :

There are no other names known for BrowserModifier:Win32/Foniad.

Explanation :

This highly polymorphic threat continually uses modified versions of itself to evade detection. However, it appears to consistently use the same file name:

xsetup.exe

This threat launches the Chrome browser and opens URLs in several of the following domains through a series of redirects:

acinster.info
aclassigned.info
efishedo.info
enclosely.info
insupposity.info
maraukog.info
suggedin.info

It modifies the following registry key to allow specified URLs to display Chrome desktop notifications:

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome
Value name: DefaultNotificationsSetting

It then inserts values in the following registry key that allow URLs in specific domains (selected from the same list) to display Chrome desktop notifications:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls

The domains accessed by this browser modifier might be generating revenue through ad impressions.
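The two registry locations above are Chrome's enterprise policy keys, so a host check can read them directly. The following PowerShell script is an added example written for this page, not code from Microsoft or from the original write-up: it reads DefaultNotificationsSetting (Chrome's policy values are 1 = allow, 2 = block, 3 = ask), enumerates every entry under NotificationsAllowedForUrls, flags entries matching the domains listed above, checks for a running xsetup.exe process, and can optionally remove the flagged entries. The function names and the -Remove switch are this example's own choices.

```powershell
# Added example for BrowserModifier:Win32/Foniad: audit and clean the Chrome
# notification policy keys the write-up says the threat modifies.
# Run from an elevated PowerShell session (HKLM policy keys need admin rights).

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$AllowKey   = Join-Path $PolicyKey 'NotificationsAllowedForUrls'

# Domains taken from the write-up above; extend this list from your own telemetry.
$Indicators = @(
    'acinster.info', 'aclassigned.info', 'efishedo.info', 'enclosely.info',
    'insupposity.info', 'maraukog.info', 'suggedin.info'
)

function Get-ChromeNotificationPolicyFindings {
    # Collect the policy state and any entries that match known Foniad domains.
    $result = [ordered]@{
        DefaultSetting = $null      # 1 = allow, 2 = block, 3 = ask (Chrome policy values)
        AllowedUrls    = @()        # every pattern under NotificationsAllowedForUrls
        Suspicious     = @()        # entries whose pattern contains an indicator domain
        XsetupRunning  = $false     # file name the write-up reports the dropper using
    }

    if (Test-Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        if ($null -ne $props.DefaultNotificationsSetting) {
            $result.DefaultSetting = [int]$props.DefaultNotificationsSetting
        }
    }

    if (Test-Path $AllowKey) {
        $item = Get-Item -Path $AllowKey
        # Chrome list policies are stored as values named "1", "2", ... holding URL patterns.
        foreach ($name in $item.GetValueNames()) {
            $pattern = [string]$item.GetValue($name)
            $result.AllowedUrls += $pattern
            foreach ($domain in $Indicators) {
                if ($pattern -like "*$domain*") {
                    $result.Suspicious += [pscustomobject]@{ Name = $name; Url = $pattern }
                    break
                }
            }
        }
    }

    # Weak indicator on its own (the name is generic), but cheap to check alongside the keys.
    $result.XsetupRunning = [bool](Get-Process -Name 'xsetup' -ErrorAction SilentlyContinue)

    [pscustomobject]$result
}

function Remove-FoniadNotificationPolicy {
    # Remove only the entries that matched an indicator domain; honours -WhatIf / -Confirm.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)] $Findings)

    foreach ($entry in $Findings.Suspicious) {
        if ($PSCmdlet.ShouldProcess("$AllowKey (value $($entry.Name))", "Remove allowed URL $($entry.Url)")) {
            Remove-ItemProperty -Path $AllowKey -Name $entry.Name
        }
    }

    # Only touch the default setting when the allow list was actually tampered with;
    # a value of 1 set by legitimate group policy must be left alone.
    if ($Findings.Suspicious.Count -gt 0 -and $Findings.DefaultSetting -eq 1) {
        if ($PSCmdlet.ShouldProcess($PolicyKey, 'Remove DefaultNotificationsSetting')) {
            Remove-ItemProperty -Path $PolicyKey -Name 'DefaultNotificationsSetting'
        }
    }
}

# Usage: audit first, then preview the cleanup before applying it.
$findings = Get-ChromeNotificationPolicyFindings
$findings | Format-List
if ($findings.Suspicious.Count -gt 0) {
    Write-Warning "Found $($findings.Suspicious.Count) notification allow-list entries matching Foniad domains."
    Remove-FoniadNotificationPolicy -Findings $findings -WhatIf   # drop -WhatIf to apply
}
```

Before removing anything, compare the keys with what your domain Group Policy is expected to push: an enterprise that manages Chrome legitimately populates the same NotificationsAllowedForUrls key, and a DefaultNotificationsSetting of 1 is not by itself evidence of compromise. Chrome re-reads policy on the next restart (or from chrome://policy with Reload policies), so the allowed-URL entries stop working as soon as they are gone from the registry.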

Last update 25 February 2019
