U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Redirector.Paco, a Million-Machine Clickfraud Botnet

According to the experts at Bitdefender an HTTPS hijacking click-fraud botnet dubbed Redirector.Paco infected almost 1 million devices since now. Security experts at Bitdefender spotted a new click fraud botnet dubbed Redirector.Paco that has been around at least since September 2014 and has already infected more than 900,000 devices over the years. Crooks behind the Redirector.Paco aimed to create a clickbot that […]

Redirector.Paco, a Million-Machine Clickfraud Botnet

According to the experts at Bitdefender an HTTPS hijacking click-fraud botnet dubbed Redirector.Paco infected almost 1 million devices since now.

Security experts at Bitdefender spotted a new click fraud botnet dubbed Redirector.Paco that has been around at least since September 2014 and has already infected more than 900,000 devices over the years.

Crooks behind the Redirector.Paco aimed to create a clickbot that is able to redirect all traffic performed when using a search engine (i.e. Google, Yahoo or Bing) and to replace the legitimate results with others decided by hackers to earn money from the AdSense program.

“To redirect the traffic the malware performs a few simple registry tweaks. It modifies the “AutoConfigURL” and “AutoConfigProxy” values from the “Internet Settings” registry key so that for every request that a user makes, a PAC (Proxy auto-config) file will be queried. This file tells the browser to redirect the traffic to a different address.” states a blog post from BitDefender.

The experts highlighted the existence of some indicators that could be associated with the fraudulent activity of the botnet, including:

  • Displaying messages like “Waiting for proxy tunnel” or “Downloading proxy script” in the status bar of the browser.
  • Long page loading time for Google page.
  • Missing “o” characters above the number of search result pages.

The threat actors behind the Redirector.Paco botnet used to deliver the malware by bundling it with installers for benign applications, such as WinRAR and YouTube Downloader.

In one of the attacks spotted by the experts at Bitdefender, the installers dropped JavaScript files that modify the “Internet Settings” registry key in order to change the behavior of the web browser and force it into using a proxy auto-configuration (PAC) file created by the attacker to provide fake search results. The attackers also rely on a root certificate so that any connection that goes through the server specified in the PAC file looks private without raising suspicion.

“As shown, any request to any page that starts with https://www.google or https://cse.google will be redirected to the IP 93.*.*.240 on port 8484. However, at this point, since the requests are made on the HTTPS protocol, they will be accompanied by a warning that alerts the user that there is a problem with the certificate.” continues the post. “Update.txt downloads and installs a root certificate so that any connection that goes through the server specified in the PAC file looks private.”

The experts also spotted a variant of the Redirector.Paco botnet that relies on a .NET component that modifies search results locally by setting up a local server without redirecting traffic to an external server.

Most infected devices are located in India, but experts observed several infections also in the United States, Malaysia, Greece, Italy, Brazil and other African countries.

Redirector.Paco botnet infections

 

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Redirector.Paco, botnet)