AdService Trojan steals sensitive data using Chrome DLL hijacking

AdService Trojan might steal login credentials and other personal information


Security researchers have recently detected the AdService Trojan (also known as Trojan.Adservice[1]), which uses a malicious DLL file[2] to steal users' information, including logins and passwords. According to the latest data, it targets Facebook and Twitter login credentials and other account data.

The Trojan spreads via adware bundles, so it can enter the system unnoticed alongside fake PC optimization tools, Chrome extensions,[3] Russian adware[4] and similar potentially unwanted programs.

The malware targets the Google Chrome web browser and is loaded as soon as the malicious DLL file is executed. From then on, sensitive information can end up in the hands of cybercriminals.

Fortunately, most security programs can detect this Trojan. However, after removing it, you should change the passwords of all your accounts to limit the damage already done.

The Trojan exploits DLL hijacking technique

The Trojan horse enters the system as a file named AdService.dll. DLL files are shared libraries used by many Windows programs and processes; they are ordinary, essential components and not harmful in themselves.

This file, however, serves a different purpose. Once on the system, it hides behind svchost.exe, a legitimate system process, which makes the virus hard to spot.

Currently, this cyber threat attacks Google Chrome only. After the infiltration, it installs an obfuscated version of winhttp.dll in the C:\Program Files (x86)\Google\Chrome\Application directory. Chrome normally loads this DLL from C:\Windows\System32, but the Windows loader searches an application's own directory before the system directories (for libraries that are not on the KnownDLLs list), so once the planted copy is present the browser loads the malicious file instead of the genuine one.

DLL hijacking[5] is a deceptively simple attack. Every Windows program depends on DLLs to run or to provide particular features, so an attacker who can plant a file where the loader looks first can make an otherwise legitimate program execute attacker code with that program's privileges. In this case, the criminals were able to track logins to social networks and other web services.
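As an added illustration (not the article's own tooling, and not a reproduction of the malware), the following Python script performs the check a responder would want after reading the section above: it walks a program directory, lists every DLL whose name also exists in System32, and reports whether the two copies differ, while `resolve_dll` mirrors the loader's first-match rule to show which copy wins. The directory layout and file contents in `build_demo_tree` are constructed placeholders so the script runs offline on any OS; on a Windows host point it at the real paths named above.

```python
"""Audit a program's directory for DLLs that shadow copies in System32.

The Windows loader searches the application's own directory before the
system directories (for libraries that are not KnownDLLs), so a
winhttp.dll dropped next to chrome.exe is loaded instead of the genuine
one. This script lists such same-name DLLs and reports whether their
contents differ from the system copy.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large DLLs are not loaded whole."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def resolve_dll(name, search_dirs):
    """Return the path the loader would pick for `name`: the first match,
    case-insensitively, walking `search_dirs` in order. None if absent."""
    for directory in search_dirs:
        directory = Path(directory)
        if not directory.is_dir():
            continue
        for entry in directory.iterdir():
            if entry.is_file() and entry.name.lower() == name.lower():
                return entry
    return None


def find_shadowed_dlls(app_dir, system_dir):
    """List every DLL in app_dir whose name also exists in system_dir.

    Each finding records both hashes; `differs` is True when the copy the
    loader will prefer is not byte-identical to the system copy.
    """
    app_dir, system_dir = Path(app_dir), Path(system_dir)
    system_dlls = {
        p.name.lower(): p
        for p in system_dir.iterdir()
        if p.is_file() and p.suffix.lower() == ".dll"
    }
    findings = []
    for candidate in sorted(app_dir.iterdir()):
        if not candidate.is_file() or candidate.suffix.lower() != ".dll":
            continue
        system_copy = system_dlls.get(candidate.name.lower())
        if system_copy is None:
            continue  # vendor-private DLL, nothing to shadow
        app_hash, system_hash = sha256_of(candidate), sha256_of(system_copy)
        findings.append({
            "name": candidate.name,
            "app_sha256": app_hash,
            "system_sha256": system_hash,
            "differs": app_hash != system_hash,
        })
    return findings


def build_demo_tree():
    """Constructed sample layout (placeholder bytes, not real binaries)
    mirroring the infection described in the article, created in a temp
    directory so the audit can run offline."""
    root = Path(tempfile.mkdtemp(prefix="dllaudit_"))
    system_dir = root / "Windows" / "System32"
    app_dir = root / "Program Files (x86)" / "Google" / "Chrome" / "Application"
    system_dir.mkdir(parents=True)
    app_dir.mkdir(parents=True)
    (system_dir / "winhttp.dll").write_bytes(b"genuine winhttp")
    (system_dir / "kernel32.dll").write_bytes(b"genuine kernel32")
    (system_dir / "d3dcompiler_47.dll").write_bytes(b"shader compiler")
    (app_dir / "chrome.exe").write_bytes(b"MZ chrome")
    (app_dir / "chrome.dll").write_bytes(b"chrome internals")
    (app_dir / "winhttp.dll").write_bytes(b"obfuscated stager posing as winhttp")
    # Identical copy: a vendor legitimately shipping a system DLL looks like this.
    (app_dir / "d3dcompiler_47.dll").write_bytes(b"shader compiler")
    return app_dir, system_dir


if __name__ == "__main__":
    # On a real Windows host replace the demo tree with the paths from the article:
    #   find_shadowed_dlls(r"C:\Program Files (x86)\Google\Chrome\Application",
    #                      r"C:\Windows\System32")
    app_dir, system_dir = build_demo_tree()
    for finding in find_shadowed_dlls(app_dir, system_dir):
        flag = "DIFFERS - investigate" if finding["differs"] else "identical"
        print(f"{finding['name']:<22} {flag}")
    print("loader would pick:", resolve_dll("winhttp.dll", [app_dir, system_dir]))
```

A hit means "verify", not "infected": vendors sometimes ship their own copy of a system library, so confirm a flagged file's Authenticode signature and version (for example with `Get-AuthenticodeSignature` in PowerShell) before acting, and audit Chrome's versioned subdirectory as well as the top-level Application folder, since that is where the browser keeps most of its own DLLs.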

The AdService Trojan aims at Facebook and Twitter data

The Trojan starts its malicious activity as soon as the victim launches Chrome. Once the browser icon is double-clicked, the Trojan immediately connects to a remote server in order to send and receive data.

Its main task is connecting to Facebook and Twitter and harvesting information, including logins and passwords. According to the research, it opens the following pages and tries to extract valuable information from them:

  • https://www.facebook.com/settings;
  • https://www.facebook.com/bookmarks/pages;
  • https://secure.facebook.com/payments/settings/payment_methods/?__a=1;
  • https://www.facebook.com/profile.php;
  • https://mobile.twitter.com/account;
  • https://twitter.com/settings/account.

The malware might also steal the victim's phone number, email address, postal address, zip code, friend list and other information shown on these social networks. Moreover, if the victim has made purchases through these sites, the criminals may gain access to some stored credit card information.

Cybersecurity experts warn users to be careful when downloading freeware and shareware. Potentially unwanted programs (PUPs), and especially adware, can slip in unnoticed during installation and bring Trojan.Adservice onto your PC. If you suspect an infection, scan the system with a reputable antivirus and then change all your passwords, ideally from a device you trust.

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
