
PimpMyWindow – Brazilian adware

Brazilian cybercrime is based primarily on the spread of Trojan bankers. For some time now the country’s bad guys have been investing their efforts in new monetization schemes; the latest of these involves adware. And the perfect place for distributing this sort of malware? Yes, that’s right: social networks. This is how “PimpMyWindow”, an adware and click-fraud scheme that has infected several Brazilian Facebook users in recent days, works.

To spread quickly among innocent users the adware uses a “change the color of your profile” option that recently surfaced. The infected profiles are used to spread automatic messages to your Facebook contacts:


“Tired of the color of your profile? Install PimpMyWindow now”

The website offers a plug-in for the three most popular browsers: Chrome, Firefox and IE.


Sorry Opera users, no adware version available for you…

Once installed, the extension is programmed to display ads from Google’s AdSense on popular social network websites such as Ask.fm, Orkut, Facebook, Twitter and YouTube, on webmail services such as Gmail and Hotmail, and on the Google.com search engine.

Hotmail displaying Google AdSense ads? No, it’s adware!

The entire malicious scheme used by this piece of adware is based on Crossrider, a legitimate platform for creating and hosting multiplatform browser plugins, but one that was also used by the authors behind the Lilyjade worm. It shows how Brazilian bad guys are learning new monetization schemes:


Crossrider.com is hosting not only the installer but the statistics pages as well

As online banking services are very popular in Brazil, the adware also includes a module to display ads on the pages of your bank’s website, even when those pages are served over HTTPS:


Banco do Brasil, Itau and Caixa Bank websites affected by the adware

It seems malicious users in Brazil are concentrating more of their efforts on coming up with different ways to make money, even using ‘grey’ apps. Maybe it’s a reflection of the new national cybercrime law that makes it a crime to create Trojan bankers.

We suggest that infected users remove any extensions called “PimpMyWindow” or “MudeACordoSeuPerfil” from their Google Chrome or Firefox browsers, as they pose a privacy risk. Kaspersky Anti-Virus users are protected; the various versions of this adware are blocked as AdWare.Win32.PimpMyWindow.
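As an added example (not Kaspersky’s code and nothing recovered from the adware itself), the following Python script turns the removal advice above into a check: it walks a browser extension directory, parses each manifest.json, and flags extensions that carry either of the two names given here or content-script match patterns broad enough to run on every site, HTTPS banking pages included. The sample manifests at the bottom are constructed for illustration.

```python
import json
import os
# Extension names the post tells infected users to remove (lower-cased).
KNOWN_ADWARE_NAMES = {"pimpmywindow", "mudeacordoseuperfil"}
# Match patterns that let a content script run on every site, HTTPS banking
# pages included, which is how the adware described above injects ads.
BROAD_MATCHES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def _strings(values) -> set:
    """Keep only string entries; manifest lists can hold other types."""
    return {v for v in values if isinstance(v, str)}

def assess_manifest(manifest: dict) -> dict:
    """Assess one parsed Chrome-style manifest.json and return findings."""
    name = str(manifest.get("name", "")).strip().lower()
    patterns = set()
    for script in manifest.get("content_scripts", []):
        patterns |= _strings(script.get("matches", []))
    # Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
    patterns |= _strings(manifest.get("permissions", []))
    patterns |= _strings(manifest.get("host_permissions", []))
    broad = sorted(patterns & BROAD_MATCHES)
    known = name in KNOWN_ADWARE_NAMES
    return {"name": manifest.get("name", ""), "known_adware": known,
            "broad_host_access": broad, "suspicious": known or bool(broad)}

def scan_extension_dir(root: str) -> list:
    """Walk a browser extension folder (e.g. Chrome's 'Extensions' directory)
    and assess every manifest.json found; unreadable manifests are skipped."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "manifest.json" not in files:
            continue
        path = os.path.join(dirpath, "manifest.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue
        if not isinstance(manifest, dict):
            continue
        result = assess_manifest(manifest)
        result["path"] = path
        findings.append(result)
    return findings

# Constructed sample manifests for demonstration (not recovered from the adware).
SAMPLE_ADWARE_MANIFEST = {"name": "MudeACordoSeuPerfil",
                          "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}]}
SAMPLE_BENIGN_MANIFEST = {"name": "Tab Counter", "permissions": ["tabs"]}
```

Point `scan_extension_dir` at the browser profile’s extension folder and review any entry whose `suspicious` flag is set; a broad host pattern alone is not proof of adware, but it is what an extension needs in order to inject ads into banking sessions.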

Update: Crossrider.com has informed us that they have removed the files of this adware.


Sandy Gonzalez

Hello, I believe I got a Trojan when I opened the internet and there was some different web page instead of my Google, then there was a system pop-up that had a “XXX [don’t remember name] System Protector” programme and I clicked for a free scan; it completed the scan. It asked for money. I declined, then my Kaspersky showed it was unsafe, had a Trojan, so I tried to close it and it was downloading all by itself! All my icons on the desktop turned white and will not open; it shows:
System call failed :{26EE0668-A00A-44D7-9371-BEB064C98683}
From my start-up menu I can open some apps: Outlook 2010, Excel.
Bottom line, Kaspersky Pure 3.0 says I have “not-a-virus:HEUR:AdWare.Win32.Kranet.heur”; the options from Kaspersky are 1] delete,
2] block or 3] add to exclusions.
I am going to delete, option 1]. Please give me feedback? What in the world is this adware?
Thank you, Sandy
