NEWS FROM THE LAB - Tuesday, April 1, 2014

Coremex Innovates Search Engine Hijacking Posted by FSLabs @ 13:58 GMT

Malware that targets search engine results is nothing new. Malicious browser extensions are also familiar (they typically feed campaigns such as Facebook scams). But very recently, we've identified a noteworthy malware family that attempts to do both. We've named it Coremex. It takes advantage of the plugin functionality provided by browsers to hijack the results of several search engines, taking on online advertising giants such as Google and Yahoo.

Coremex comes as a single Nullsoft Installer executable that acts as both dropper and downloader. Upon execution, the downloader starts collecting basic information from the infected machine, for example the username, the workstation name, processor, memory, et cetera. The information is sent to a command-and-control (C&C) server address that is hard-coded in the binary. The information is encrypted with RC4 using the key "2AJQ8NA4", and the result is encoded with Base64.

Coremex implements some anti-sandbox checks that prevent it from downloading the main payloads, such as the browser extension scripts, from the C&C server. These checks consist of looking for blacklisted process names and for well-known sandbox fingerprints, such as a "VMware" string on the infected machine, via Windows Management Instrumentation (WMI).

Figure 1. Blacklisted process names (stored as hashes):


Figure 2. Anti-sandbox fingerprint names (stored as hashes):


If the anti-sandbox component does not raise a red flag, Coremex proceeds to download additional payloads from the C&C server. However, the author uses a different C&C server for the payload download (at least at the time of our analysis).

The C&C server addresses consist of:


After the payloads are downloaded successfully, Coremex installs them silently. From then on, the browser extension resides in the browser process whenever the victim opens Chrome or Firefox.

Coremex's JavaScript is heavily obfuscated, with three layers of obfuscation to make analysis harder. Behind the scenes, the script registers several event listeners using the API provided by the browser and waits for these events to be triggered.

Figure 3. The malicious browser extension registers multiple event listeners:


One of the event listeners runs once an hour. When its callback executes, it starts connecting to the following bogus search engine websites:

  •  onlinetrack.org
  •  zvtracker.com

The other event listeners are responsible for parsing the URL that the affected browser is about to visit. Their callback functions look for a search query entered into one of the following search engine platforms:

  •  Google
  •  Bing
  •  Yahoo
  •  ASK
  •  AOL
  •  AVG
  •  MyWebSearch
  •  Search-Results
  •  Comcast
  •  Delta-Search

Figure 4. A list of search engine platforms targeted by Coremex:


When a targeted search engine platform is found and the search query has been parsed from the URL, Coremex first transforms the victim's search query into a JSON object:


The JSON object is then encrypted with the RC4 algorithm using the key "http", and the result is encoded with Base64. The Base64-encoded string is sent to a search engine platform presumably controlled by the author:


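As an added example (not code from the post or from the Coremex sample itself), the following Python decoder handles the two message formats described above: the dropper's host fingerprint (RC4 with key "2AJQ8NA4", then Base64) and the extension's search query (RC4 with key "http", then Base64). It is meant for decoding captured traffic during analysis; the JSON field names in the sample object are constructed, since the real ones are only visible in the screenshot.

```python
import base64
import json

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream generation).
    Encryption and decryption are the same XOR operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# The two keys reported in the analysis above.
BEACON_KEY = b"2AJQ8NA4"   # dropper -> C&C host fingerprint
QUERY_KEY = b"http"        # extension -> search-hijack backend

def encode_message(obj: dict, key: bytes) -> str:
    """JSON -> RC4 -> Base64, mirroring the reported message format."""
    return base64.b64encode(rc4(key, json.dumps(obj).encode())).decode("ascii")

def decode_message(b64: str, key: bytes) -> dict:
    """Base64 -> RC4 -> JSON: the reverse direction, for captured traffic."""
    plain = rc4(key, base64.b64decode(b64))
    return json.loads(plain.decode("utf-8"))

def decode_with_known_keys(b64: str) -> tuple:
    """Try both known keys; return (key, object) for the first that yields valid JSON,
    or (None, None) if neither does (wrong key gives garbage, not JSON)."""
    for key in (QUERY_KEY, BEACON_KEY):
        try:
            return key, decode_message(b64, key)
        except ValueError:  # covers bad Base64, bad UTF-8 and bad JSON
            continue
    return None, None

if __name__ == "__main__":
    # Constructed sample; the real field names are not reproduced in the post.
    sample = {"q": "example search", "engine": "google"}
    wire = encode_message(sample, QUERY_KEY)
    print(wire)
    print(decode_with_known_keys(wire))
```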
The server's response contains an encrypted JSON object with a list of destination websites, which determines where a page with an ad-like URL will be redirected. An example of a Google AdWords URL might look like this:

Google Adwords URL

Figure 5. Code responsible to parse Google AdWords URL pattern:


The decrypted JSON object might look like:

decrypted JSON object

The following screenshot shows the Coremex script in action: when the victim clicks an ad's URL, the ad's page is hijacked and redirected to the author's intended destination website.

Figure 6. A Google AdWords URL being hijacked:


Figure 7. The Google AdWords page is hijacked with an IFRAME:


Regarding the IFRAME injected into the hijacked ad page: during our analysis, the server never replied with a destination website, so we have not yet seen where a hijacked ad would be redirected. But it is clear that the author's intention is to take advantage of popular online advertising services.

SHA1: 62b5427b10f70aeac835a20e71ab0d22dd313e71


Post by — Wayne