[GNC] Phishing Website Google Search Ad

Tue Dec 13 20:19:49 EST 2022

Thank you Matthew for your sleuthing on this matter. I did also stumble on
this ad and website on Dec 9. There is another thread where we discussed it
as well. You can see it in the archive:
https://lists.gnucash.org/pipermail/gnucash-user/2022-December/thread.html#103825

 At this point it appears we were able to get the ad removed at least (so
it seems since it does no longer show) and others have attempted to also
contact the registrar to get the domain name cancelled (with limited
success so far). I did also submit the setup.exe file to virustotal and did
notice it had been submitted before -- evidently it was you. We didn't go
as far as setting up a virtualbox and investigating the file itself, so
thank you for doing that although it is still unclear what exactly this
file was supposed to do (and as you say virustotal doesn't report a whole
lot).

Sincerely,

Vincent Dawans

On Tue, Dec 13, 2022 at 11:32 AM Matthew Ickstadt <mattico8 at gmail.com>
wrote:

> I originally wrote and sent this on November 28, but I wasn't subscribed to
> the mailing list yet so I don't think it went through. Since then I have
> contacted DigiCert and they have revoked the code signing certificate.
> Original email follows.
>
> I saw a Google search ad for GNU Cash which is a malware/phishing
> attempt, I believe. See this screenshot: https://imgur.com/K3aeix7.png
>
> Note the hyphen in the ad URL. It was a clone of the GNU Cash website,
> except the windows download link downloads a 2,957KB setup.exe
> directly rather than going to sourceforge.
>
> I want to record some information about the site and installer in case
> it disappears.
> IP: 172.67.145.128
> Registrar: webnic.cc
> Registered On: 2022-10-20
> Nameservers: cloudflare
> Registrant Contact Information: unknown, Berlin, DE
>
> The virustotal scan comes up mostly clean:
>
> https://www.virustotal.com/gui/file/15d333959c6bf4bc913a3526a7aae8855af60b08a2542ee245d18b79dc7eede5
>
> I wouldn't be surprised if a malicious GNU Cash would not flag virus
> scanners because it wouldn't need to install a typical virus payload,
> it would just record account information and upload that somewhere.
> Note that the setup.exe is signed with a certificate issued to
> is-NHIDL.tmp. See the details on virustotal. After I uploaded the
> setup.exe to virustotal the phishing website changed to a placeholder
> site titled "Dot Com Inovations" showing events around Spokane.
> Strangely one of the recent posts on the placeholder site is titled
> "Beast: Plot, Cast, and Everything Else gnucash gnu cash gnu-cash We
> Know".
>
> I created a virtual machine to run the installer in to see what it
> does. I did this after uploading to virustotal so it's possible the
> installer changed its behavior to hide its tracks. The setup.exe pops
> up a window saying it's downloading and downloads
> gnucash-4.12.setup.exe to %LOCALAPPDATA%\Temp, then runs it. This
> downloaded setup exe has the same SHA256 hash as the real one I just
> downloaded from sourceforge. It launches the downloaded installer
> which runs as four processes. One executes the installer out of \Temp,
> one executes it out of C:\ProgramData\, and two execute temp files
> from \Temp\is-NHIDL.tmp\gnucash-4.12.setup.tmp (1320KB). I'm not sure
> what was going on there, but I'm guessing that it patches the
> installer in-memory so the installer hash is unchanged. These files
> are deleted from Temp\ when the installer closes. I created a copy of
> Temp\ while the installer was running. The installed GnuCash looks
> normal. I'm not an experienced malware investigator so I don't know
> what else to do with it. If you have some ideas let me know and I may
> be able to help.
>
> I reported the Google ad for being misleading and malicious. The ad
> may not stay around for long now that the site has gone into hiding,
> so I'm not sure what good it'll do.
>
> I'm not sure what we can do to prevent this from happening in the
> future, but we should try. I'm not sure what we can do to contact
> people who may have downloaded the malicious installer. The setup.exe
> was signed on 2022-11-08 02:28:00 UTC, so it may have been up for a
> few weeks. I noticed that Google does not show ads for searches like
> "Nvidia Drivers" probably to avoid this kind of problem. Maybe we can
> convince them to do the same for GNU cash, but I'm not optimistic.
>
> I'm going to contact DigiCert to tell them a cert they issued is being
> used to sign malware installers.
> _______________________________________________
> gnucash-user mailing list
> gnucash-user at gnucash.org
> To update your subscription preferences or to unsubscribe:
> https://lists.gnucash.org/mailman/listinfo/gnucash-user
> -----
> Please remember to CC this list on all your replies.
> You can do this by using Reply-To-List or Reply-All.
>