Magala

By GoldSparrow in Trojans

Threat Scorecard

Threat Level: 90 % (High)
Infected Computers: 30
First Seen: July 14, 2017
Last Seen: January 20, 2022
OS(es) Affected: Windows

Magala is a computer Trojan designed to generate profit for its developers by connecting infected machines to a botnet and clicking on advertisements. Magala belongs to the category of Trojan clickers, which use compromised machines to click on sponsored search results, ads and promotions. The Magala Trojan functions similarly to the Buoveco, Libie and FaceLiker threats we have recorded in the past. The Magala malware emerged in cyber security reports in the second week of July 2017. As mentioned earlier, Magala performs machine clicks on ads to generate revenue. The pool of victims is comprised of regular PC users and office workers who did not apply updates to the software they were using.

The Attack Vector for Magala

Threat actors are known to exploit vulnerabilities in browsers like Google Chrome, Internet Explorer, and Mozilla Firefox, as well as plug-ins like Java and Adobe Flash. That allows them to spread the Magala Trojan to many vulnerable systems and create a botnet of the infected devices. Once it is installed, Magala creates a virtual desktop space that is displayed to the PC user. It should be noted that Magala requires integration with Internet Explorer version 8 and above. If Magala does not find an appropriate version, it terminates itself and deletes its traces on the PC. Initial threat analysis revealed that the Magala Trojan downloads and installs the MapsGalaxy Toolbar (Free.MapsGalaxy.com) by Mindspark Interactive Network, Inc. and modifies the Registry so that the page hxxp://hp.myway.com/mapsgalaxy/ttab02/index.html is loaded as the homepage, default search provider or new tab page.

How is Magala Making Money for Its Developers?

Magala takes advantage of the MyWay search service that powers the MapsGalaxy Toolbar and can be found on Int.search.myway.com. The MyWay search aggregator is implemented in many applications by Mindspark and serves as a way to monetize free browser extensions produced by the company. Web surfers who use Int.search.myway.com help Mindspark earn pay-per-view and pay-per-click revenue from advertisers. That is the core functionality that is exploited by the Magala team. The threat connects to 'Command and Control' servers and downloads a plain text file with search terms that are monetized via MyWay. Magala loads the keywords on hp.myway.com/mapsgalaxy/ttab02/ and the Trojan clicks on the first ten links generated by the MyWay search engine. Each click is performed 10 seconds after the previous one, with the aim of limiting the chance of being recognized as a machine-generated click on Int.search.myway.com.
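A defender can look for the click cadence described above in web proxy logs. The following is an added example, not code from the original write-up: it flags clients that load a MyWay search page and then issue a run of requests spaced about 10 seconds apart. The log format, the `find_clicker_clients` name, the tolerance and run threshold, and the sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

SEARCH_HOSTS = {"hp.myway.com", "int.search.myway.com"}  # hosts named on this page
CLICK_GAP = 10.0   # seconds between clicks, as described on this page
TOLERANCE = 1.5    # assumed allowance for timing jitter in the log
MIN_RUN = 5        # assumed threshold of evenly spaced clicks before flagging

def find_clicker_clients(lines):
    """Return {client: longest run of ~10 s spaced requests after a MyWay search}."""
    by_client = defaultdict(list)
    for line in lines:
        ts, client, host, _path = line.split(maxsplit=3)
        by_client[client].append((datetime.fromisoformat(ts), host.lower()))
    flagged = {}
    for client, events in by_client.items():
        armed, run, best, prev = False, 0, 0, None
        for ts, host in sorted(events):
            if host in SEARCH_HOSTS:
                armed, run, prev = True, 0, None   # a search starts a new sequence
            elif armed:
                # First request after the search opens the run; later ones must
                # arrive one CLICK_GAP after the previous request.
                if prev is None or abs((ts - prev).total_seconds() - CLICK_GAP) <= TOLERANCE:
                    run, prev = run + 1, ts
                    best = max(best, run)
                else:
                    armed = False                  # cadence broken: not machine-like
        if best >= MIN_RUN:
            flagged[client] = best
    return flagged

# Constructed sample: 10.0.0.5 follows the clicker cadence, 10.0.0.9 browses by hand.
SAMPLE = ["2017-07-14T09:00:00 10.0.0.5 hp.myway.com /mapsgalaxy/ttab02/"] + [
    f"2017-07-14T09:{(3 + 10 * i) // 60:02d}:{(3 + 10 * i) % 60:02d} "
    f"10.0.0.5 result{i}.example /landing"
    for i in range(10)
] + [
    "2017-07-14T09:01:00 10.0.0.9 int.search.myway.com /search",
    "2017-07-14T09:01:07 10.0.0.9 news.example /article",
    "2017-07-14T09:01:45 10.0.0.9 shop.example /item",
    "2017-07-14T09:01:55 10.0.0.9 shop.example /cart",
]

if __name__ == "__main__":
    print(find_clicker_clients(SAMPLE))
```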

How Much is Magala Expected to Make Per Day?

At the time of research, a cost per click or CPC might earn 0.07 USD, and for every thousand clicks, Magala produces 2.2 USD. You would be right to question whether there is any profit to gain from supporting Magala. Imagine around one thousand computers running Magala, and the goal of the malware authors comes into focus. The power of Magala is its potential to use hundreds of computers and accumulate a significant profit. Some computer security researchers suggest that the Magala network may be able to produce 350 USD per infected machine if the clicks are organized properly. Fortunately, cyber security providers have created virus signatures and rules to detect the Magala Trojan Clicker. You should run a reputable security suite and keep your Web browser and plug-ins up to date. AV engines may flag the files related to Magala and show alerts featuring the following names:

  • BehavesLike.Win32.BrowseFox.dh
  • TROJ_GEN.R0ADC0DEJ17
  • TrojWare.Win32.TrojanClicker.Agent.NYY
  • Trojan.DownLoader23.56788
  • Trojan.Dynamer!8.3A0 (cloud:a9X7nYV600U)
  • Trojan.Generic.atwpa
  • Trojan.Zusy.D35D9E
  • UDS:DangerousObject.Multi.Generic
  • W32/S-496708b8!Eldorado
  • Win32.Trojan.WisdomEyes.16070401.9500.9931
  • a variant of Win32/TrojanClicker.Agent.NYY
