Magala Trojan Uses Virtual Desktops to Secretly Click on Search Results Ads

Share this…

A new click-fraud trojan is infecting Windows computers and using virtual desktops to click on ads in search results to earn a profit for its creator(s).

Discovered by Kaspersky Lab researcher Sergey Yunakovsky and named Magala, this trojan targets only Windows computers that have a version of Internet Explorer 9 or higher.

Magala runs search engine queries and clicks on ads

Magala’s main function is to initialize a virtual desktop and install Maps Galaxy, a browser toolbar that changes IE’s homepage to MyWay (, a search engine that uses Google’s search technology.

The trojan then contacts a command-and-control (C&C) server, from where it downloads a text file containing a list of words. Magala will take these words and run search queries through the MyWay website that was added as Internet Explorer’s homepage.

After the search results are loaded, Magala will parse the page and click on the first ten search results, some of which are promoted ads.

Magala executes all these actions via the native Windows IHTMLDocument2 interface, a mechanism that allows apps to access web pages.

Magala can earn around $350 from each infected PC

Magala’s actions earn the crook a profit every time an infected host clicks on promoted ads.

“As far as we know, an average cost per click (CPC) in a campaign like this is 0.07 USD. The cost per thousand (CPM) comes to 2.2 USD,” says Yunakovsky.

“A botnet consisting of 1000 infected computers clicking 10 website addresses from each search result and performing some 500 search requests with no overlaps in the search results could ideally mean the virus writer earns up to 350 USD from each infected computer. However, these cost estimates are only approximations, and don’t typically occur in the real world.”

IE toolbar firm attempting to track down Magala author

According to Lawrence Abrams, the owner of and researcher behind many of its virus removal guides, the Magala trojan was seen as far back as January 2017. At that time, Abrams discovered the Trojan being installed via adware bundles that would install it without the knowledge of the victim.

When first discovered, Abrams reached out to IAC Apps, the creator of the MapsGalaxy Toolbar, to alert them of the behavior of this Trojan. In discussions with IAC, information was given to help them track down the possible actor, but no further resolution was provided by IAC to BleepingComputer.

Malware such as Magala doesn’t cause direct harm to the users it infects other than computer CPU and memory utilization, but to companies that pay large sums of money to online advertising firms to promote themselves, but get useless bot traffic in return.