A new DealPly variant which abuses Microsoft’s SmartScreen API to avoid detection was discovered by security researchers.
What is DealPly and how does it work?
If you didn't know already, DealPly is an adware strain that installs browser extensions and displays advertisements. To remain undetected, it abuses Microsoft's reputation services.
Here’s how enSilo’s research team, who discovered the intrusion, describes it:
Besides modular code, machine fingerprinting, VM detection techniques and robust C&C infrastructure, the most intriguing discovery was the way DealPly abuses Microsoft and McAfee reputation services to remain under the radar.
It does so from infected Windows 10 PCs, which it also uses to spread the infection further.
DealPly builds JSON-based API requests and sends them to SmartScreen's reputation server. It waits for the response, collects the data it returns and forwards that data to DealPly's C2 server, so the operators learn what Microsoft's reputation service reports and can adjust to stay under the radar.
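The behaviour described above has a simple detection angle: on a Windows endpoint, only a handful of Microsoft binaries should ever talk to the SmartScreen reputation service, so any other process doing so, especially one that then calls out to an unrelated host, is worth a look. The script below is an added example, not code from the original article or from enSilo's research. It runs over a few constructed, Sysmon-style network-connection log lines; the log format, the SmartScreen hostnames (assumed from Microsoft's published connectivity list, verify against current documentation), the process allowlist and the file names are all assumptions to be tuned to your own telemetry.

```python
"""Flag SmartScreen reputation lookups made by processes that should not be
making them, then count follow-up connections from the same process to
non-SmartScreen hosts (the likely C2 report). Added example; every host,
path and log format here is an assumption."""
import re
from dataclasses import dataclass

# Hosts the SmartScreen / URS reputation service answers on
# (assumption: from Microsoft's published connectivity list).
SMARTSCREEN_HOSTS = (
    "smartscreen.microsoft.com",
    "smartscreen-prod.microsoft.com",
    "urs.microsoft.com",
)

# Processes expected to contact SmartScreen on a Windows endpoint
# (assumption; extend for your environment).
EXPECTED_CLIENTS = {"smartscreen.exe", "msedge.exe", "explorer.exe",
                    "iexplore.exe", "microsoftedge.exe"}

# Constructed sample log, one network connection per line:
# <timestamp> <host> pid=<n> image=<path> dst=<host>:<port>
SAMPLE_LOG = """\
2019-07-16T10:01:02Z WS01 pid=1204 image=C:\\Windows\\System32\\smartscreen.exe dst=smartscreen-prod.microsoft.com:443
2019-07-16T10:01:07Z WS01 pid=3320 image=C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe dst=urs.microsoft.com:443
2019-07-16T10:02:15Z WS01 pid=5512 image=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe dst=smartscreen-prod.microsoft.com:443
2019-07-16T10:02:16Z WS01 pid=5512 image=C:\\Users\\bob\\AppData\\Local\\Temp\\updater.exe dst=203.0.113.10:443
2019-07-16T10:03:40Z WS01 pid=7788 image=C:\\Windows\\explorer.exe dst=urs.microsoft.com:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


@dataclass
class Alert:
    ts: str
    host: str
    pid: int
    image: str
    dst: str
    followups: int  # later non-SmartScreen connections by the same pid


def is_smartscreen_host(dst: str) -> bool:
    """True if dst is one of the reputation hosts or a subdomain of one."""
    dst = dst.lower()
    return any(dst == h or dst.endswith("." + h) for h in SMARTSCREEN_HOSTS)


def parse(log: str) -> list:
    """Parse the flat log format into dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["port"] = int(d["port"])
            events.append(d)
    return events


def find_rogue_reputation_clients(log: str) -> list:
    """Return an Alert for every SmartScreen lookup by a non-allowlisted process."""
    events = parse(log)
    alerts = []
    for i, ev in enumerate(events):
        if not is_smartscreen_host(ev["dst"]):
            continue
        exe = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if exe in EXPECTED_CLIENTS:
            continue
        # DealPly's pattern per the article: query SmartScreen, then send the
        # answer to its own C2. Later connections from the same pid to anything
        # that is not SmartScreen are the candidate call-home.
        followups = sum(
            1 for later in events[i + 1:]
            if later["pid"] == ev["pid"] and later["host"] == ev["host"]
            and not is_smartscreen_host(later["dst"])
        )
        alerts.append(Alert(ev["ts"], ev["host"], ev["pid"],
                            ev["image"], ev["dst"], followups))
    return alerts


if __name__ == "__main__":
    for a in find_rogue_reputation_clients(SAMPLE_LOG):
        print(f"{a.ts} {a.host} pid={a.pid} {a.image} -> {a.dst} "
              f"(non-SmartScreen follow-up connections: {a.followups})")
```

On the sample data only the `updater.exe` process in a user's Temp directory is flagged, with one follow-up connection to an unrelated address. The allowlist is the weak point of this rule: a sample that injects into or spoofs an allowlisted binary will not be caught, so treat it as a triage aid rather than a definitive detection.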
I’m not using Windows 10. Could DealPly affect me?
It's worth mentioning that DealPly supports multiple versions of the undocumented SmartScreen API. Because the API differs between Windows releases, this lets it run on multiple Windows versions, not just Windows 10, as the researchers explain:
It is important to note that the SmartScreen API is undocumented. This means the author has put a lot of effort into reverse engineering the inner workings of the SmartScreen mechanism.