What We Do
How We Do
Get Started

AdsExhaust, a Newly Discovered Adware Masquerading as the Oculus Installer

BY eSentire Threat Response Unit (TRU)

June 19, 2024 | 6 MINS READ


Threat Intelligence

Threat Response Unit

TRU Positive/Bulletin

Want to learn more on how to achieve Cyber Resilience?


Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.

We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.

Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.

In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.

Here’s the latest from our TRU Team…

What did we find?

In June 2024, the eSentire Threat Response Unit (TRU) identified adware, which we have dubbed AdsExhaust, being distributed through a fake Oculus installer application. The adware is capable of exfiltrating screenshots from infected devices and interacting with browsers using simulated keystrokes.

These functionalities allow it to automatically click through advertisements or redirect the browser to specific URLs, generating revenue for the adware operators.

The infection began when the user performed a web search for the Oculus application and visited the malicious page serving the adware. Upon clicking “Download Now,” the user will receive a ZIP archive containing the batch script named “oculus-app.EXE” (MD5: f089c37110f17041640910b0d49bfc5a).

The batch script is responsible for the following:

Figure 1: Initial Infection Chain

The backup.bat file is responsible for dropping additional scripts, such as VBS (Visual Basic Script) and PowerShell, to the host and creating more scheduled tasks for persistence (Figure 2). The files are dropped under the “AppData\Local\wespmail” path.

Figure 2: Scheduled tasks created

The scheduled tasks eventually lead to the execution of the PowerShell script (Figure 3). The PowerShell script runs in a continuous loop for 9 minutes while performing the following tasks:

Figure 3: Snippet of the PowerShell script containing the JSON data sent to the C2 server (comments are added for clarity)

AdsExhaust Main Payload

The response from the server contains the main PowerShell payload which is AdsExhaust adware. The AdsExhaust creates a mutex “Global\edgeuniqueprocess” to ensure that only one instance is running. It then checks if the Microsoft Edge browser is running and determines the last time a user input occurred.

If Edge is running and the system is idle and exceeds 9 minutes, the script can inject clicks, open new tabs, and navigate to URLs embedded in the script (Figure 4). It then randomly scrolls up and down the opened page.

This might be intended to trigger elements such as ads. AdsExhaust performs random clicks within specific coordinates on the screen. This could be done to target specific advertising areas.

Figure 4: Snippet of the URLs embedded in the script

If the adware detects mouse movement or user interaction, it closes the opened browser. It’s also worth noting that the adware captures a screenshot of the device and creates an overlay (Figure 5) to hide its activities and deceive the user about the system's real state.

Figure 5: Snippet that takes the screenshot and creates an overlay

If the Edge browser is already running, the adware searches for the word "Sponsored" in the currently opened tab and attempts to interact with it, simulating user interactions to fraudulently increase ad revenue through artificial clicks on sponsored ads.

The adware makes a web request to hxxp://us99[.]org/keywords.txt to fetch a list of keywords (the server appeared to be offline when writing this article). If the keyword is successfully retrieved, the adware launches Microsoft Edge, directing it to perform a Google search on the selected keyword via the following command:

AdsExhaust is an adware threat that cleverly manipulates user interactions and hides its activities to generate unauthorized revenue. It contains multiple techniques, such as retrieving malicious code from the C2 server, simulating keystrokes, capturing screenshots, and creating overlays to remain undetected while engaging in harmful activities.

What did we do?

Our team of 24/7 SOC Cyber Analysts isolated the affected host and notified the customer of suspicious activities.

What can you learn from this TRU Positive?

Recommendations from our Threat Response Unit (TRU):

We recommend implementing the following controls to help secure your organization against AdsExhaust:

Indicators of Compromise

You can access Indicators of Compromise here.

eSentire Unit
eSentire Threat Response Unit (TRU)

The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.

Read the Latest from eSentire