Magala is a click-fraud trojan that infects Windows computers. Once it has infected a device, it checks which version of Internet Explorer is running. If it is version 9 or higher, the trojan initializes a virtual desktop and installs Map Galaxy, a browser toolbar that changes Internet Explorer's homepage to MyWay, a search engine that uses Google's search technology. The trojan receives a text file containing a list of words from its C2 server and uses those words to run search queries through MyWay. Once the search results load, Magala clicks on the first ten search results, including promotional ads. It performs these actions through the native Windows IHTMLDocument2 interface, which allows apps to access web pages. Currently, most Magala infections occur in Germany and the US. The trojan has the potential to earn a threat actor $350 per affected device.
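
One way to look for the behaviour described above (a search followed by clicks on the first ten results) in web-proxy logs, added here as an example and not taken from Securelist or from the trojan's analysis: it flags a client that opens ten or more distinct sites from the same results page within a short window. The hostname `search.example`, the 60-second window and the record layout are assumptions, and the check relies on the proxy seeing URLs and Referer headers.

```python
from collections import defaultdict
from urllib.parse import urlsplit

SEARCH_HOST = "search.example"  # placeholder: the page gives no MyWay hostname
MIN_CLICKS = 10                 # from the page: the first ten results are clicked
WINDOW_S = 60                   # assumed tuning value, not from the page

def find_click_bursts(records):
    """records: (epoch_seconds, client, url, referer) tuples from a proxy log.
    Returns sorted (client, search_url, distinct_sites) for suspicious bursts."""
    clicks = defaultdict(list)  # (client, results page) -> [(ts, dest host)]
    for ts, client, url, referer in records:
        if not referer:
            continue
        dest = urlsplit(url).hostname
        # Keep only navigations away from the search host that a results page referred.
        if urlsplit(referer).hostname == SEARCH_HOST and dest and dest != SEARCH_HOST:
            clicks[(client, referer)].append((ts, dest))
    hits = []
    for (client, search_url), events in clicks.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most WINDOW_S seconds.
            while events[end][0] - events[start][0] > WINDOW_S:
                start += 1
            best = max(best, len({host for _, host in events[start:end + 1]}))
        if best >= MIN_CLICKS:
            hits.append((client, search_url, best))
    return sorted(hits)

def sample_records():
    """Constructed records for illustration, not captured traffic."""
    page = "http://search.example/results?q=garden+tools"
    # Host 10.0.0.5: ten different result sites opened within 18 seconds.
    recs = [(1000 + 2 * i, "10.0.0.5", f"http://site{i}.example/", page)
            for i in range(10)]
    # Host 10.0.0.9: two results opened minutes apart, then a new search.
    recs += [(1000, "10.0.0.9", "http://site1.example/", page),
             (1400, "10.0.0.9", "http://site2.example/", page),
             (1500, "10.0.0.9", "http://search.example/results?q=x", page)]
    return recs

if __name__ == "__main__":
    for hit in find_click_bursts(sample_records()):
        print(hit)
```

Counting distinct destination hosts rather than raw requests keeps page assets and repeated visits to one site from inflating the score.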

Technical Details

Securelist provides technical details on the Magala trojan.