[GNC] Phishing Website Google Search Ad

Matthew Ickstadt mattico8 at gmail.com
Tue Dec 13 12:25:57 EST 2022


I originally wrote and sent this on November 28, but I wasn't subscribed to
the mailing list yet so I don't think it went through. Since then I have
contacted DigiCert and they have revoked the code signing certificate.
Original email follows.

I saw a Google search ad for GNU Cash which is a malware/phishing
attempt, I believe. See this screenshot: https://imgur.com/K3aeix7.png

Note the hyphen in the ad URL. It was a clone of the GNU Cash website,
except the Windows download link downloads a 2,957KB setup.exe
directly rather than going to SourceForge.

I want to record some information about the site and installer in case
it disappears.
IP: 172.67.145.128
Registrar: webnic.cc
Registered On: 2022-10-20
Nameservers: cloudflare
Registrant Contact Information: unknown, Berlin, DE

The virustotal scan comes up mostly clean:
https://www.virustotal.com/gui/file/15d333959c6bf4bc913a3526a7aae8855af60b08a2542ee245d18b79dc7eede5

I wouldn't be surprised if a malicious GNU Cash would not be flagged by
virus scanners because it wouldn't need to install a typical virus payload,
it would just record account information and upload that somewhere.
Note that the setup.exe is signed with a certificate issued to
is-NHIDL.tmp. See the details on virustotal. After I uploaded the
setup.exe to virustotal the phishing website changed to a placeholder
site titled "Dot Com Inovations" showing events around Spokane.
Strangely one of the recent posts on the placeholder site is titled
"Beast: Plot, Cast, and Everything Else gnucash gnu cash gnu-cash We
Know".

I created a virtual machine to run the installer in to see what it
does. I did this after uploading to virustotal so it's possible the
installer changed its behavior to hide its tracks. The setup.exe pops
up a window saying it's downloading and downloads
gnucash-4.12.setup.exe to %LOCALAPPDATA%\Temp, then runs it. This
downloaded setup.exe has the same SHA256 hash as the real one I just
downloaded from SourceForge. It launches the downloaded installer
which runs as four processes. One executes the installer out of \Temp,
one executes it out of C:\ProgramData\, and two execute temp files
from \Temp\is-NHIDL.tmp\gnucash-4.12.setup.tmp (1320KB). I'm not sure
what was going on there, but I'm guessing that it patches the
installer in-memory so the installer hash is unchanged. These files
are deleted from Temp\ when the installer closes. I created a copy of
Temp\ while the installer was running. The installed GnuCash looks
normal. I'm not an experienced malware investigator so I don't know
what else to do with it. If you have some ideas let me know and I may
be able to help.

I reported the Google ad for being misleading and malicious. The ad
may not stay around for long now that the site has gone into hiding,
so I'm not sure what good it'll do.

I'm not sure what we can do to prevent this from happening in the
future, but we should try. I'm not sure what we can do to contact
people who may have downloaded the malicious installer. The setup.exe
was signed on 2022-11-08 02:28:00 UTC, so it may have been up for a
few weeks. I noticed that Google does not show ads for searches like
"Nvidia Drivers" probably to avoid this kind of problem. Maybe we can
convince them to do the same for GNU Cash, but I'm not optimistic.

I'm going to contact DigiCert to tell them a cert they issued is being
used to sign malware installers.
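
The two checks the message above walks through by hand (compare the installer's SHA256 against the hash published for the genuine release, then look at who the Authenticode certificate was issued to) can be scripted for a first-pass triage on any OS. The script below is an added example for this page, not the author's code and not GnuCash project code. It uses only the Python standard library: it walks the PE headers to the Attribute Certificate Table (data directory 4), pulls out the PKCS#7 blob, and lists the common names found in it with a byte-pattern heuristic rather than a full ASN.1 parser, so it will also return issuer and chain CNs and should be treated as triage, not as signature verification (on Windows, `Get-AuthenticodeSignature` or `signtool verify /pa` does the real chain check). The `build_sample_pe` helper fabricates a toy PE32+ image with a certificate table whose subject CN is `is-NHIDL.tmp`, the name quoted in the message, purely so the example runs offline; it is constructed data, not the installer from the post.

```python
"""Added example: offline triage of a Windows installer (hash + Authenticode signer CNs)."""
import hashlib
import hmac
import struct

SECURITY_DIRECTORY = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002
OID_COMMON_NAME = b"\x06\x03\x55\x04\x03"   # DER-encoded OID 2.5.4.3 (commonName)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_published_hash(data: bytes, published_hex: str) -> bool:
    """Constant-time compare against the hash from the vendor's download page."""
    return hmac.compare_digest(sha256_hex(data), published_hex.strip().lower())


def security_directory(data: bytes):
    """Return (file offset, size) of the Attribute Certificate Table, or None if unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20                          # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                               # PE32
        count_off, dir_base = opt + 92, opt + 96
    elif magic == 0x20B:                             # PE32+
        count_off, dir_base = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, count_off)[0] <= SECURITY_DIRECTORY:
        return None
    # Unlike the other directories, this entry's "VirtualAddress" is a raw file offset.
    offset, size = struct.unpack_from("<II", data, dir_base + 8 * SECURITY_DIRECTORY)
    return (offset, size) if size else None


def authenticode_blob(data: bytes):
    """Return the PKCS#7 SignedData bytes of the first WIN_CERTIFICATE entry, or None."""
    table = security_directory(data)
    if table is None:
        return None
    offset, _size = table
    length, _revision, cert_type = struct.unpack_from("<IHH", data, offset)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected certificate type {cert_type:#x}")
    return data[offset + 8:offset + length]


def common_names(der: bytes) -> list:
    """Heuristic: every CN string (subject or issuer, leaf or chain) in a DER blob."""
    names = []
    i = der.find(OID_COMMON_NAME)
    while i != -1 and i + 7 <= len(der):
        tag, length = der[i + 5], der[i + 6]
        if length < 0x80:                            # short-form length only
            raw = der[i + 7:i + 7 + length]
            if tag == 0x1E:                          # BMPString (UTF-16BE)
                names.append(raw.decode("utf-16-be", "replace"))
            elif tag in (0x0C, 0x13, 0x14):          # UTF8String / PrintableString / T61String
                names.append(raw.decode("utf-8", "replace"))
        i = der.find(OID_COMMON_NAME, i + 1)
    return names


def triage(data: bytes, published_hex: str) -> dict:
    blob = authenticode_blob(data)
    return {
        "sha256": sha256_hex(data),
        "hash_matches_published": matches_published_hash(data, published_hex),
        "signed": blob is not None,
        "common_names": common_names(blob) if blob else [],
    }


def build_sample_pe(signer_cn=None) -> bytes:
    """Constructed toy PE32+ image (headers only, no code) so the example runs offline."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240                                   # PE32+ optional header, 16 directories
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    cert_table_offset = e_lfanew + 4 + len(coff) + opt_size
    win_cert = b""
    if signer_cn is not None:
        cn = signer_cn.encode()
        # SEQUENCE { OID commonName, UTF8String cn }: the shape of an AttributeTypeAndValue
        der = b"\x30" + bytes([len(cn) + 7]) + OID_COMMON_NAME + b"\x0c" + bytes([len(cn)]) + cn
        win_cert = struct.pack("<IHH", 8 + len(der), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + der
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIRECTORY, cert_table_offset, len(win_cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + win_cert


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:                           # usage: triage.py <installer.exe> <published sha256>
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read(), sys.argv[2]))
    else:
        sample = build_sample_pe("is-NHIDL.tmp")
        print(triage(sample, sha256_hex(sample)))
```

Run against a real download as `python triage.py setup.exe <published sha256>`. A hash mismatch, or a certificate table whose only subject CN is a throwaway string instead of the project or its packager, is the cue to stop and not run the file; a matching hash and a plausible signer is necessary but not sufficient, since the dropper described above deliberately fetched the genuine, correctly hashed installer after the fact.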