Spam programs are illegal programs according to the ACT ON PROMOTION OF INFORMATION AND COMMUNICATIONS NETWORK UTILIZATION AND INFORMATION PROTECTION. The ASEC analysis team previously published a blog post about a spam program sold as a marketing program. Today, we will introduce a program similar to the spam program covered in the past.
The file, collected under the filename ‘Naver Blog Report Program.exe’, was developed in C#, just like the spam program covered in the previous blog post. Its key feature is to search for posts on certain blogs by keyword; if the text of a blog post includes a certain URL, the post is added to a list and reported.
So far, it seems as if the features above belong to a normal program. However, the blog-reporting program includes a feature to bypass CAPTCHA, a piece of technology made to block bots or malicious programs that are used to continuously send spam messages to web pages. This can be seen as an attempt to intentionally bypass the service provider’s safety feature, which is required to maintain normal service.
The features of the promotional blog post-writing spam program include automatic login to the program in order to download images from certain websites and automatically write blog posts, changing the IP address in order to upload spam posts continuously, and automatic ID login. Messages such as ‘View description,’ ‘View details,’ and ‘As part of the partnership program,’ are commonly included in the posts. Because of these messages, users can mistake the posts for normal advertising and promotional blog posts, just like the one in Figure 4. However, we can see that this blog post was created in the same way, with the program above.
Figure 2 shows the details of the blog search performed by the blog-reporting program. Two of the three URLs in the figure were also found in the promotional blog post-writing spam program. Currently, all three URLs are inaccessible.
CAPTCHA is a piece of technology made to allow service providers to block bots or malicious programs that are used to continuously send spam messages to web pages. This means that bypassing it to repeatedly perform certain behaviors is not an acceptable method of service use. In short, users should refrain from using such PUP-type programs.
– PUP/Win.Generic.C536347 (2022.11.16.01)
– PUP/Win.Generic.C534586 (2022.11.16.01)
– PUP/Win.Generic.C534663 (2022.11.16.03)