Python-based PBot adware evolves to deliver cryptocurrency miner and ad extensions

• The developers behind PBot are expanding its capabilities beyond that of a simple adware.
• PBot got its name from its core modules that are written in Python

The Python-based adware PBot, also known as PythonBot, is evolving with new capabilities that go beyond just spamming users with advertisements. Kaspersky Lab researchers said the adware has undergone several modifications since it was first detected a year ago and now comes with the ability to run a hidden cryptominer on infected computers.

Some PBot versions detected were capable of placing unwanted advertising on web pages visited by the victim and install ad extensions in the browser. The attackers behind PBot are continually releasing new versions of the latter modification and attempting to infect swathes of Windows PCs, researchers said.

“Developers are constantly releasing new versions of this modification, each of which complicates the script obfuscation,” Kaspersky’s Anton V. Ivanov wrote in a blog post. “Another distinctive feature of this Pbot variation is the presence of a module that updates scripts and downloads fresh browser extensions.”

In April alone, researchers registered more than 50,000 attempts to install PBot on computers of Kaspersky Lab product users - a figure that increased the following month.

PBot seems to be primarily targeting users in Russia, Ukraine and Kazakhstan.

New malicious capabilities

PBot is usually distributed via malicious partner sites whose pages implement scripts that redirect users to sponsored links. If any point on the page is clicked, a new browser window pops up that opens an intermediate link to redirect the user to the PBot download page.

This page is tasked with downloading and running the PBot adware on the victim's computer "by hook or by crook" via an .hta file. This file downloads an executable file which is the NSIS installer of PBot. The installer in turn drops a folder that contains the Python 3 interpreter, a browser extension and Python scripts - one of which runs app.py to handle the update of PBot scripts and downloading of new, malicious browser extensions.

While the browser extensions are used to spam banners on pages visited by the victim, the secretly installed cryptominer eats up the infected system's computing power to generate cryptoccurrency.

"In pursuit of profit, adware owners often resort to installing their products on the sly, and PBot developers are no exception. They release new versions (and update them on user computers), complicating their obfuscation to bypass protection systems," researchers said.