I originally wrote and sent this on November 28, but I wasn't subscribed to the mailing list yet so I don't think it went through. Since then I have contacted DigiCert and they have revoked the code signing certificate. Original email follows.
I saw a Google search ad for GNU Cash which is a malware/phishing attempt, I believe. See this screenshot: https://imgur.com/K3aeix7.png Note the hyphen in the ad URL. It was a clone of the GNU Cash website, except the Windows download link downloads a 2,957KB setup.exe directly rather than going to sourceforge.

I want to record some information about the site and installer in case it disappears.

IP: 172.67.145.128
Registrar: webnic.cc
Registered On: 2022-10-20
Nameservers: cloudflare
Registrant Contact Information: unknown, Berlin, DE

The virustotal scan comes up mostly clean: https://www.virustotal.com/gui/file/15d333959c6bf4bc913a3526a7aae8855af60b08a2542ee245d18b79dc7eede5

I wouldn't be surprised if a malicious GNU Cash would not flag virus scanners, because it wouldn't need to install a typical virus payload; it would just record account information and upload that somewhere.

Note that the setup.exe is signed with a certificate issued to is-NHIDL.tmp. See the details on virustotal.

After I uploaded the setup.exe to virustotal the phishing website changed to a placeholder site titled "Dot Com Inovations" showing events around Spokane. Strangely, one of the recent posts on the placeholder site is titled "Beast: Plot, Cast, and Everything Else gnucash gnu cash gnu-cash We Know".

I created a virtual machine to run the installer in to see what it does. I did this after uploading to virustotal, so it's possible the installer changed its behavior to hide its tracks. The setup.exe pops up a window saying it's downloading and downloads gnucash-4.12.setup.exe to %LOCALAPPDATA%\Temp, then runs it. This downloaded setup exe has the same SHA256 hash as the real one I just downloaded from sourceforge. It launches the downloaded installer, which runs as four processes. One executes the installer out of \Temp, one executes it out of C:\ProgramData\, and two execute temp files from \Temp\is-NHIDL.tmp\gnucash-4.12.setup.tmp (1320KB).

I'm not sure what was going on there, but I'm guessing that it patches the installer in-memory so the installer hash is unchanged. These files are deleted from Temp\ when the installer closes. I created a copy of Temp\ while the installer was running. The installed GnuCash looks normal.

I'm not an experienced malware investigator, so I don't know what else to do with it. If you have some ideas let me know and I may be able to help.

I reported the Google ad for being misleading and malicious. The ad may not stay around for long now that the site has gone into hiding, so I'm not sure what good it'll do.

I'm not sure what we can do to prevent this from happening in the future, but we should try. I'm not sure what we can do to contact people who may have downloaded the malicious installer. The setup.exe was signed on 2022-11-08 02:28:00 UTC, so it may have been up for a few weeks.

I noticed that Google does not show ads for searches like "Nvidia Drivers", probably to avoid this kind of problem. Maybe we can convince them to do the same for GNU cash, but I'm not optimistic.

I'm going to contact DigiCert to tell them a cert they issued is being used to sign malware installers.

_______________________________________________
gnucash-user mailing list
To update your subscription preferences or to unsubscribe: https://lists.gnucash.org/mailman/listinfo/gnucash-user
-----
Please remember to CC this list on all your replies. You can do this by using Reply-To-List or Reply-All.
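A defender-side triage script for a downloaded installer, added here as an example and not part of the original email or the GnuCash project: it compares the file's SHA256 against the dropper hash quoted in the post and against a placeholder for the official release hash, then inspects the Authenticode signer for the temp-directory-style CN the post describes. It assumes Windows PowerShell 5.1 or later (Get-FileHash and Get-AuthenticodeSignature).

```powershell
# Added triage script, not from the original post or the GnuCash project.
# Usage: .\Check-Installer.ps1 -Path "$env:USERPROFILE\Downloads\setup.exe"
param(
    [Parameter(Mandatory = $true)][string]$Path
)

# SHA256 of the malicious setup.exe, as reported on VirusTotal in the post.
$KnownBadHash = '15d333959c6bf4bc913a3526a7aae8855af60b08a2542ee245d18b79dc7eede5'
# PLACEHOLDER: the official SHA256 for gnucash-4.12.setup.exe is not in the
# post; copy it from the release page before relying on this comparison.
$ExpectedGoodHash = '<SHA256-FROM-OFFICIAL-RELEASE-PAGE>'

$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLowerInvariant()
Write-Host "SHA256: $hash"

if ($hash -eq $KnownBadHash) {
    Write-Warning 'MATCH: this is the dropper from the fake gnu-cash ad. Do not run it.'
}
elseif ($hash -ne $ExpectedGoodHash.ToLowerInvariant()) {
    Write-Warning 'Hash does not match the official release hash; treat as untrusted.'
}

$sig = Get-AuthenticodeSignature -FilePath $Path
Write-Host "Signature status: $($sig.Status)"

if ($sig.SignerCertificate) {
    $subject = $sig.SignerCertificate.Subject
    Write-Host "Signer subject: $subject"
    # The dropper was signed with a cert issued to 'is-NHIDL.tmp', which is the
    # naming pattern of an Inno Setup temp directory. A signer CN that looks
    # like a temp file name instead of a publisher is a red flag on its own.
    if ($subject -match 'CN=is-[A-Z0-9]{5}\.tmp') {
        Write-Warning "Signer CN looks like an Inno Setup temp name: $subject"
    }
    # After DigiCert revoked the cert, chain validation no longer reports Valid.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "Signature is not valid (status: $($sig.Status))."
    }
}
else {
    Write-Warning 'File is not Authenticode-signed.'
}
```

Run it against the downloaded file before executing the installer; a known-bad hash match, an unexpected hash, a temp-file-style signer CN or a non-Valid signature status are each grounds to stop and report rather than install.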
