New Extenbro DNS Changer Trojan Blocks Security Domains (Jul 16, 2019)
“Extenbro” is a newly discovered DNS-changing trojan that blocks users from reaching security sites so that they cannot download antivirus software. Malwarebytes Labs uncovered the trojan hidden within an adware bundler that is publicly available for download. When installed, it creates a scheduled task that launches the trojan automatically at startup. The trojan then disables IPv6 on the compromised machine to make sure the victim cannot circumvent the attacker-controlled DNS servers. Even after an infected user finds and removes the rogue DNS servers added to their network settings, the malware re-adds them after a system restart, because during infection it also creates a randomly named scheduled task for exactly this purpose. Malwarebytes has published a removal guide on its forums.
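The three host-level traits described above (rogue DNS servers on the adapters, IPv6 switched off, and a boot- or logon-triggered scheduled task that restores the DNS change) are all things a defender can audit locally. The following PowerShell script is an added example written for this summary; it is not code from Malwarebytes or from the article. It uses only built-in cmdlets (`Get-DnsClientServerAddress`, `Get-NetAdapterBinding`, `Get-ScheduledTask`), and the resolver allowlist in `$ExpectedDns` is a constructed placeholder that you would replace with your organisation's own DNS servers.

```powershell
# Added example (not from the original article): audit a Windows host for the
# behaviours attributed to the Extenbro DNS changer:
#   1. DNS servers on any IPv4 interface that are not on the expected list
#   2. IPv6 disabled, either per adapter or via the global registry switch
#   3. Scheduled tasks that fire at boot or logon (where persistence was placed)
# Run from an elevated PowerShell prompt; returns one object per finding.

function Invoke-DnsChangerAudit {
    param(
        # Assumption: constructed placeholder resolvers; replace with your own.
        [string[]]$ExpectedDns = @('10.0.0.53', '10.0.0.54'),
        # Tasks under \Microsoft\ are skipped by default to cut noise; pass
        # -IncludeMicrosoftTasks to audit them too.
        [switch]$IncludeMicrosoftTasks
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Unexpected DNS servers on each IPv4 interface
    foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
        foreach ($srv in $cfg.ServerAddresses) {
            if ($srv -notin $ExpectedDns) {
                $findings.Add([pscustomobject]@{
                    Check  = 'UnexpectedDnsServer'
                    Where  = $cfg.InterfaceAlias
                    Detail = $srv
                })
            }
        }
    }

    # 2a. IPv6 protocol binding removed from an adapter
    foreach ($b in Get-NetAdapterBinding -ComponentID ms_tcpip6) {
        if (-not $b.Enabled) {
            $findings.Add([pscustomobject]@{
                Check  = 'IPv6Disabled'
                Where  = $b.Name
                Detail = 'ms_tcpip6 binding disabled'
            })
        }
    }

    # 2b. Global IPv6 disable switch (DisabledComponents != 0)
    $tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc = (Get-ItemProperty -Path $tcpip6 -Name DisabledComponents `
            -ErrorAction SilentlyContinue).DisabledComponents
    if ($dc -and $dc -ne 0) {
        $findings.Add([pscustomobject]@{
            Check  = 'IPv6Disabled'
            Where  = $tcpip6
            Detail = ('DisabledComponents = 0x{0:X}' -f $dc)
        })
    }

    # 3. Enabled scheduled tasks with a boot or logon trigger, and what they run
    $startupTriggers = @('MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger')
    foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
        if (-not $IncludeMicrosoftTasks -and $t.TaskPath -like '\Microsoft\*') { continue }
        $hit = $t.Triggers | Where-Object { $_.CimClass.CimClassName -in $startupTriggers }
        if (-not $hit) { continue }
        foreach ($a in $t.Actions) {
            $findings.Add([pscustomobject]@{
                Check  = 'StartupTask'
                Where  = $t.TaskPath + $t.TaskName
                Detail = ('{0} {1}' -f $a.Execute, $a.Arguments).Trim()
            })
        }
    }

    return $findings
}

# Usage: list findings; an empty result on a known-good host is your baseline.
Invoke-DnsChangerAudit | Format-Table -AutoSize
```

Two points on using this: the startup-task check is deliberately broad, so compare its output against a clean baseline image rather than treating every hit as malicious; and because the article notes the rogue DNS entries come back after a reboot, the task list is the place to look when a DNS fix does not stick.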
Recommendation: It is important to note that Extenbro is typically bundled with free programs that do not adequately disclose that other software may be installed along with them. Therefore, it is important that you pay close attention to license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you custom installation options, it is a good idea to select these, as they will typically disclose what other third-party software will also be installed. Furthermore, if the license agreement or installation screens state that they are going to install a toolbar or other unwanted adware, it is advised that you immediately cancel the install and not use the free software.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.