AdsExhaust, a Newly Discovered Adware Masquerading as an Oculus Installer

AdsExhaust is a newly discovered adware family masquerading as an Oculus installer, capable of data exfiltration, browser interaction, and revenue-directed ad manipulation. It propagates via a fake Oculus download, uses batch scripts and PowerShell for persistence, and hides activity with overlays while targeting Edge and browser ads. Hashtags: #AdsExhaust #OculusInstaller

Keypoints

  • AdsExhaust is distributed through a fake Oculus installer encountered via a malicious page after a web search.
  • The infection uses a ZIP containing the batch script oculus-app.EXE, which retrieves backup.bat from a C2 server and drops update.bat, then creates multiple scheduled tasks.
  • The backup.bat drops VBS and PowerShell scripts and sets up persistence via additional scheduled tasks.
  • A PowerShell script runs in a 9-minute loop to collect system data, capture screenshots, monitor a log file, and exfiltrate data to a C2 server as a JSON payload.
  • AdsExhaust can inject browser interactions, click randomly, open tabs, and navigate to URLs embedded in the script, potentially manipulating ad revenue.
  • The malware uses a mutex (Global\edgeuniqueprocess), checks if Edge is running, overlays UI to hide activity, and performs keystroke simulations to aid automation.
  • Indicators of compromise include MD5 hashes, C2 URLs, batch/script filenames, and a persisted file path used for payloads and logs.

MITRE Techniques

  • [T1189] Drive-by Compromise – “The infection began when the user performed a web search for the Oculus application and visited the malicious page serving the adware.”
  • [T1059.003] Windows Command Shell – The batch script is responsible for the following: “Retrieving an additional batch script called ‘backup.bat’ (MD5: f089c37110f17041640910b0d49bfc5a) from the C2 server” and “Creating three tasks to run the batch files at different times.”
  • [T1105] Ingress Tool Transfer – The batch file retrieves “backup.bat” from the C2 server. “Retrieving an additional batch script called ‘backup.bat’ … from the C2 server”
  • [T1053.005] Scheduled Task – “Creating three tasks to run the batch files at different times.”
  • [T1059.001] PowerShell – The PowerShell script runs in a continuous loop for 9 minutes and performs data collection and exfiltration tasks. “The PowerShell script runs in a continuous loop for 9 minutes while performing the following tasks”
  • [T1113] Screen Capture – “Captures a screenshot of the host and saves it as a JPEG image in the temp directory.”
  • [T1056.003] Input Capture – “simulating keystrokes” to interact with browsers and automate actions.
  • [T1082] System Information Discovery – “Gathers basic system information like the operating system name, machine name, and username.”
  • [T1041] Exfiltration Over C2 Channel – “Constructs a JSON payload with the collected data… and attempts to send the JSON data to hxxp://us11[.]org/in.php.”
  • [T1564] Hide Artifacts – “creates an overlay … to hide its activities and deceive the user about the system’s real state.”
  • [T1036] Masquerading – The threat is distributed through a “fake Oculus installer application.”
  • [T1057] Process Discovery – “checks if the Microsoft Edge browser is running and determines the last time a user input occurred.”

Indicators of Compromise

  • [URL] C2/Download URLs – hxxp://us11[.]org/in.php, hxxp://us99[.]org/keywords.txt
  • [MD5] – f089c37110f17041640910b0d49bfc5a, 6cba1871dcf173af8c031a543b4ac561
  • [File Name] – oculus-app.EXE, backup.bat
  • [Path] – AppData\Local\wespmail
  • [File] – wespmail9.log
  • [Mutex] – Global\edgeuniqueprocess
  • [Domain] – ipinfo.io
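The indicators above can be turned into a quick host hunt. The script below is an added example written for this summary, not code from eSentire or from the malware; it checks a Windows host for the persisted directory and log file, scheduled tasks that launch the dropped batch files, the mutex, known MD5 hashes, and cached DNS entries for the reported domains. It assumes the wespmail directory lives under %LOCALAPPDATA% (the report gives only the relative AppData\Local\wespmail path) and that the dropped files keep the names listed in the IoCs; both are assumptions.

```powershell
# Host hunt for the AdsExhaust indicators listed in this summary (added example).
# Assumptions: wespmail sits under %LOCALAPPDATA%; dropped file names are unchanged.
$findings = New-Object System.Collections.Generic.List[string]

# Indicators copied from the IoC section of the summary
$iocMd5     = @('F089C37110F17041640910B0D49BFC5A', '6CBA1871DCF173AF8C031A543B4AC561')
$iocNames   = @('oculus-app.EXE', 'backup.bat', 'update.bat', 'wespmail9.log')
$iocDomains = 'us11\.org|us99\.org|ipinfo\.io'   # ipinfo.io is legitimate; flag for context only
$mutexName  = 'Global\edgeuniqueprocess'

# 1. Persisted payload directory and log file (assumed location under %LOCALAPPDATA%)
$wespPath = Join-Path $env:LOCALAPPDATA 'wespmail'
if (Test-Path -LiteralPath $wespPath) {
    $findings.Add("Directory present: $wespPath")
    Get-ChildItem -LiteralPath $wespPath -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("  file: $($_.Name) ($($_.Length) bytes, last written $($_.LastWriteTime))")
    }
}

# 2. Hash check of any file carrying one of the dropped names in the usual drop locations
$searchRoots = @($wespPath, (Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP)
foreach ($root in $searchRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $iocNames -contains $_.Name } |
        ForEach-Object {
            $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
            $tag = if ($iocMd5 -contains $md5) { 'KNOWN-BAD' } else { 'name match only' }
            $findings.Add("File $($_.FullName) MD5=$md5 [$tag]")
        }
}

# 3. Scheduled tasks whose action runs one of the dropped batch files or anything in wespmail
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'backup\.bat|update\.bat|wespmail') {
            $findings.Add("Scheduled task '$($task.TaskPath)$($task.TaskName)' runs: $cmd")
        }
    }
}

# 4. Mutex: the report says the adware holds Global\edgeuniqueprocess while running
try {
    $m = [System.Threading.Mutex]::OpenExisting($mutexName)
    $findings.Add("Mutex $mutexName exists (adware may be running now)")
    $m.Dispose()
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # Not present: the expected result on a clean host
} catch [System.UnauthorizedAccessException] {
    $findings.Add("Mutex $mutexName exists but could not be opened (run elevated to confirm)")
}

# 5. DNS client cache entries for the C2 / helper domains
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -match $iocDomains } |
    ForEach-Object { $findings.Add("DNS cache: $($_.Entry) -> $($_.Data)") }

if ($findings.Count -eq 0) {
    Write-Output 'No AdsExhaust indicators found on this host.'
} else {
    Write-Output "AdsExhaust indicators found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output $_ }
}
```

Run it in an elevated PowerShell session so that scheduled tasks registered by other users and the Global\ mutex namespace are visible. A hit on step 1, 2 or 3 alone is enough to treat the host as compromised; the DNS entry for ipinfo.io on its own is not, since many legitimate programs query that service.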

Read more: https://www.esentire.com/blog/adsexhaust-a-newly-discovered-adware-masquerading-oculus-installer