The malware will first check to see if Microsoft’s Edge browser is running, and checks when was the last time a user interacted with the browser. When the endpoint is idle for nine minutes, the script will open new tabs, navigate to certain URLs, scroll up and down the page randomly, and inject clicks. All of this results in ad revenue for the malware’s operators.
Furthermore, the adware, called AdsExhaust, can grab screenshots and simulate keystrokes, it was said.
“The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes,” eSentire said. “These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators.”
Stealthy Operations
AdsExhaust is also relatively good at hiding, the researchers concluded. If it spots mouse movements (which means a user is at the computer), it will close the opened browser, and create an overlay to hide its actions.
“AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue,” the researchers concluded. “It contains multiple techniques, such as retrieving malicious code from the C2 server, simulating keystrokes, capturing screenshots, and creating overlays to remain undetected while engaging in harmful activities.”
Via TheHackerNews