New Adware Attacks Users Searching for Meta Quest App for Windows

Attackers often target users searching for the Meta Quest app because such users tend to download and install it as quickly as possible, which exposes them to malicious versions of the software.

Recently, eSentire’s 24/7 Security Operations Centers (SOCs), which are operated by Elite Threat Hunters and Cyber Analysts who quickly identify, examine, and respond to threats, discovered a new adware that targets users searching for the Meta Quest app for Windows.

This group has discovered significant attacks, including the Kaseya MSP breach and the more_eggs malware.


Adware Attacks Users Searching for Meta Quest

Additionally, their SOCs are supported by a Threat Response Unit (TRU), which provides Threat Intelligence, Tactical Threat Response, and Advanced Threat Analytics.

The TRU Positives reports, issued by the TRU team, share synopses of recent threat investigations that reveal new cyber security challenges.

In June of 2024, the eSentire Threat Response Unit detected AdsExhaust, an adware disguised as an installation software for Oculus.

This malicious software steals screenshots from internet users and manipulates their browsing activity to generate income through advertising.

Initial Infection Chain (Source - eSentire)

The infection chain starts with the download of a ZIP file containing batch scripts that fetch additional malicious components and create scheduled tasks for persistence.


A PowerShell script then runs in a loop, collecting system details, taking screenshots, and sending the information to a command-and-control (C2) server.

The adware’s well-developed persistence techniques and data-exfiltration capabilities underscore the evolving risk posed by seemingly harmless downloads of common programs.

AdsExhaust is built around a malicious PowerShell payload that uses a mutex to ensure only one instance of the malware runs, and it targets Microsoft Edge.

In its idle state, it simulates user interaction with ads by injecting clicks, opening tabs, and navigating to embedded URLs. This adware takes screenshots and overlays them in order to hide itself.

Snippet of the URLs embedded in the script (Source - eSentire)

Once it detects that ads are open, it interacts with “Sponsored” content on the pages to generate fraudulent advertising revenue. Additionally, AdsExhaust performs Google searches using keywords fetched from a remote server.

This highly advanced adware combines techniques such as C2 communication, keystroke simulation, and screen manipulation to evade detection while generating fraudulent revenue through artificial ad engagement.

Recommendations

The recommendations are as follows:

  • Deploy EDR solutions on all devices.
  • Implement Phishing and Security Awareness Training (PSAT).
  • Change the default ‘open-with’ settings for script files to text editors.
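One way to apply the last recommendation, added here as an example and not taken from the eSentire report: the PowerShell below points the “open” verb of the common script ProgIDs (batfile, cmdfile, JSFile, VBSFile and their siblings) at Notepad, so a double-clicked batch or script file is displayed as text rather than executed. It assumes an elevated shell and that no per-user UserChoice override exists for those extensions.

```powershell
# Added example: re-point script ProgIDs at Notepad so double-clicked
# .bat/.cmd/.js/.jse/.vbs/.vbe/.wsf/.wsh files open as text, not as code.
# Assumptions: run elevated; no per-user UserChoice override under
# HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts.
# Interpreters invoked explicitly (cmd.exe /c foo.bat) are unaffected.

$ProgIds = @('batfile', 'cmdfile', 'JSFile', 'JSEFile',
             'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile')
$Notepad = Join-Path $env:SystemRoot 'System32\notepad.exe'

function Set-ScriptOpenWithNotepad {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$ProgId = $ProgIds)

    foreach ($id in $ProgId) {
        $key = "HKLM:\SOFTWARE\Classes\$id\shell\open\command"
        if (-not (Test-Path $key)) {
            Write-Warning "ProgID $id has no open command on this host; skipping."
            continue
        }
        $current = (Get-ItemProperty -Path $key).'(default)'
        $target  = "`"$Notepad`" `"%1`""
        if ($current -eq $target) { continue }   # already hardened

        if ($PSCmdlet.ShouldProcess($key, 'set open command to Notepad')) {
            # Keep the original launcher once so the change can be reverted.
            $saved = Get-ItemProperty -Path $key -Name 'PreviousCommand' -ErrorAction SilentlyContinue
            if (-not $saved) {
                Set-ItemProperty -Path $key -Name 'PreviousCommand' -Value $current
            }
            Set-ItemProperty -Path $key -Name '(default)' -Value $target
        }
    }
}

function Get-ScriptOpenWith {
    # Audit view: what each script ProgID currently launches on double-click.
    foreach ($id in $ProgIds) {
        $key = "HKLM:\SOFTWARE\Classes\$id\shell\open\command"
        $cmd = if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { '<missing>' }
        [pscustomobject]@{ ProgId = $id; Command = $cmd }
    }
}

Set-ScriptOpenWithNotepad -WhatIf        # preview the registry changes first
Get-ScriptOpenWith | Format-Table -AutoSize
```

Run `Set-ScriptOpenWithNotepad` without `-WhatIf` to apply the change, then re-run `Get-ScriptOpenWith` to confirm every ProgID lists notepad.exe.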


Tushar Subhra Dutta
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology, and other news.