PUP.Optional.AdMax is Malwarebytes’ detection name for a family of browser extensions that are promoted in a deceptive way as ad blockers. Malwarebytes blocks the sites promoting them and provides remediation steps to detect and remove the PUP.
#PUP.Optional.AdMax #Malwarebytes

Keypoints

  • The article defines PUP.Optional.AdMax as a family of browser extensions promoted in a misleading way as ad blockers.
  • The extensions claim to be ad blockers but offer only limited functionality.
  • They are promoted in the webstore and often reappear under a different name if removed.
  • Malwarebytes protects users by blocking sites that promote these extensions.
  • Remediation steps show how Malwarebytes can detect and remove PUP.Optional.AdMax with a standard scan and quarantine process.
  • Users can add exclusions to allow the program or its components to run, via the Malwarebytes exclusions/Allow List workflow.
  • The removal log example reveals forensic artifact types (files, registry keys, and extension-related data) associated with PUP.Optional.AdMax.

MITRE Techniques

  • [T1036] Masquerading – The extensions are promoted as legitimate ad blockers and often return under another name after removal. Quote: “These extensions are promoted in misleading ways and by dubious methods. They are available in the webstore, and often return under another name if they are removed.”

Indicators of Compromise

  • [Domain] download-ready.net – context: site promoted by the PUP and blocked by Malwarebytes as seen in the article’s caption.
  • [File Hash] A28D78DD38E9F6E2DEFEED856F6680AA – context: example hash listed in the removal log for PUP.Optional.AdMax.
  • [File Hash] 30EE7454A338E78E63579F04411E2F8ED96E920904E88175569C9F75F13C5DB7 – context: another hash shown in the removal log.
  • [Registry Key] HKCU\SOFTWARE\GOOGLE\CHROME\PREFERENCEMACS\Default\extensions.settings|ggdpplfehdighdpleoegjefnpefgpgfh – context: artifact from the removal log.
  • [File Path] C:\Users\{username}\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ggdpplfehdighdpleoegjefnpefgpgfh – context: local extension setting path observed in the log.

Read more: https://www.malwarebytes.com/blog/detections/pup-optional-admax