{"id":7107,"date":"2017-03-24T08:11:31","date_gmt":"2017-03-24T16:11:31","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/24\/news-898\/"},"modified":"2017-03-24T08:11:31","modified_gmt":"2017-03-24T16:11:31","slug":"news-898","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2017\/03\/24\/news-898\/","title":{"rendered":"Advanis tech support screenlocker"},"content":{"rendered":"

Credit to Author: Pieter Arntz| Date: Fri, 24 Mar 2017 15:00:05 +0000<\/strong><\/p>\n

Recently we noticed a change on one of the domains that we monitor\u00a0because they are known to host files related to tech support scams and involved in browlocks, fake alerts, and screenlockers.<\/p>\n

The domain and the screenlocker<\/strong><\/h3>\n

At the moment the installer is being pushed by InstallCapital which is a pay-per-install network .<\/p>\n

The domain hosting the installer is called installreports[dot]com and this time\u00a0we found it was hosting a tech support screenlocker we dubbed Advanis after the folder it creates in the Windows directory and the entry it creates in the list of installed programs and features.<\/p>\n

\"\"<\/p>\n

MT is the name of the main executable. The one that shows the screenlocker. Here it is probably short for \u201cMarket Tools\u201d, which is the name of the Windows form.<\/p>\n

\"\"<\/p>\n

Resolution<\/strong><\/h3>\n

@TheWack0lian<\/a> found this code snippet \u2013<\/p>\n

\"\"<\/p>\n

–telling us that the screenlocker could be minimized by using the \u201cBackspace\u201d key. Once you have done that, removal is no problem. A full removal guide for Advanis<\/a> can be found on our forums.<\/p>\n

File details<\/strong><\/h3>\n

SHA 256 of the installer 30a32cb629d2a576288b4536d241b6e90f0540c3275288bfd4982233e12d182f<\/p>\n

Malwarebytes web protection module blocks the domain and detects the installer as Trojan.TechSupportScam.<\/p>\n

\"\"<\/p>\n

The advertised number on the lockscreen\u00a0leads back to the domain getfixpc[dot]net.<\/p>\n

Attribution<\/strong><\/h3>\n

Finding out who is behind a threat is not always easy, but we think we have a solid case for this one.<\/p>\n

Meet Baskar K.<\/p>\n

\"\"<\/p>\n

He registered the domain installreports[dot]com with the email address:\u00a0brgs@outlook.in<\/a>.<\/p>\n

Using his own name and providing his phone number and physical address.<\/p>\n

The same personal data was used to register brmediahub.com<\/p>\n

That domain is listed as the homepage at the stackoverflow profile I posted a screenshot of.<\/p>\n

For the same physical address we also found an email address baskark****@outlook.com<\/a> that has been used to register a host of dubious domains:<\/p>\n