Adversaries may leverage IronSource’s PUA (Potentially Unwanted Application) distribution mechanism to deploy malicious payloads under the guise of legitimate apps. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate potential supply chain attacks and unauthorized app installations.
KQL Query
```kusto
union DeviceFileEvents, DeviceProcessEvents
| where Timestamp > ago(7d)
// Prifou launched by ironSource bundler
| where ProcessCommandLine has "/mhp " and ProcessCommandLine has "/mnt "
    and ProcessCommandLine has "/mds "
// InstallCore launch commands
or (ProcessCommandLine has "/mnl" and ProcessCommandLine has "rsf")
// Chromium installation
or ProcessCommandLine has "bundlename=chromium"
or FileName == "prefjsonfn.txt"
| project SHA1, ProcessCommandLine, FileName, InitiatingProcessFileName,
    InitiatingProcessCommandLine, InitiatingProcessSHA1
```
```yaml
id: 62bc4944-46dd-4c2f-ba04-72837bbfec3f
name: detect-prifou-pua
description: |
  This query was originally published in the threat analytics report, ironSource PUA & unwanted apps impact millions.
  IronSource provides software bundling tools for many popular legitimate apps, such as FileZilla. However, some of ironSource's bundling tools are considered PUA, because they exhibit potentially unwanted behavior. One component of these tools, detected by Microsoft as Prifou, silently transmits system information from the user. It also installs an outdated version of Chromium browser with various browser extensions, resets the user's home page, changes their search engine settings, and forces Chromium and itself to launch at startup.
  The following query can be used to locate unique command-line strings used by ironSource bundlers to launch Prifou, as well as commands used by Prifou to install Chromium.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceFileEvents
      - DeviceProcessEvents
tactics:
  - Persistence
  - Malware, component
query: |
  union DeviceFileEvents, DeviceProcessEvents
  | where Timestamp > ago(7d)
  // Prifou launched by ironSource bundler
  | where ProcessCommandLine has "/mhp " and ProcessCommandLine has "/mnt "
      and ProcessCommandLine has "/mds "
  // InstallCore launch commands
  or (ProcessCommandLine has "/mnl" and ProcessCommandLine has "rsf")
  // Chromium installation
  or ProcessCommandLine has "bundlename=chromium"
  or FileName == "prefjsonfn.txt"
  | project SHA1, ProcessCommandLine, FileName, InitiatingProcessFileName,
      InitiatingProcessCommandLine, InitiatingProcessSHA1
```
| Sentinel Table | Notes |
|---|---|
| DeviceFileEvents | Ensure this data connector is enabled |
| DeviceProcessEvents | Ensure this data connector is enabled |
- Scenario: Legitimate scheduled job for updating IronSource SDKs. Filter/Exclusion: `process.name != "ironSourceSDKUpdater" or process.parent.name != "java"` (if the update is triggered via a Java-based tool)
- Scenario: Admin task to deploy a legitimate app bundle using IronSource tools. Filter/Exclusion: `process.name != "ironSourceAppBundleDeployer" or process.args != "--deploy --app=legitimate_app_id"`
- Scenario: System process using IronSource libraries for analytics tracking. Filter/Exclusion: `process.name != "analyticsService" or process.parent.name != "com.ironsource.sdk"` (if the process is known to be part of a legitimate app)
- Scenario: Automated testing of a mobile app that includes IronSource integration. Filter/Exclusion: `process.name != "mobileAppTestRunner" or process.args != "--test-iron-source-integration"`
- Scenario: Use of IronSource tools for app packaging in a CI/CD pipeline. Filter/Exclusion: `process.name != "appPackager" or process.args != "--tool=ironSource" or process.parent.name != "jenkins"`