[GNC] Phishing Website Google Search Ad

Geoff cleanoutmyshed at gmail.com
Tue Dec 13 19:26:35 EST 2022


Thanks very much Matthew.

Regards

Geoff
=====

On 14/12/2022 4:25 am, Matthew Ickstadt wrote:
> I originally wrote and sent this on November 28, but I wasn't subscribed to
> the mailing list yet so I don't think it went through. Since then I have
> contacted DigiCert and they have revoked the code signing certificate.
> Original email follows.
> 
> I saw a Google search ad for GNU Cash which is a malware/phishing
> attempt, I believe. See this screenshot: https://imgur.com/K3aeix7.png
> 
> Note the hyphen in the ad URL. It was a clone of the GNU Cash website,
> except the windows download link downloads a 2,957KB setup.exe
> directly rather than going to sourceforge.
> 
> I want to record some information about the site and installer in case
> it disappears.
> IP: 172.67.145.128
> Registrar: webnic.cc
> Registered On: 2022-10-20
> Nameservers: cloudflare
> Registrant Contact Information: unknown, Berlin, DE
> 
> The virustotal scan comes up mostly clean:
> https://www.virustotal.com/gui/file/15d333959c6bf4bc913a3526a7aae8855af60b08a2542ee245d18b79dc7eede5
> 
> I wouldn't be surprised if a malicious GNU Cash would not flag virus
> scanners because it wouldn't need to install a typical virus payload,
> it would just record account information and upload that somewhere.
> Note that the setup.exe is signed with a certificate issued to
> is-NHIDL.tmp. See the details on virustotal. After I uploaded the
> setup.exe to virustotal the phishing website changed to a placeholder
> site titled "Dot Com Inovations" showing events around Spokane.
> Strangely one of the recent posts on the placeholder site is titled
> "Beast: Plot, Cast, and Everything Else gnucash gnu cash gnu-cash We
> Know".
> 
> I created a virtual machine to run the installer in to see what it
> does. I did this after uploading to virustotal so it's possible the
> installer changed its behavior to hide its tracks. The setup.exe pops
> up a window saying it's downloading and downloads
> gnucash-4.12.setup.exe to %LOCALAPPDATA%\Temp, then runs it. This
> downloaded setup exe has the same SHA256 hash as the real one I just
> downloaded from sourceforge. It launches the downloaded installer
> which runs as four processes. One executes the installer out of \Temp,
> one executes it out of C:\ProgramData\, and two execute temp files
> from \Temp\is-NHIDL.tmp\gnucash-4.12.setup.tmp (1320KB). I'm not sure
> what was going on there, but I'm guessing that it patches the
> installer in-memory so the installer hash is unchanged. These files
> are deleted from Temp\ when the installer closes. I created a copy of
> Temp\ while the installer was running. The installed GnuCash looks
> normal. I'm not an experienced malware investigator so I don't know
> what else to do with it. If you have some ideas let me know and I may
> be able to help.
> 
> I reported the Google ad for being misleading and malicious. The ad
> may not stay around for long now that the site has gone into hiding,
> so I'm not sure what good it'll do.
> 
> I'm not sure what we can do to prevent this from happening in the
> future, but we should try. I'm not sure what we can do to contact
> people who may have downloaded the malicious installer. The setup.exe
> was signed on 2022-11-08 02:28:00 UTC, so it may have been up for a
> few weeks. I noticed that Google does not show ads for searches like
> "Nvidia Drivers" probably to avoid this kind of problem. Maybe we can
> convince them to do the same for GNU cash, but I'm not optimistic.
> 
> I'm going to contact DigiCert to tell them a cert they issued is being
> used to sign malware installers.
> _______________________________________________
> gnucash-user mailing list
> gnucash-user at gnucash.org
> To update your subscription preferences or to unsubscribe:
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> -----
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
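One defensive check that follows from the investigation above, added here as an example and not part of either message in the thread: given a copy of the installer's working folder (like the Temp\ copy described), hash every file and compare it with a manifest of trusted installer hashes, so the genuine inner installer, the unknown dropper that fetched it, and any same-named file with altered bytes are each reported separately. The manifest, file contents and directory layout are constructed stand-ins, not the real GnuCash hashes.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large installers are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def triage_directory(directory, known_good):
    """Classify files under `directory` against a manifest {filename: sha256}.
    Status: 'match' (trusted bytes), 'mismatch' (known name, different bytes),
    'unknown' (not in the manifest, e.g. the dropper that fetched the installer)."""
    report = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            actual = sha256_file(path)
            expected = known_good.get(name)
            if expected is None:
                status = "unknown"
            elif hmac.compare_digest(actual, expected):   # constant-time compare
                status = "match"
            else:
                status = "mismatch"
            rel = os.path.relpath(path, directory).replace(os.sep, "/")
            report[rel] = (status, actual)
    return report

def demo():
    # Constructed stand-in bytes and manifest; real hashes come from the vendor.
    official = b"constructed stand-in for the genuine gnucash-4.12.setup.exe"
    manifest = {"gnucash-4.12.setup.exe": hashlib.sha256(official).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "is-NHIDL.tmp"))
        with open(os.path.join(tmp, "gnucash-4.12.setup.exe"), "wb") as fh:
            fh.write(official)                       # identical to trusted copy
        with open(os.path.join(tmp, "setup.exe"), "wb") as fh:
            fh.write(b"constructed stand-in for the unknown dropper")
        with open(os.path.join(tmp, "is-NHIDL.tmp", "gnucash-4.12.setup.exe"), "wb") as fh:
            fh.write(official + b"\x00")             # same name, altered bytes
        return triage_directory(tmp, manifest)

if __name__ == "__main__":
    for path, (status, digest) in sorted(demo().items()):
        print(f"{status:8} {digest[:16]}... {path}")
```

A matching hash on the inner installer only says that file is genuine; the outer file that fetched and launched it still needs its own hash and signer checked.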

