Researchers have observed the return of PBot (PythonBot), adware that targets Windows-based machines. PBot was first seen over a year ago and has now returned with an updated arsenal. The adware is written in Python; it spams the infected machine with advertisements and installs ad extensions in the browser. It is also equipped with a crypto-miner, which can be used to generate Bitcoin and Litecoin. In April alone, PBot made 50,000 attempts to install itself on machines, and the number of attempts is only increasing.

The browser extension spams banners on the pages the victim visits and redirects the victim to advertising sites to generate revenue. The adware is distributed via malicious partner sites. Once a victim visits such a site, clicking anywhere on the page opens a new browser window with a link to the PBot download page. If the victim clicks the link, PBot begins installing itself on the machine. Users are advised to be cautious when visiting unfamiliar sites.