| 1 | +# Detect potentially unwanted activity from ironSource bundlers |
| 2 | + |
| 3 | +This query was originally published in the threat analytics report, *ironSource PUA & unwanted apps impact millions*. |
| 4 | + |
| 5 | +IronSource provides software bundling tools for many popular legitimate apps, such as FileZilla. However, some of ironSource's bundling tools are considered PUA, because they exhibit potentially unwanted behavior. One component of these tools, detected by Microsoft as *Prifou*, silently transmits system information from the user. It also installs an outdated version of Chromium browser with various browser extensions, resets the user's home page, changes their search engine settings, and forces Chromium and itself to launch at startup. |
| 6 | + |
| 7 | +The following query can be used to locate unique command-line strings used by ironSource bundlers to launch Prifou, as well as commands used by Prifou to install Chromium. |
| 8 | + |
| 9 | +## Query |
| 10 | + |
| 11 | +```Kusto |
| 12 | +union DeviceFileEvents, DeviceProcessEvents |
| 13 | +| where Timestamp > ago(7d) |
| 14 | +// Prifou launched by ironSource bundler |
| 15 | +| where ProcessCommandLine has "/mhp " and ProcessCommandLine has "/mnt " |
| 16 | +and ProcessCommandLine has "/mds " |
| 17 | +// InstallCore launch commands |
| 18 | +or (ProcessCommandLine has "/mnl" and ProcessCommandLine has "rsf") |
| 19 | +// Chromium installation |
| 20 | +or ProcessCommandLine has "bundlename=chromium" |
| 21 | +or FileName == "prefjsonfn.txt" |
| 22 | +| project SHA1, ProcessCommandLine, FileName, InitiatingProcessFileName, |
| 23 | +InitiatingProcessCommandLine, InitiatingProcessSHA1 |
| 24 | +``` |
| 25 | + |
| 26 | +## Category |
| 27 | + |
| 28 | +This query can be used to detect the following attack techniques and tactics ([see MITRE ATT&CK framework](https://attack.mitre.org/)) or security configuration states. |
| 29 | + |
| 30 | +| Technique, tactic, or state | Covered? (v=yes) | Notes | |
| 31 | +|-|-|-| |
| 32 | +| Initial access | | | |
| 33 | +| Execution | | | |
| 34 | +| Persistence | v | | |
| 35 | +| Privilege escalation | | | |
| 36 | +| Defense evasion | | | |
| 37 | +| Credential Access | | | |
| 38 | +| Discovery | | | |
| 39 | +| Lateral movement | | | |
| 40 | +| Collection | | | |
| 41 | +| Command and control | | | |
| 42 | +| Exfiltration | | | |
| 43 | +| Impact | | | |
| 44 | +| Vulnerability | | | |
| 45 | +| Misconfiguration | | | |
| 46 | +| Malware, component | v | | |
| 47 | + |
| 48 | +## Contributor info |
| 49 | + |
| 50 | +**Contributor:** Microsoft Threat Protection team |
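Review bot: the filter block beginning `| where ProcessCommandLine has "/mhp " and ProcessCommandLine has "/mnt "` chains `and` and `or` with only the InstallCore clause parenthesised, so the Prifou condition is grouped correctly only because KQL binds `and` more tightly than `or`; wrap the three-term Prifou condition in its own parentheses, e.g. `| where (ProcessCommandLine has "/mhp " and ProcessCommandLine has "/mnt " and ProcessCommandLine has "/mds ")`, so the intent survives future edits to the clause. The `project` line also drops `Timestamp` and `DeviceName`, which analysts need to triage hits per host and to scope the 7-day window; consider adding both columns.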