Adware Taking Cues from APT


The Dell SonicWALL Threats Research Team has recently encountered an interesting case of adware with some unexpected features: an embedded scripting engine and a staged, remotely-directed loader chain, reminiscent of the Flame/SkyWiper cyber espionage malware.

Infection Cycle

The adware package is a typical Nullsoft Scriptable Install System (NSIS) bundle, but the primary payload is a binary that includes a built-in Lua interpreter. On execution, this payload installs itself as a system service.
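The two static traits described above (an NSIS wrapper and a payload that statically links Lua) can both be recognised from byte patterns without running the sample. The following Python triage helper is an added example, not SonicWall's tooling: it looks for the NSIS "first header" magic in a file and for the `lua_ident` string that the Lua core library compiles into every host binary. The sample blobs at the bottom are constructed stand-ins, not the adware's real files.

```python
"""Static triage for two traits: an NSIS installer wrapper and an embedded
Lua interpreter.  Added example, not the original analysts' tooling."""
import re
import struct

# NSIS "first header" magic: the 32-bit value 0xDEADBEEF (little-endian)
# immediately followed by the 12-byte tag "NullsoftInst".  It lives in the
# PE overlay, after the stub executable.
NSIS_MAGIC = b"\xef\xbe\xad\xdeNullsoftInst"

# lapi.c compiles lua_ident into the Lua core, so a statically linked Lua
# carries "$Lua: Lua 5.x.y Copyright ..." verbatim even when stripped.
LUA_IDENT_RE = re.compile(rb"\$Lua: Lua (\d+\.\d+(?:\.\d+)?) Copyright")

# Public Lua C API names an embedding host usually keeps as plain strings.
LUA_API_NAMES = (b"luaL_newstate", b"luaL_loadbuffer", b"lua_pcall", b"luaL_openlibs")


def find_nsis_header(data: bytes):
    """Return (offset, header_len, archive_size) for an NSIS first header,
    or None if the magic is absent or truncated."""
    idx = data.find(NSIS_MAGIC)
    if idx < 4:
        return None
    # Layout: flags(4) | 0xDEADBEEF(4) | "NullsoftInst"(12) | header_len(4) | archive_size(4)
    start = idx - 4
    if len(data) < start + 28:
        return None
    _flags, _sig, _tag, header_len, arch_size = struct.unpack_from("<II12sII", data, start)
    return start, header_len, arch_size


def lua_version(data: bytes):
    """Version string from lua_ident, e.g. '5.1.4', or None."""
    m = LUA_IDENT_RE.search(data)
    return m.group(1).decode() if m else None


def lua_api_hits(data: bytes):
    return [n.decode() for n in LUA_API_NAMES if n in data]


def triage(data: bytes) -> dict:
    nsis = find_nsis_header(data)
    ver = lua_version(data)
    api = lua_api_hits(data)
    return {
        "nsis_installer": nsis is not None,
        "nsis_archive_size": nsis[2] if nsis else None,
        "lua_version": ver,
        # Assumption: the ident string alone, or two or more API names, is
        # taken as evidence of an embedded interpreter.
        "embeds_lua": ver is not None or len(api) >= 2,
        "lua_api_hits": api,
    }


# Constructed samples (not real malware): a fake PE with an NSIS first header
# in its overlay, and a fake payload carrying Lua's ident string plus two
# API names.
SAMPLE_NSIS = (b"MZ" + b"\x00" * 64
               + struct.pack("<II12sII", 0, 0xDEADBEEF, b"NullsoftInst", 0x1234, 0x56789)
               + b"\x00" * 16)
SAMPLE_LUA = (b"MZ" + b"\x00" * 32
              + b"$Lua: Lua 5.1.4 Copyright (C) 1994-2008 Lua.org, PUC-Rio $\n"
              + b"luaL_newstate\x00lua_pcall\x00")

if __name__ == "__main__":
    for label, blob in (("installer", SAMPLE_NSIS), ("service_payload", SAMPLE_LUA)):
        print(label, triage(blob))
```

Run it against the real dropper and the service binary separately: the NSIS magic is expected only in the outer bundle, while the Lua markers should appear in the extracted service executable. A packed payload will hide the Lua strings until it is unpacked, so a negative result from this check is not conclusive.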

Once the service starts, it attempts to download the main Lua script.

The malware downloads a Lua script

The Lua script payload itself contains over 2500 lines of code. Its purpose is to provide a remote command and control channel: the script's main loop periodically polls remote servers for additional scripts and commands to run on the local system.

Examination of Lua code shows download and execution capabilities

After the Lua code launches, it fetches another binary from the remote servers. In this case a Windows DLL is downloaded and loaded into the existing service process. This DLL provides additional backdoor functionality and includes its own hardcoded command and control addresses, so the backdoor keeps working even if the Lua stage's servers go away.

Hardcoded addresses found inside the DLL module

Much like the Lua script, the DLL is capable of downloading and executing additional payloads.

The DLL includes several functions to drop and execute additional payloads

Indicators of Compromise

To persist on the target machine, the malware installs itself as a system service named "Updater", configured to start at boot. The registry entry for the service is shown below.

The registry entry for the malicious system service

The malware process also creates several randomly-named mutexes per thread, as shown below; a burst of such mutexes in a service process is a usable host indicator on its own.

The malware process spawns a number of randomly-named mutexes
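Both host indicators above, the boot-time "Updater" service and the burst of randomly-named mutexes, can be hunted for offline from exported artifacts. The Python below is an added example, not SonicWall's tooling: it parses a Regedit `.reg` export of the Services key and a constructed handle listing (pid, process, object type, object name, as you would export from a handle-enumeration tool), flags an auto-start service named "Updater" or one whose image lives outside the usual system directories, and scores mutex names for randomness. The process name `updater_svc.exe`, the paths, the entropy and count thresholds, and the trusted-directory list are all assumptions for the example.

```python
"""Hunt for the two host indicators: a boot-time service named "Updater"
and a cluster of random-looking mutex names in one process.
Added example, not the original analysts' tooling; thresholds are assumptions."""
import math
import re
from collections import Counter, defaultdict

SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Services\\([^\\\]]+)\]$",
    re.IGNORECASE)
VALUE_RE = re.compile(r'^"(\w+)"=(?:dword:([0-9a-f]{8})|"(.*)")$', re.IGNORECASE)
SERVICE_AUTO_START = 2  # Start=2 means the SCM launches it at boot
# Assumption: services whose image is under these roots get no path warning.
TRUSTED_DIRS = ("c:\\windows\\", "%systemroot%\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_reg_services(text: str) -> dict:
    """Map service name -> {value name: data} from a .reg export."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = SERVICE_KEY_RE.match(line)
        if key:
            current = services.setdefault(key.group(1), {})
            continue
        val = VALUE_RE.match(line) if current is not None else None
        if val:
            name, dword, string = val.groups()
            # .reg exports double every backslash inside string data
            current[name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return services


def suspicious_services(services: dict) -> list:
    hits = []
    for name, vals in services.items():
        image = str(vals.get("ImagePath", "")).strip('"').lower()
        if image.startswith("\\??\\"):
            image = image[4:]
        reasons = []
        if name.lower() == "updater":
            reasons.append("service name matches indicator")
        if vals.get("Start") == SERVICE_AUTO_START and not image.startswith(TRUSTED_DIRS):
            reasons.append("auto-start service outside system directories")
        if reasons:
            hits.append({"name": name, "image": vals.get("ImagePath"), "reasons": reasons})
    return hits


BNO_RE = re.compile(r"^\\(?:Sessions\\\d+\\)?BaseNamedObjects\\", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[A-Za-z0-9]{8,}$")
MIN_ENTROPY = 3.0            # bits per character; assumption
MIN_RANDOM_PER_PROCESS = 3   # how many random names make a "burst"; assumption


def shannon(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_random(name: str) -> bool:
    """Alphanumeric, mixes letters and digits, no separators, high entropy:
    typical of generated names and atypical of vendor mutex names."""
    bare = BNO_RE.sub("", name)
    return (RANDOM_NAME_RE.match(bare) is not None
            and any(ch.isdigit() for ch in bare) and any(ch.isalpha() for ch in bare)
            and shannon(bare) >= MIN_ENTROPY)


def random_mutex_bursts(listing) -> dict:
    """Return {(pid, process): [names]} for processes holding >= threshold
    random-looking Mutant objects.  listing: iterable of (pid, proc, type, name)."""
    per_proc = defaultdict(list)
    for pid, proc, obj_type, name in listing:
        if obj_type == "Mutant" and looks_random(name):
            per_proc[(pid, proc)].append(BNO_RE.sub("", name))
    return {k: v for k, v in per_proc.items() if len(v) >= MIN_RANDOM_PER_PROCESS}


# Constructed sample data; not captured from the real sample.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Updater]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\ProgramData\\Updater\\updater_svc.exe"
"DisplayName"="Updater"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"Start"=dword:00000003
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"
'''
SAMPLE_HANDLES = [
    (1337, "updater_svc.exe", "Mutant", r"\Sessions\1\BaseNamedObjects\k8Xq2pLm9vT4"),
    (1337, "updater_svc.exe", "Mutant", r"\Sessions\1\BaseNamedObjects\xR7tQ9mN4pWz"),
    (1337, "updater_svc.exe", "Mutant", r"\Sessions\1\BaseNamedObjects\A1b2C3d4E5f6"),
    (1337, "updater_svc.exe", "Event", r"\Sessions\1\BaseNamedObjects\Zz9Yy8Xx7Ww6"),
    (2048, "explorer.exe", "Mutant", r"\Sessions\1\BaseNamedObjects\ShimCacheMutex"),
    (2048, "explorer.exe", "Mutant", r"\BaseNamedObjects\MSCTF.Asm.MutexDefault1"),
]

if __name__ == "__main__":
    print(suspicious_services(parse_reg_services(SAMPLE_REG)))
    print(random_mutex_bursts(SAMPLE_HANDLES))
```

On a live host, export the Services key with `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` and feed the file to `parse_reg_services`; the mutex check expects an object listing that you normalise to the four-column shape above. The randomness heuristic is deliberately conservative (vendor mutex names usually contain dots, words or no digits), so tune `MIN_RANDOM_PER_PROCESS` against a baseline of clean hosts before alerting on it.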

Summary

Overall, this malware is a staged downloader: its job is to gain a persistent foothold on the target machine and then fetch and run additional components under remote control. Dell SonicWALL Gateway Anti-Virus provides protection against this threat with the following signatures:

  • GAV: AdPeak.B
  • GAV: Proxy.B

A special thanks to Brad Arndt for assistance in initial identification and information gathering.

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.