Meta Quest Users Targeted By AdWare

Users searching for the Meta Quest application for Windows are being tricked into downloading a new adware family called AdsExhaust.

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

A new cybersecurity threat is tricking users searching for the Meta Quest (formerly Oculus) application for Windows into downloading a new adware family called AdsExhaust. This malicious campaign has been identified by the cybersecurity firm eSentire, which provided an in-depth analysis of the threat.

What is AdsExhaust?

AdsExhaust is sophisticated adware that not only displays unwanted advertisements but also exfiltrates sensitive information from infected devices. It can take screenshots and interact with web browsers using simulated keystrokes. These capabilities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators.

Infection Chain

The infection begins with a bogus website ("oculus-app[.]com") appearing in Google search results, thanks to search engine optimization (SEO) poisoning techniques. Unsuspecting users download a ZIP archive ("oculus-app.EXE.zip") containing a Windows batch script. This script fetches a second batch script from a command-and-control (C2) server, which in turn retrieves another batch file. Scheduled tasks are then created on the infected machine to run these batch scripts at different times.

The legitimate Meta Quest app is downloaded onto the compromised host, while additional Visual Basic Script (VBS) files and PowerShell scripts are dropped to gather IP and system information, capture screenshots, and exfiltrate data to a remote server.

Adware Activities

The PowerShell-based AdsExhaust adware checks whether Microsoft's Edge browser is running and determines the last time a user interacted with the system. If Edge is running and the system has been idle for more than nine minutes, the adware can inject clicks, open new tabs, and navigate to URLs embedded in the script. It also performs random scrolling on the opened page to trigger ads, inflating ad revenue for the operators.

AdsExhaust is designed to conceal its activities from the victim by closing the browser if mouse movement or user interaction is detected. It creates an overlay to hide its actions and searches for the word "Sponsored" in the currently opened Edge browser tab to click on ads.

Furthermore, the adware fetches a list of keywords from a remote server and performs Google searches for those keywords by launching Edge browser sessions via the Start-Process PowerShell command.
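For defenders, the stages described in the two sections above leave traces in process-creation telemetry. The sketch below is an added example, not code from this article or from eSentire. Its events, host names, file names, task names and rule names are constructed, and its three rules are heuristics derived only from the behaviours described here (a script run from an archive named like an executable, a scheduled task that runs a script, and Edge started by PowerShell).

```python
import re

# Constructed process-creation events; hosts, paths, task names and the
# search URL are invented for illustration and are not from the eSentire report.
SAMPLE_EVENTS = [
    ("host1", "explorer.exe", "cmd.exe",
     r'cmd /c "C:\Users\a\AppData\Local\Temp\Temp1_oculus-app.EXE.zip\example.bat"'),
    ("host1", "cmd.exe", "schtasks.exe",
     r'schtasks /create /tn "ExampleTask" /tr "C:\Users\a\AppData\Local\Temp\example2.bat" /sc minute /mo 30'),
    ("host1", "powershell.exe", "msedge.exe",
     r'msedge.exe "https://www.google.com/search?q=example+keyword"'),
    ("host2", "explorer.exe", "msedge.exe", r"msedge.exe --profile-directory=Default"),
    ("host2", "svchost.exe", "schtasks.exe",
     r'schtasks /create /tn "Updater" /tr "C:\Program Files\App\update.exe" /sc daily'),
]

SCRIPT_EXT = r"\.(?:bat|cmd|vbs|ps1)"
RULES = {
    # Script started straight out of an archive whose name looks like an executable.
    "script_from_exe_zip": lambda p, i, c: bool(
        re.search(r"\.exe\.zip\\[^\"]*" + SCRIPT_EXT, c, re.I)),
    # Scheduled task whose action (/tr) is a script rather than a binary.
    "schtask_runs_script": lambda p, i, c: i.lower() == "schtasks.exe" and bool(
        re.search(r"/create\b.*?/tr\s+\"?[^\"]*" + SCRIPT_EXT + r"\b", c, re.I)),
    # Edge started by PowerShell (Start-Process) instead of the user's shell.
    "edge_from_powershell": lambda p, i, c: (
        p.lower() in ("powershell.exe", "pwsh.exe") and i.lower() == "msedge.exe"),
}

def triage(events):
    """Return {host: sorted list of rule names that fired on that host}."""
    hits = {}
    for host, parent, image, cmdline in events:
        for name, rule in RULES.items():
            if rule(parent, image, cmdline):
                hits.setdefault(host, set()).add(name)
    return {h: sorted(r) for h, r in hits.items()}

def likely_chain(events, min_stages=2):
    """Hosts where several stages of the described chain appear together."""
    return sorted(h for h, r in triage(events).items() if len(r) >= min_stages)

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(likely_chain(SAMPLE_EVENTS))
```

Each rule on its own will match legitimate administration activity, so the useful signal is several stages firing on the same host.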

Who is at Risk?

This campaign specifically targets users searching for the Meta Quest application for Windows. However, any user who unknowingly downloads and installs the adware from a fake website is at risk. The adware primarily affects those using the Edge browser on Windows systems.

Executives and High-Profile Users

While the primary targets are general users looking for the Meta Quest application, high-profile individuals and executives who may use similar search queries are also at risk. These individuals are often targeted due to their access to sensitive information and resources.

How to Protect Yourself

Verify Download Sources

Always verify the authenticity of the websites from which you download software. Official websites and trusted sources should be your primary choice. Avoid downloading software from unfamiliar or suspicious sites.

Use Reliable Security Software

Install and maintain reliable antivirus and anti-malware software. Regularly update the software to ensure it can detect and mitigate the latest threats.

Be Cautious with Search Results

Be wary of search results, especially when looking for popular applications. Cybercriminals often use SEO poisoning to make malicious sites appear at the top of search results.

Monitor Browser Activity

Regularly monitor your browser activity and be aware of any unusual behavior, such as unexpected ads or redirects. If you notice anything suspicious, perform a thorough scan of your system.

Keep Your System Updated

Ensure your operating system and all installed software are up to date with the latest security patches. This helps protect against vulnerabilities that can be exploited by malware.

Educate Yourself and Others

Stay informed about the latest cybersecurity threats and educate others about safe online practices. Awareness is a crucial step in preventing infections.

Conclusion

The discovery of the AdsExhaust adware campaign highlights the ongoing threats in the cybersecurity landscape. By using sophisticated techniques like SEO poisoning and simulated keystrokes, cybercriminals can easily trick users into downloading malicious software. It is essential to stay vigilant, verify sources, and use reliable security measures to protect yourself from such threats. By understanding the risks and implementing protective strategies, you can safeguard your digital assets and maintain your online security.