Adware.Adposhel takes over your web push notifications administration

Credit to Author: Pieter Arntz | Date: Thu, 06 Feb 2020 18:10:02 +0000

Since late last year our researchers have been monitoring a new technique involving web push notifications, deployed by an adware family detected by Malwarebytes as Adware.Adposhel.

What does Adware.Adposhel change?

The adware uses Chrome policies to ensure that notification prompts will be shown, and adds some of its own domains to the list of sites that are allowed to push web notifications. So far, nothing new. The recent twist, however, is that it enforces these settings as an administrator, so that the regular Chrome user is no longer able to change them in the Notifications menu.

It seems they have now decided to fully deploy this tactic, as we are seeing complaints about it emerge on computer forums and Reddit.

Victims complain that they are unable to remove domains from the list of domains that are allowed to show web push notifications, and unable to change the setting that controls whether websites can ask to show notifications at all.

[Screenshot: default setting controlled by administrator]

Disabling that setting would normally stop a user from seeing prompts like this one:

[Screenshot: notifications prompt]

If I were to click Allow on that prompt, this domain would be added to my allow list of URLs, with the understanding that I would be able to remove it manually in the Notifications menu later on.

Adware.Adposhel uses the NotificationsAllowedForUrls policy to block users from removing its entries from the Allow list.

For a normal entry you would see the three-dot (ellipsis) menu icon that opens the settings menu for that entry:

[Screenshot: settings menu]

For the entries that Adware.Adposhel submitted through the policy, you will instead see the icon that tells you the setting is enforced by an administrator, with the accompanying text shown when you hover over the icon:

[Screenshot: setting enforced by administrator]

How do I undo the changes made by Adware.Adposhel?

Note that this does not mean you can change the setting simply because you are an administrator on the system you are working on: the Chrome settings page stays locked for every user, administrator or not, as long as the policy exists. If you are the system administrator, however, you can undo the notification changes made by the Adposhel installer by applying a simple registry fix:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome]
"DefaultNotificationsSetting"=dword:00000001

[-HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\NotificationsAllowedForUrls]

This is safe to do unless there were legitimate URLs in the list of URLs that are allowed to show notifications by policy, which I doubt. Keep in mind that any value that remains under the Policies key is still administrator-enforced (the first line above keeps the default setting enforced as "Allow"); if you want the default setting back under the user's control, delete the value rather than setting it. And we always advise creating a backup of the registry before making any changes.
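The same cleanup as a script, added here as an example; it is not code from the original post or from Malwarebytes. It reads the Chrome policy key, flags NotificationsAllowedForUrls entries that match the domains in this post's IOC list, exports the policy key to a .reg backup with reg.exe, and then deletes the two policies (use -WhatIf to preview). It assumes Windows with Windows PowerShell 5.1 or newer and an elevated prompt; the backup folder and file names are this example's own choices.

```powershell
<#
  Added example, not code from the original post or from Malwarebytes.
  Audits the Chrome policy keys that Adware.Adposhel abuses, backs them up
  with reg.exe export, and (unless -WhatIf is given) removes the enforced
  notification policies. Assumes Windows, Windows PowerShell 5.1 or newer
  and an elevated (administrator) prompt. The domain list is the IOC list
  from this post; the backup folder/file names are assumptions.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupDir = (Join-Path $env:TEMP 'chrome-policy-backup')
)

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$AllowedKey = Join-Path $PolicyKey 'NotificationsAllowedForUrls'
$IocDomains = @(
    'aclassigned.info', 'chainthorn.com', 'cityskyscraper.com', 'concreasun.info',
    'dimlitroom.com', 'durington.info', 'efishedo.info', 'enclosely.info',
    'insupposity.info', 'nineteducer.info', 'oncreasun.info', 'parliery.info',
    'qareaste.info', 'stilysee.info', 'suggedin.info'
)
# Meaning of DefaultNotificationsSetting values as documented for the Chrome policy.
$SettingMeaning = @{ 1 = 'Allow without asking'; 2 = 'Block'; 3 = 'Ask' }

function Get-ChromeNotificationPolicy {
    # Returns what machine policy currently enforces: $null / empty list if nothing.
    $default = $null
    $urls    = @()
    if (Test-Path $PolicyKey) {
        $props = Get-ItemProperty -Path $PolicyKey
        if ($null -ne $props.DefaultNotificationsSetting) {
            $default = [int]$props.DefaultNotificationsSetting
        }
    }
    if (Test-Path $AllowedKey) {
        # Chrome stores list policies as a subkey holding numbered REG_SZ values ("1", "2", ...).
        $item = Get-Item -Path $AllowedKey
        $urls = @($item.GetValueNames() | ForEach-Object { [string]$item.GetValue($_) })
    }
    [pscustomobject]@{ DefaultNotificationsSetting = $default; AllowedUrls = $urls }
}

function Test-IocUrl {
    param([string]$PolicyUrl)
    # Policy URL patterns look like "https://[*.]example.com" or "[*.]example.com:443".
    # Strip the scheme, the [*.] wildcard and anything after the host before comparing.
    $hostName = $PolicyUrl -replace '^[a-zA-Z]+://', '' -replace '^\[\*\.\]', '' -replace '[:/].*$', ''
    foreach ($d in $IocDomains) {
        if ($hostName -eq $d -or $hostName.EndsWith(".$d")) { return $true }
    }
    return $false
}

$policy = Get-ChromeNotificationPolicy
if ($null -eq $policy.DefaultNotificationsSetting) {
    Write-Output 'DefaultNotificationsSetting: not set by policy (the user controls it).'
} else {
    Write-Output ('DefaultNotificationsSetting enforced by policy: {0} ({1})' -f
        $policy.DefaultNotificationsSetting, $SettingMeaning[$policy.DefaultNotificationsSetting])
}
foreach ($u in $policy.AllowedUrls) {
    $tag = if (Test-IocUrl $u) { 'KNOWN ADPOSHEL DOMAIN' } else { 'review manually' }
    Write-Output ('NotificationsAllowedForUrls: {0,-45} {1}' -f $u, $tag)
}
if ($null -eq $policy.DefaultNotificationsSetting -and $policy.AllowedUrls.Count -eq 0) {
    Write-Output 'No enforced notification policy found; nothing to clean.'
    return
}

# Back up the whole Chrome policy key before touching it (reg.exe export ships with Windows).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$backupFile = Join-Path $BackupDir ('Chrome-policies-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
& reg.exe export 'HKLM\SOFTWARE\Policies\Google\Chrome' $backupFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg.exe export failed; aborting without making changes.' }
Write-Output "Backup written to $backupFile"

# Remove the policies. Deleting them (rather than setting a value) hands control back to the user.
if ((Test-Path $AllowedKey) -and $PSCmdlet.ShouldProcess($AllowedKey, 'Delete policy subkey')) {
    Remove-Item -Path $AllowedKey -Recurse -Force
}
if ($null -ne $policy.DefaultNotificationsSetting -and
    $PSCmdlet.ShouldProcess("$PolicyKey\DefaultNotificationsSetting", 'Delete policy value')) {
    Remove-ItemProperty -Path $PolicyKey -Name 'DefaultNotificationsSetting'
}
Write-Output 'Done. Restart Chrome, then check chrome://policy and Settings > Notifications.'
```

Save it as, for instance, Clean-ChromeNotificationPolicy.ps1, run it once with -WhatIf to see what it would delete, then run it for real. Unlike the .reg file above, it deletes DefaultNotificationsSetting instead of setting it to 1, so the default setting returns to the user's control; entries on the allow list that do not match the IOC domains are printed for manual review before the whole subkey is removed, and the .reg backup can be re-imported if anything legitimate was lost.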

Backing up the registry with ERUNT

Modifying the registry may create unforeseen results, so we always recommend creating a backup prior to doing that!

Please download ERUNT and save the file to the desktop.

  • Install ERUNT by following the prompts, but say No to the portion that asks you to add ERUNT to the startup folder.
  • Right-click the ERUNT icon and select Run as Administrator to start the tool.
  • Leave the default location (C:\WINDOWS\ERDNT) as the place for your backup.
  • Make sure that System registry and Current user registry are ticked.
  • The third option Other open users registries is optional.
  • Press OK to backup and then press YES to create the folder.

This tool won't generate any report. You may uninstall it after the cleaning is done.

Protection and detection

Malwarebytes detects the installers as Adware.Adposhel.

[Screenshot: Malwarebytes blocks Adware.Adposhel]

The URLs enforced by this Adposhel-induced Chrome policy are detected as Adware.ForcedNotifications.ChrPRST.

[Screenshot: ForcedNotifications detections]

IOCs

Domains:

  • aclassigned.info
  • chainthorn.com
  • cityskyscraper.com
  • concreasun.info
  • dimlitroom.com
  • durington.info
  • efishedo.info
  • enclosely.info
  • insupposity.info
  • nineteducer.info
  • oncreasun.info
  • parliery.info
  • qareaste.info
  • stilysee.info
  • suggedin.info

Stay safe everyone!

The post Adware.Adposhel takes over your web push notifications administration appeared first on Malwarebytes Labs.
