Our sensors have just detected yet another rogue advertisement served through the Yieldmanager ad network, this one enticing users into downloading a rogue video player known as the ‘Oops Video Player’. What’s particularly interesting about this rogue ad campaign is that the PUA (Potentially Unwanted Application) attempts to visually trick users by mimicking Adobe Flash Player’s installation process.
More details:
Sample screenshot of the rogue ad:
Sample screenshot of the landing page mimicking Adobe Flash Player’s installation process:
Detection rate for the rogue video player – MD5: 9df30aa7a7796ae73b33a6ba7ba7bfb3 – detected by 4 out of 47 antivirus scanners as Win32/DomaIQ.C; Adware.DomaIQ; DomainIQ pay-per install; DomaIQ (fs). The sample is digitally signed by ‘Awimba LLC’. Note that a valid code signature only ties the binary to the holder of the signing certificate; it says nothing about whether the software is wanted, so a signed installer should not be treated as trustworthy on that basis alone.
Domain name reconnaissance:
ooopsvideo.com – 54.214.92.56
Other rogue applications that are part of the same network are known to have phoned back to domaiq.com (37.59.180.17) and to the following related domains:
api.v2.domaiq.com
api.v2.madodls.com
api.v2.secdls.com
crud.v2.domaiq.com
dl.v2.domaiq.com
dl.v2.madodls.com
dl.v2.secdls.com
dls.123mplayer.com
dls.adcdls.com
dls.archivospc.com
dls.dlsofteclipse.com
dls.downhq.com
dls.download1server.com
dls.downloadgratuiti.com
dls.downloadsetup.com
dls.downquick.com
dls.driverdls.com
dls.famdls.com
dls.favfiles.com
dls.filesonar.com
dls.filezor.com
dls.flashmplayer.com
dls.freemplayer.com
dls.freiesoft.com
dls.gamerdls.com
dls.gufairu.com
dls.gufile.com
dls.lastplayerfree.com
dls.livedls.com
dls.mpalyerfreeware.com
dls.mplayerdownloader.com
dls.mplayerfree.com
dls.mplayerfull.com
dls.mplayertotal.com
dls.nicdls.com
dls.pitisoft.com
dls.popdls.com
dls.realdls.com
2dls.securedonwloadepiclab.com
dls.softdls.com
dls.softgratuit.com
dls.softlate.com
dls.softluv.com
dls.sweetdls.com
dls.themplayerupdater.com
dls.topsoft.co.uk
dls.totalvideoplugin.com
dls.xvidupdate.com
dls.yourmplayer.com
domaiq.com
madodls.com
static.v2.madodls.com
track.v2.domaiq.com
track.v2.madodls.com
catdls.com
The monetization takes place through the DomaIQ (domaiq.com – 37.59.180.17) pay-per-install affiliate network: the cybercriminals participating in it earn revenue for every successful installation of the rogue application.
We’re also aware of the following MD5s of rogue applications monetized through the same affiliate network:
MD5: 8a41066e79e14b542fadbf2e79bf4490
MD5: 0655343de61b717175df1b65f9de7aee
MD5: 8154698fb256f62321e13408c00f1503
MD5: 57d3f98a3465c837be72b769895c3123
MD5: 949c84ed7d8ddc093635df8e4152e1b3
MD5: be06f0dd30404a875b27336821879d16
MD5: 4368b7b5445ca1237601673f995b9992
MD5: a7d60fd7e6ee33b3eea43ed0be82d6e9
MD5: dd70c58925b37e3d7655ba25cf77cb83
MD5: 0d374245e0913ea5ec740323b4b15cb5
MD5: 69e2cd3327f91970f8285989724f5802
MD5: 53676ff21d4607b7f8b8d975d6b0c405
MD5: 4f6ac57a18340ac3cdfb9351ca2d4628
MD5: 4f71871dbdc6a3ae949fb5c9586c010f
MD5: 65a1fe05c915e2bd586cdedd6d1a792f
MD5: 475832e7f291521046b1a7d5f9ff7b58
MD5: d7f58ca6d63304f5f6e1a77bcf6a9567
MD5: aef8f79851237a27215959fdea14a6f3
MD5: 2e7ac59db7594347e496d94411a835b7
MD5: e647b2130580a571079d3a45f38a7caf
MD5: 78725dd1530463d33e156f6307ad96b7
MD5: 7c1f03ce20333e1fb738a6bab852e832
MD5: a382bbaa3abf952ae3f64798bffad1da
MD5: 184909e269af30735f690c441948369c
MD5: 02223e41331a9d7265234be07d0a6b8a
MD5: 68a600cd1a9db3797f97df4124c4d2e1
MD5: f3ace640b79542290669116d850483f6
MD5: 88f7914a5db9154c9886a32e3e06a152
MD5: ef2d28dc42c0b5b00bc7ff195f8da89f
MD5: 814d5b7c53f148b61af80d6bdb0c222a
MD5: 320efca7c179376e28a7ad80dfcbac58
MD5: 3ac89dbe98d817402e98b70dede51395
MD5: 2179d3e6caf3b057506207ad040c2a5e
MD5: a1f31f1d4ea07039b053ce7e9e4e854c
MD5: f057123739c892c1c335af95f2e3efb1
MD5: a6e75eff7c07fd81fe9542a709a97ccd
MD5: 8dccf579bacae71d0fc01e8181fac1f3
MD5: 6be3b6451c5b4d28267344e29745bc9e
MD5: 14445616a8318b4e1c2d136338d4ba63
MD5: 0f714922a0b7d3f1db740de375bdca1c
MD5: c96b02e866d6f29f7420c3299caeddaf
MD5: 9940749abfc2f0064fbdbfaf0db309cc
MD5: 1c548424a14497e696ffb77952497008
MD5: b287a636646196f049e2ba7dbb5be153
MD5: 750fb1f17e502ad8456d2d8cccb0d7eb
MD5: 30248c2041f68acfd97b41a4efb3d066
MD5: 77c3ef7af4954c2f53b179ed280915f1
MD5: fbd0bc3a7eb34ea36f9e65d5daff6f4e
MD5: e1855ac92f2674d30f6ebc3a21fa4b50
MD5: b545cf0f7a956d9b3d6a960d6b260a5a
MD5: 5141d92ec1c9a9d8be92657a02e68f40
MD5: 661a6bee24fc85a22d27521448c0a49a
MD5: 55e82ad54926f3feaf9e0fc5a25ecb0d
MD5: 182ecf374d2279ea0d7763ec619086ac
MD5: 2be906864a697056af3f4a99e383a06a
MD5: cdd7267deeedbd508f6bfa0a4126b640
MD5: 20b606accaaba0612edee6d20cc798b6
MD5: d0ee8ed683628c2cba4bba14acd51cec
MD5: 743fe85ae1bd39b88035d64161ad3827
MD5: 156197b754ffb65a129b4c43fb327363
MD5: 69e533f0c8ccb017f4d65d80e349d37f
MD5: 230bd86ff36d1ec00a52484d831bcc34
MD5: 606e6b86f065d88d7be93aac05e5237f
MD5: cfd09403f4ee70291ef978e098b2c83f
MD5: c8abbc7e3bb89ecc6d4613512b8ceab5
MD5: 338b1f9d8806a88f26b0bfbc7458625b
MD5: 9ab56e5d49ef57b1f55b6f1e09704ea7
MD5: bac642ad6e3bb3fcf3d728b507cce496
MD5: 977605ddfb08cac78f0f57775bda5572
MD5: 0bee0f472b32ed23dd4b69917150b4d8
MD5: c21e694c00d580c5ea5b73eae7a421b8
MD5: f5536e02aa104fc6dbc4299b78d9096d
MD5: d788d78a6930200f1e679f45c4fe233d
MD5: 976e0dfdee81fe215d57317d4958eca6
MD5: 989a9c56949cabd134e608c4a2ae87f8
MD5: 7248c37dd0532a50f64884e085cc0eab
MD5: 5ccece08ae4e5fd5730a3399efae2824
MD5: 520b07f1670f87b367b30cb727bdf31c
MD5: b8d91fa98aae8e3c813058e7f827e9dd
MD5: b755b00886cddff8dcbf7a87b56bac72
MD5: 6114210a10d207310841e44a8e5f865c
MD5: 6d415cff4b03d3e7e7baf15293605fa1
MD5: 37c695426979bb471f8e4904471403f2
MD5: df6c97f2fa729b43902f14217c582afd
MD5: 052290f7cc109b47fcac4a68c72beba5
MD5: 129d4f14f168053e08017a726f1793a2
MD5: c6006cc2d52537e8a40228edac028983
MD5: 10b4118f46346b2071e9657de8f1cbfc
MD5: cf24d23d765252939b023327a1818b0e
MD5: dab3b44e41a310024cb1f34cce160c16
MD5: 2a552118ef6aaab609770c18ef882c18
MD5: e96ca6177e75a0b03e0d405ad927a8cf
MD5: f0f50dd3701275541841ef81ee24fd2b
MD5: 06483d31e30154a3f37195d89a97e853
MD5: e48842a5d2e47274759c712b3db6e250
MD5: 18fa2f5a6da88aa123acb9dcddd11397
MD5: d91068aca21d173e095a9e236db4e31b
MD5: 0326e1313be59e3cd6ac66bbcacc3291
MD5: 41ed16661ec7f5b792749b941d47042f
MD5: c944a09a0ceb95f1d8bf90a02c8e2816
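Turning the two indicator lists above (the phone-home domains and IPs, and the MD5s) into a practical check is mostly a matter of parsing the post's own line formats and matching carefully: a host should match an indicator as a parent domain (track.v2.domaiq.com is covered by domaiq.com) but only on label boundaries, the destination IP should be checked as well so direct-to-IP fetches are not missed, and digests should be compared case-insensitively. The following Python is an added example written for this page, not code from the original post or from Webroot; the proxy log format, the `md5sum` output and the indicator excerpt are constructed for illustration, and the full lists from the post can be substituted in the same format.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import urlsplit

# Constructed excerpt of the indicator lists in the post above, in the post's own
# line formats ("domain – ip", bare domain, "MD5: <hex>") so the full lists paste in as-is.
INDICATOR_TEXT = """
ooopsvideo.com – 54.214.92.56
domaiq.com – 37.59.180.17
api.v2.domaiq.com
dls.topsoft.co.uk
MD5: 9df30aa7a7796ae73b33a6ba7ba7bfb3
MD5: 8a41066e79e14b542fadbf2e79bf4490
"""

MD5_LINE = re.compile(r"^MD5:\s*([0-9a-fA-F]{32})$")
DOMAIN_IP_LINE = re.compile(r"^([A-Za-z0-9.-]+)\s*[\u2013-]\s*((?:\d{1,3}\.){3}\d{1,3})$")
DOMAIN_LINE = re.compile(r"^[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$")


def parse_indicators(text: str) -> Tuple[Set[str], Set[str], Set[str]]:
    """Split the post's indicator lines into domains, IPv4 addresses and MD5s."""
    domains, ips, md5s = set(), set(), set()
    for line in filter(None, map(str.strip, text.splitlines())):
        m = MD5_LINE.match(line)
        if m:
            md5s.add(m.group(1).lower())
            continue
        m = DOMAIN_IP_LINE.match(line)
        if m:
            domains.add(m.group(1).lower())
            ips.add(m.group(2))
        elif DOMAIN_LINE.match(line):
            domains.add(line.lower())
    return domains, ips, md5s


def match_host(host: str, domains: Set[str]) -> str:
    """Return the indicator that covers `host`, or "" if none does."""
    # Try suffixes on label boundaries only: indicator "domaiq.com" covers
    # "track.v2.domaiq.com" but not "notdomaiq.com".
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return ""


# Constructed proxy log in an assumed format: "<ts> <client_ip> <dst_ip> <url> <status>".
PROXY_LOG = """\
2013-08-05T10:01:22Z 10.0.0.12 54.214.92.56 http://ooopsvideo.com/OopsVideoPlayer.exe 200
2013-08-05T10:01:31Z 10.0.0.12 37.59.180.17 http://track.v2.domaiq.com/ping?aff=1 200
2013-08-05T10:02:05Z 10.0.0.40 93.184.216.34 http://example.com/index.html 200
2013-08-05T10:03:10Z 10.0.0.41 198.51.100.7 http://notdomaiq.com/ 200
2013-08-05T10:04:44Z 10.0.0.12 37.59.180.17 http://198.51.100.7/ 200
"""


def scan_proxy_log(log: str, domains: Set[str], ips: Set[str]) -> List[Tuple[int, str]]:
    """Return (line number, reason) for lines whose URL host or destination IP is an indicator."""
    hits = []
    for n, line in enumerate(log.splitlines(), start=1):
        parts = line.split()
        if len(parts) < 5:
            continue
        dst_ip, url = parts[2], parts[3]
        host = urlsplit(url).hostname or ""
        reasons = []
        matched = match_host(host, domains)
        if matched:
            reasons.append(f"host {host} -> {matched}")
        if dst_ip in ips:  # catches direct-to-IP fetches that never name the domain
            reasons.append(f"dst {dst_ip}")
        if reasons:
            hits.append((n, "; ".join(reasons)))
    return hits


# Constructed `md5sum`-style output ("<hex>  <path>") from an endpoint sweep.
MD5SUM_OUTPUT = """\
9DF30AA7A7796AE73B33A6BA7BA7BFB3  Downloads/OopsVideoPlayer.exe
d41d8cd98f00b204e9800998ecf8427e  Downloads/empty.txt
"""


def hits_from_md5sum(output: str, md5s: Set[str]) -> Dict[str, str]:
    """Map each path whose case-normalised digest is on the MD5 list to that digest."""
    # Every affiliate build of a pay-per-install installer is a distinct file (hence the
    # long list above): a hash hit confirms, a miss proves nothing, so pair with the domain/IP checks.
    hits = {}
    for line in output.splitlines():
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        digest, path = parts[0].lower(), parts[1].lstrip("*")
        if digest in md5s:
            hits[path] = digest
    return hits


if __name__ == "__main__":
    d, a, h = parse_indicators(INDICATOR_TEXT)
    print(scan_proxy_log(PROXY_LOG, d, a), hits_from_md5sum(MD5SUM_OUTPUT, h))
```

Run against the constructed input, the proxy scan flags lines 1, 2 and 5 (the first two on both host and destination IP, the last on IP alone), leaves example.com and the look-alike notdomaiq.com untouched, and the hash cross-reference flags only the installer despite its upper-case digest.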
We’ll continue monitoring this pay-per-install affiliate network’s activities. Meanwhile, users are advised to avoid interacting with the ‘Oops Video Player’.
You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on Twitter.