Malware Being Sneakily Installed in My PC-BeamWinHTTP Malware

The weekly malware statistics which ASEC analysis team uploads every week show that the number of occurrences for a downloader type malware named BeamWinHTTP has been on the rise for the last few weeks.

According to the last ASEC weekly malware statistics, BeamWinHTTP malware is one of the top 3 most distributed malware. Since it downloads various types of malware when run, users must take extra caution.

BeamWinHTTP malware is executed by a PUP installer, and users who attempt to install the desired program from the Internet eventually end up downloading and running PUP installer shown below.
※ PUP program: PUP stands for Potentially Unwanted Program. It is a program that requests for user’s consent but is unwanted by the user.

PUP installer gets installed successfully when the filename of the executable is entered in a certain pattern shown below. This is because the installer is an empty husk, and look for the actual installer to bring download path and file info from the web.

Figure 1. PUP installer

Upon executing PUP installer, the window shown below appears, shows the download path and file info after looking for the filename.

Figure 2. PUP installer window – 1

Upon clicking Advanced Option button on the bottom right side, the installer asks for the user’s agreement for PUP installation. If the user agrees to the installation of G-Cleaner, BeamWinHTTP malware is executed.

Figure 3. PUP installer window – 2

As the installation continues, the program that the user wants gets downloaded. Once the download is complete, multiple PUP programs get installed secretly.

As shown in the figure below, PUP installer downloads malware into Temp directory and runs it. This malware is the BeamWinHTTP malware.

Figure 4. Downloads BeamWinHTTP malware runs it

BeamWinHTTP malware once again installs a PUP program named Garbage Cleaner, and this program deletes simple temporary files and prompts user to purchase a license.

Figure 5. Garbage Cleaner PUP program

Then ultimately, it downloads the key malware and executes it. A different malware is downloaded each time, and usually, an info-stealer malware that steals user’s account info is downloaded.

Figure 6. Additionally downloaded malware

Users must note that their personal account information could end up being stolen when attempting to download a simple program such as the above, therefore extra caution is advised. When downloading a file from the Internet, users must make sure that the file is from a reliable source.

AhnLab’s anti-malware solution V3 detects this malware using the aliases below.

[File Detection]
Downloader/Win32.BeamLoader.C4356144
Trojan/Win32.MalPe.R368818

[IOC Info]
cdea4ba9137432aab58f5541e30595eb
90d01324d134695266115e71e43e35dc
10f74757da29c601937ea3ed94f6f807
hxxp://gcleaner.pro/

5 1 vote
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments