Signed software abused to deploy antivirus-killing scripts
Security researchers have exposed a digitally signed adware campaign that silently disables antivirus protections by deploying SYSTEM-privileged payloads via an MSI/PowerShell updater built with Advanced Installer. In a single day, about 23,500 hosts in 124 countries were infected, including networks in academia, government, utilities, and healthcare; the operator is a company named Dragon Boss Solutions LLC. The campaign uses PUPs branded as browsers, downloads an MSI disguised as a GIF, and runs ClockRemoval.ps1 to disable security products and block their updates, raising the risk that more dangerous payloads follow. Admins are urged to hunt for specific artifacts (MbRemoval/MbSetup WMI subscriptions, related scheduled tasks, and suspicious hosts-file changes) and to monitor the unregistered update domains.

Executive Summary
- A digitally signed adware tool was used to deliver payloads that run with SYSTEM privileges, effectively disabling antivirus protections across thousands of endpoints.
- In a single day, researchers observed more than 23,500 infected hosts spanning 124 countries attempting to connect to the operator’s infrastructure.
- The campaign extended beyond nuisance advertising, introducing a mechanism designed to silence security software and potentially enable further malicious actions.
Campaign Overview
- The activity was first identified on March 22 by Huntress, a managed security provider, when signed executables flagged as potentially unwanted programs (PUPs) triggered alerts in multiple managed environments.
- The software’s classification as PUPs reflects its typical role in ad delivery, banners, pop-ups, and browser redirects rather than overt malware, yet the campaign escalated well beyond that expectation.
- The operator used a signing authority behind a company named Dragon Boss Solutions LLC, which publicly promoted tools branded as browsers but detected by security tools as PUPs.
Technical Architecture and Mechanisms
1) Signed Adware Channel
- The operation relied on adware tools signed with a legitimate certificate, enabling the payloads to bypass basic trust checks and appear less suspicious in enterprise environments.
- The software family included browser-like offerings such as Chromnius, Chromstera Browser, WorldWideWeb, and Web Genius, marketed under various branding but functioning as PUPs in security tooling.
2) Update-Driven Delivery Model
- Researchers traced the core delivery to an update mechanism implemented via the commercial Advanced Installer tool, which is commonly used to package MSI and PowerShell payloads.
- The update workflow was configured to run silently, with elevated privileges, and to minimize user interaction, aligning with targeted persistence goals.
3) Hidden MSI Payloads and GIF Masquerade
- The main delivery stage retrieved an MSI payload named Setup.msi that was disguised as a GIF image, a ploy intended to persuade defenses that the file was innocuous visual content.
- The MSI included legitimate DLLs used by Advanced Installer for tasks such as executing PowerShell scripts, probing installed software, and performing actions defined by auxiliary data files.
4) Reconnaissance and Privilege Elevation
- Before deploying the primary payload, the MSI installer conducted system reconnaissance:
  - It checked for administrative status and the presence of virtual machines to evade analysis in sandboxed environments.
  - It verified internet connectivity and queried the registry for installed antivirus products from Malwarebytes, Kaspersky, McAfee, and ESET.
- Security products were disabled via a PowerShell component named ClockRemoval.ps1, which was placed in multiple locations for redundancy.
5) ClockRemoval.ps1 and System Persistence
- ClockRemoval.ps1 executed routines on system boot, user logon, and at 30-minute intervals to ensure antivirus products were removed or remained disabled.
- The script stopped services, terminated AV-related processes, removed installation directories and registry entries, silently executed uninstallers, and forcibly deleted files when uninstallers failed.
6) Anti-Defense Measures and Reinstatement Blockers
- The campaign went further by attempting to block reinstallation or updates of security software:
  - It modified the hosts file, null-routing antivirus vendor domains to 0.0.0.0.
  - It thereby attempted to prevent vendors from reinstalling or updating their software, creating a stubborn, long-lived foothold on infected machines.
7) Browser Targeting and Interference Avoidance
- The MSI installer targeted the installers for Opera, Chrome, Firefox, and Edge, likely to minimize interference with the adware’s browser hijacking efforts.
- This indicates a broader strategy to ensure the user experience remained favorable to the attacker’s monetization or control goals.
8) Domains and Sinkhole Observations
- The campaign operated with two primary update domains:
  - chromsterabrowser[.]com (main)
  - worldwidewebframework3[.]com (fallback)
- Initial observations showed the operator had not registered these domains, presenting an opportunity for sinkholing and monitoring infected hosts.
- In practice, Huntress noted that infected endpoints reached out to these domains en masse, illustrating the scale of the compromised network.
9) Domain Registration Gap and Implications
- Because the main update domain was not registered by the operator, this opened the door for others to potentially claim the domain and push arbitrary payloads to thousands of infected machines that already lacked proper protection.
- The infrastructure provided a ready-made channel for escalating attacks if the operator chose to push more dangerous payloads.
Scale of Impact and Infected Profiles
1) Global Reach and Count
- More than 23,500 infected hosts observed in a single day, spanning 124 countries.
- The outbreak included endpoints across academic, government, healthcare, energy/transport critical infrastructure, and large enterprise networks.
2) High-Value Network Exposure
- Researchers identified 324 infected hosts within high-value networks, including:
  - 221 academic institutions across North America, Europe, and Asia
  - 41 Operational Technology networks in energy and transport sectors, alongside critical infrastructure providers
  - 35 municipal governments, state agencies, and public utilities
  - 24 primary and secondary educational institutions
  - 3 healthcare organizations (hospital systems and providers)
  - Networks associated with multiple Fortune 500 companies
3) Observed Infected Entities in Education and Public Sector
- A substantial portion of the infection footprint touched educational institutions and public sector networks, underscoring how education and government endpoints can become vectors for adware-based campaigns with deeper capabilities.
Key Artifacts and Indicators for Investigators
- ClockRemoval.ps1: The central script used to disable antivirus protections, deployed in multiple locations and designed to execute at boot, logon, and at regular intervals.
- Setup.msi disguised as a GIF: The MSI payload used to stage further actions, including the execution of PowerShell scripts and reconnaissance routines.
- Registry and process manipulation: The MSI installer performed reconnaissance and altered system state to suppress security tools.
- Hosts-file modifications and null-routing: The attackers attempted to block AV vendor domains to prevent reinstatement or updates of security products.
- WMI and scheduled task indicators: Huntress highlighted potential WMI subscriptions (MbRemoval, MbSetup) and scheduled tasks associated with WMILoad or ClockRemoval as signals of compromise.
- Vendor presence checks: The system queried for security products from Malwarebytes, Kaspersky, McAfee, and ESET to tailor the impact and persistence strategy.
- Uninstall and cleanup actions: The campaign included routine removal of security software remnants, including deletion of directories, registry entries, and vendor uninstallers.
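The artifacts listed above can be checked on a suspect Windows host with the following PowerShell hunt script. It is an added example, not code from the Huntress report; the artifact names come from the report, while the vendor keyword list and the 127.0.0.1 hosts-file variant are assumptions.

```powershell
# Added example: read-only hunt for the indicators described in this article.
# Run from an elevated PowerShell session; nothing here modifies the host.
$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1) hosts-file null-routing of AV vendor domains. The report describes 0.0.0.0;
#    127.0.0.1 is a common variant and an assumption added here. Vendor keywords
#    are a constructed list based on the vendors named in the report.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$vendorPattern = 'malwarebytes|kaspersky|mcafee|eset'
foreach ($line in Get-Content $hostsPath) {
    if ($line -match '^\s*(0\.0\.0\.0|127\.0\.0\.1)\s+(\S+)' -and $Matches[2] -match $vendorPattern) {
        $findings += "hosts null-route: $line"
    }
}

# 2) Permanent WMI event subscriptions named MbRemoval / MbSetup (filters, consumers, bindings).
foreach ($class in '__EventFilter', 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
    Get-CimInstance -Namespace 'root\subscription' -ClassName $class |
        Where-Object { $_.Name -match 'MbRemoval|MbSetup' } |
        ForEach-Object { $findings += "WMI $class`: $($_.Name)" }
}

# 3) Scheduled tasks whose name or action references WMILoad or ClockRemoval.
Get-ScheduledTask | ForEach-Object {
    $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
    if ($_.TaskName -match 'WMILoad|ClockRemoval' -or $actions -match 'WMILoad|ClockRemoval') {
        $findings += "Scheduled task: $($_.TaskPath)$($_.TaskName)"
    }
}

# 4) Copies of ClockRemoval.ps1 anywhere on the system drive (the report notes multiple locations).
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'ClockRemoval.ps1' -Recurse -Force -File |
    ForEach-Object { $findings += "File: $($_.FullName)" }

# 5) Cached DNS lookups for the two update domains named in the report.
Get-DnsClientCache | Where-Object { $_.Entry -match 'chromsterabrowser|worldwidewebframework3' } |
    ForEach-Object { $findings += "DNS cache: $($_.Entry)" }

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'No indicators from this campaign found on this host.'
}
```

Treat any hit as a lead for triage rather than proof of compromise; a clean result does not rule out the campaign if the script was already removed or the DNS cache has been flushed.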
Operational Observations and Context
- The malicious toolset represents a blend of adware monetization and intrusion capability, with the current AV-killer mechanism serving as a foothold for potential escalation.
- The lack of a registered main update domain created a potential vector for outside actors to take control of the update channel, with implications for the integrity of infected devices across large networks.
- The attackers’ approach indicates a willingness to leverage signed software to bypass standard defenses, followed by aggressive suppression of security controls to maintain persistence.
Closing Context
- The campaign demonstrates how signed adware tools can evolve into weapons capable of disabling endpoint protections, while leveraging legitimate update mechanisms to scale their reach.
- The findings underscore the importance of monitoring update processes, DNS discipline, and hosts-file integrity within managed environments, particularly in institutions with broad endpoint connectivity and diverse device fleets.
- The observed activity does not represent a single isolated incident but a large, dynamically adaptable campaign with a footprint that spans multiple sectors and geographies, exposing the ongoing risk posed by seemingly legitimate software signed by third-party entities.