At the end of November 2016, cyber criminals attempted to compromise the Ask Toolbar Updater and use it as a malware distribution channel. It appears that the attackers were trying to abuse the Ask Toolbar's update feature to push a malware dropper onto the PCs of people who had the Ask.com browser add-on installed. Some clients of the security firm Red Canary reported suspicious software appearing on their computers, and the firm quickly investigated those reports. Further analysis of the attack against the Ask.com Toolbar Updater revealed that the cyber criminals controlled the dropper entirely and could have used it to infect a victim's system with any malicious software they chose, such as ransomware, banking Trojans, worms, or keyloggers. Fortunately, the attack was stopped quickly: the security firm contacted Ask.com, and updates were released that fixed the flaws in the updater. Criminals can therefore no longer exploit the Ask.com Toolbar for malicious purposes.
According to security researchers, once the malware was installed, the victim's web browser started to behave suspiciously. The toolbar's updater process (the apnmcp.exe file) spawned suspicious child processes. Although the update file carried a legitimate certificate, Red Canary's monitoring system detected an additional process that launched a file named logo.png. That file initiated a network connection, which was used to download two or three binaries that the same .png file later executed. This suggests that attackers may be testing ways to deliver malicious payloads in files with .png extensions.
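The behaviour chain described above (a signed updater spawning a process whose image has an image-file extension, which then makes a network connection and launches further processes) is exactly the kind of parent-child relationship endpoint telemetry can catch. The script below is an added example, not code from the article or from Red Canary; it runs a simple detection over constructed process and network events. The record layout, paths, PIDs and the 203.0.113.0/24 address are assumptions made for the example, not any vendor's schema or real indicators.

```python
"""
Added detection example: flag children of a trusted updater whose process image
carries a non-executable extension (the article's case is logo.png), and enrich
each finding with the network connections and child processes that follow.
"""
import os
from collections import defaultdict

# A genuine program image should never carry one of these extensions; a process
# running from such a file is treated as masquerading.
NON_EXECUTABLE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".bmp", ".txt", ".dat"}

# Constructed telemetry for this example (not real logs). Each record is
# (event_type, pid, ppid, image_path, detail); PIDs, paths and the remote
# address are placeholders.
SAMPLE_EVENTS = [
    ("process_start", 100, 1,   r"C:\Program Files\Ask\apnmcp.exe", "signed updater"),
    ("process_start", 200, 100, r"C:\Users\user\AppData\Local\Temp\logo.png", ""),
    ("net_connect",   200, 100, r"C:\Users\user\AppData\Local\Temp\logo.png", "203.0.113.10:443"),
    ("process_start", 301, 200, r"C:\Users\user\AppData\Local\Temp\one.exe", ""),
    ("process_start", 302, 200, r"C:\Users\user\AppData\Local\Temp\two.exe", ""),
    # A benign child of the updater: ordinary extension, no network, no children.
    ("process_start", 400, 100, r"C:\Windows\System32\conhost.exe", ""),
]


def basename_lower(path):
    """Lower-cased file name of a Windows or POSIX path (works on any host OS)."""
    return os.path.basename(path.replace("\\", "/")).lower()


def find_masquerading_chains(events, updater_name="apnmcp.exe"):
    """Return one finding per child of `updater_name` whose image has a
    non-executable extension, with its follow-on network and process activity."""
    image_by_pid = {}                  # pid -> (ppid, image path)
    children_of = defaultdict(list)    # ppid -> [child pids]
    net_by_pid = defaultdict(list)     # pid -> [remote endpoints]
    for etype, pid, ppid, image, detail in events:
        if etype == "process_start":
            image_by_pid[pid] = (ppid, image)
            children_of[ppid].append(pid)
        elif etype == "net_connect":
            net_by_pid[pid].append(detail)

    findings = []
    for pid, (ppid, image) in image_by_pid.items():
        parent = image_by_pid.get(ppid)
        if parent is None or basename_lower(parent[1]) != updater_name.lower():
            continue
        ext = os.path.splitext(basename_lower(image))[1]
        if ext not in NON_EXECUTABLE_EXTENSIONS:
            continue
        reasons = [
            f"image {basename_lower(image)} has non-executable extension {ext}",
            f"parent is trusted updater {updater_name}",
        ]
        if net_by_pid[pid]:
            reasons.append(f"made {len(net_by_pid[pid])} outbound connection(s): "
                           + ", ".join(net_by_pid[pid]))
        if children_of[pid]:
            reasons.append(f"spawned {len(children_of[pid])} further process(es)")
        # Network activity plus spawned children is the full dropper pattern.
        severity = "high" if net_by_pid[pid] and children_of[pid] else "medium"
        findings.append({
            "pid": pid,
            "image": image,
            "severity": severity,
            "net_connections": len(net_by_pid[pid]),
            "children": [image_by_pid[c][1] for c in children_of[pid]],
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_masquerading_chains(SAMPLE_EVENTS):
        print(f"[{finding['severity'].upper()}] pid={finding['pid']} image={finding['image']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

The rule keys on the parent being the updater rather than on any file hash, so it still fires if the dropper is renamed to another image extension or re-downloaded with different contents; conhost.exe in the sample shows a normal updater child is left alone.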
Many computer users are aware of the Ask.com Toolbar and its not-so-great reputation. The backlash against this piece of software was caused by the aggressive distribution techniques the company used to push it onto the computers of users who were trying to install other software. This free browser add-on was frequently bundled with Java updates, and because of these distribution techniques many security firms classify the toolbar as a potentially unwanted program and a browser hijacker. However, we must point out that the Ask.com organization had no part in carrying out this attack, which was the work of unidentified cyber criminals. The company reacted quickly and took the measures necessary to stop it.