BrowserModifier:Win32/Soctuseer
First posted on 09 September 2016.
Source: Microsoft
Aliases:
There are no other names known for BrowserModifier:Win32/Soctuseer.
Explanation:
Installation
This browser modifier can be installed on your PC when you download other software from third-party websites.
Payload
This threat displays advertisements, usually offering discounted or lower prices, related to the product the user is searching for on popular online shopping websites. The advertisements carry the attribution name "Social2Search".
It uses two ways to display advertisements:
- Using a NetFilter driver
- Directly injecting a DLL into the browser's process
We have seen it display advertisements using the following browsers:
- Google Chrome
- Internet Explorer
- Microsoft Edge
- Mozilla Firefox
Example advertisements: screenshots for Google Chrome, Internet Explorer, Microsoft Edge and Mozilla Firefox (images not reproduced here).
Adds a service
This threat creates a service that runs automatically on every system startup.
The service name is random, but the service description is the same across samples.
Example service: screenshot (image not reproduced here).
Adds files
This threat creates a folder under Program Files whose name is a random 32-hex-digit string. Most of its component files use the same naming format for their file names.
Adds a scheduled task
Some versions of this threat add a scheduled task that executes a component PowerShell script. The script checks for and downloads updates. The task name uses the same 32-hex-digit format as the folder name.
Hides dropped files
We have seen some versions of this threat that also add a driver component to hide its added files. The driver allows only processes whose file names match common browser and system process names to access those files.
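The persistence artifacts described above (a 32-hex-digit folder under Program Files, a scheduled task with the same name format, and a service that launches components from that folder) can be hunted for with a simple naming-pattern check. The following is an added example for defenders, not code from Microsoft's write-up. The inventory it scans is constructed inline, the hex string in it is a made-up placeholder and not a real indicator, and the assumption that the service's image path points into the hex-named folder is mine, inferred from where the write-up says the component files live; the write-up does not reproduce the shared service description, so no description match is attempted here.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# 32 hexadecimal digits: the naming pattern the write-up reports for the
# Program Files folder, most component files and the scheduled task name.
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")

# A service image path rooted in a 32-hex-digit folder under Program Files
# (32-bit or 64-bit). Matching services this way is an assumption of this
# example, not something the write-up states.
PROGRAM_FILES_HEX32 = re.compile(
    r"^[a-z]:\\program files(?: \(x86\))?\\([0-9a-f]{32})\\", re.IGNORECASE
)


def is_hex32(name: str) -> bool:
    """True when a bare folder, file or task name is exactly 32 hex digits."""
    return bool(HEX32.fullmatch(name))


def hex32_folder_of(image_path: str) -> Optional[str]:
    """Return the 32-hex-digit Program Files folder a service image path
    runs from, or None. Leading quotes (as in quoted ImagePath values) are
    ignored."""
    m = PROGRAM_FILES_HEX32.match(image_path.lstrip('"'))
    return m.group(1) if m else None


def find_hex32_artifacts(
    program_files_dirs: Sequence[str],
    task_names: Sequence[str],
    services: Sequence[Tuple[str, str]],
) -> Dict[str, List]:
    """Flag folders, scheduled tasks and services matching the pattern.

    program_files_dirs: bare directory names directly under Program Files
    task_names: task paths as listed by schtasks, e.g. "\\Vendor\\TaskName"
    services: (service name, image path) pairs
    """
    findings: Dict[str, List] = {"folders": [], "tasks": [], "services": []}
    for d in program_files_dirs:
        if is_hex32(d):
            findings["folders"].append(d)
    for t in task_names:
        # Only the leaf of the task path is the task's own name.
        leaf = t.rsplit("\\", 1)[-1]
        if is_hex32(leaf):
            findings["tasks"].append(t)
    for name, image_path in services:
        folder = hex32_folder_of(image_path)
        if folder:
            findings["services"].append((name, folder))
    return findings


# Constructed sample inventory; the hex string is a placeholder, not an IoC.
SAMPLE_DIRS = [
    "Common Files",
    "Internet Explorer",
    "8b1f3c9e2d4a6f0b7c5e1d3a9f2b4c6d",
    "Windows Defender",
]
SAMPLE_TASKS = [
    "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
    "\\8b1f3c9e2d4a6f0b7c5e1d3a9f2b4c6d",
]
SAMPLE_SERVICES = [
    ("wuauserv", r"C:\Windows\system32\svchost.exe -k netsvcs"),
    # Random service name (per the write-up) launching from the hex folder.
    ("qxkv1", r'"C:\Program Files\8b1f3c9e2d4a6f0b7c5e1d3a9f2b4c6d\8b1f3c9e2d4a6f0b7c5e1d3a9f2b4c6d.exe"'),
]

if __name__ == "__main__":
    for kind, hits in find_hex32_artifacts(SAMPLE_DIRS, SAMPLE_TASKS, SAMPLE_SERVICES).items():
        print(f"{kind}: {hits}")
```

On a live host the three inputs would come from a directory listing of both Program Files folders, `schtasks /query /fo LIST` (or the Task Scheduler library), and the Name and PathName properties of `Win32_Service`; a hit on all three for the same hex string is a strong signal, while a single 32-hex-digit folder on its own deserves a look at its contents before acting, since some legitimate installers also use GUID-like names.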
Adds an uninstall option
This threat adds an uninstallation option that users can use to remove the software from the system.
Analysis by James Patrick Dee
Last update: 09 September 2016