Full Report
A digitally signed adware tool has deployed payloads running with SYSTEM privileges that disabled antivirus protections on thousands of endpoints, some in the educational, utilities, government, and healthcare sectors. [...]
Analysis Summary
# Tool/Technique: Dragon Boss Solutions Adware/AV Killer
## Overview
This threat involves a series of browser-based Potentially Unwanted Programs (PUPs) authored by "Dragon Boss Solutions LLC" that abuse a legitimate software installer’s update mechanism. While disguised as browser software, the tool deploys a sophisticated "AV Killer" payload with SYSTEM privileges to systematically disable and remove security products from thousands of endpoints globally.
## Technical Details
- **Type:** Adware / Malware Dropper
- **Platform:** Windows
- **Capabilities:** Defense Evasion, Persistence, Privilege Escalation, Remote Payload Deployment.
- **First Seen:** March 22, 2024 (Campaign identified)
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
  - T1546.003 - Event Triggered Execution: Windows Management Instrumentation (WMI) Event Subscription
  - T1053.005 - Scheduled Task/Job: Scheduled Task
- **TA0004 - Privilege Escalation**
  - T1068 - Exploitation for Privilege Escalation (abusing Advanced Installer's SYSTEM privileges)
- **TA0005 - Defense Evasion**
  - T1562.001 - Impair Defenses: Disable or Modify Tools
  - T1553.002 - Subvert Trust Controls: Code Signing
  - T1027 - Obfuscated Files or Information (MSI disguised as a GIF)
  - T1112 - Modify Registry
  - T1564.004 - Hide Artifacts: NTFS File Attributes
- **TA0007 - Discovery**
  - T1518.001 - Software Discovery: Security Software
## Functionality
### Core Capabilities
- **Signed Execution:** Uses valid digital certificates from "Dragon Boss Solutions LLC" to bypass basic security scrutiny.
- **Silent Update Mechanism:** Leverages the "Advanced Installer" commercial updater to deploy payloads (MSI and PowerShell) silently without user interaction.
- **System-Level Persistence:** Installs with SYSTEM privileges and creates recurring tasks (every 30 minutes) to ensure malicious scripts remain active.
- **Security Software Reconnaissance:** Queries the registry to detect specific AV products including Malwarebytes, Kaspersky, McAfee, and ESET.
### Advanced Features
- **Comprehensive AV Neutralization (`ClockRemoval.ps1`):**
  - Stops services and kills processes related to security software.
  - Forces uninstallation using vendor-specific silent uninstallers.
  - Deletes installation directories and registry keys.
- **Network Blocking:** Modifies the Windows `hosts` file to null-route (0.0.0.0) AV vendor domains, preventing updates or reinstallation of security software.
- **Browser Interference:** Targets legitimate installers for Opera, Chrome, Firefox, and Edge to prevent them from interfering with the adware's browser hijacking mission.
## Indicators of Compromise
- **File Hashes (SHA256):**
  - `40ac30ce1e88c47f317700cc4b5aa0a510f98c89e11c32265971564930418372` (Setup.msi / fake GIF)
- **File Names:**
  - `ClockRemoval.ps1`
  - `Setup.msi` (often appearing as a .gif)
  - `_!_StringData` (payload configuration file)
- **Registry Keys:** Check for keys associated with "Dragon Boss Solutions LLC" or the browser names `Chromstera`, `Chromnius`, `WorldWideWeb`, `Web Genius`, and `Artificius`.
- **Network Indicators:**
  - `chromsterabrowser[.]com` (primary C2/update)
  - `worldwidewebframework3[.]com` (fallback C2)
- **Behavioral Indicators:**
  - Modification of `C:\Windows\System32\drivers\etc\hosts`.
  - WMI event subscriptions containing "MbRemoval" or "MbSetup".
  - Scheduled tasks named "WMILoad" or "ClockRemoval".
  - Microsoft Defender exclusions for the paths `DGoogle`, `EMicrosoft`, or `DDapps`.
## Associated Threat Actors
- **Dragon Boss Solutions LLC** (The entity signing the software; likely a front for "search monetization" or adware operations).
## Detection Methods
- **Signature-based:** Scan for files signed by "Dragon Boss Solutions LLC".
- **Behavioral:** Monitor for PowerShell scripts attempting to stop security services or delete directories in `C:\Program Files\` associated with AV vendors.
- **WMI Monitoring:** Audit for the creation of `__EventFilter` or `__FilterToConsumerBinding` containing the string "MbRemoval".
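The following endpoint hunt script is an added example, not part of the original report: it checks a single Windows host for the behavioral indicators and detection points listed above (WMI subscriptions, scheduled task names, Defender exclusions, `hosts` null-routes, and the signer name). It assumes PowerShell 5.1 or later with the Defender and ScheduledTasks modules present, and the AV vendor domain pattern is a constructed sample.

```powershell
# Added hunting script (not from the original report). Run elevated on one host;
# every match is reported as a warning for an analyst to triage.
$findings = @()

# 1. Permanent WMI event subscriptions referencing the MbRemoval/MbSetup names
foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
    Get-CimInstance -Namespace root\subscription -ClassName $class -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Out-String) -match 'MbRemoval|MbSetup' } |
        ForEach-Object { $findings += "WMI $class references MbRemoval/MbSetup" }
}

# 2. Scheduled tasks named WMILoad or ClockRemoval
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -match '^(WMILoad|ClockRemoval)$' } |
    ForEach-Object { $findings += "Scheduled task: $($_.TaskPath)$($_.TaskName)" }

# 3. Defender path exclusions for the DGoogle / EMicrosoft / DDapps names
$exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
foreach ($path in @($exclusions)) {
    if ($path -match 'DGoogle|EMicrosoft|DDapps') { $findings += "Defender exclusion: $path" }
}

# 4. hosts file entries that null-route (0.0.0.0) security vendor domains
$vendorPattern = 'malwarebytes|kaspersky|mcafee|eset|microsoft'   # constructed sample; extend per environment
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hostsFile -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*0\.0\.0\.0\s+(\S+)' -and $Matches[1] -match $vendorPattern } |
    ForEach-Object { $findings += "hosts null-route: $($_.Trim())" }

# 5. Authenticode signer check in common install locations (assumed drop paths)
$roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:LOCALAPPDATA") | Where-Object { $_ }
Get-ChildItem $roots -Recurse -Depth 3 -Include *.exe, *.msi, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.SignerCertificate -and $sig.SignerCertificate.Subject -match 'Dragon Boss Solutions') {
            $findings += "Signed by Dragon Boss Solutions LLC: $($_.FullName)"
        }
    }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Dragon Boss Solutions indicators found on this host.' }
```

Each check is independent, so the sections can be lifted individually into an EDR custom query or a scheduled compliance job.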
## Mitigation Strategies
- **Application Whitelisting:** Prevent execution of software from unknown or "low reputation" developers, even if digitally signed.
- **Host File Protection:** Monitor or lock the `hosts` file to prevent unauthorized redirection of security vendor domains.
- **Privilege Management:** Restrict the ability of standard users to run installers that require administrative or SYSTEM level elevation.
- **Network Filtering:** Block the identified C2/Update domains at the firewall/DNS level.
## Related Tools/Techniques
- **Browser Hijackers / Monetizers:** Similar behavior to older adware bundles like InstallCore.
- **Bring Your Own Vulnerable Driver (BYOVD):** While this tool uses scripts, the intent of disabling AV is similar to techniques used by ransomware groups (e.g., BlackByte).