Researchers have found an ongoing malware campaign that uses a network of websites acting as a “dropper as a service” to deliver malware to victims looking for “cracked” versions of popular software.
These websites bundle up a variety of malware together in a single dropper. They include “an assortment of clickfraud bots, other information stealers, and even ransomware.”
Network Targets People Looking for Cracked Software
Cybersecurity firm Sophos published a report last week detailing the malware campaign. It stated that the campaign uses a network of bait pages that claim to provide “cracked” versions of popular software, including antivirus software.
These pages are hosted on WordPress and contain download links to software packages. When a user clicks on a download link, it redirects them to a different website that delivers unwanted plug-ins and malware.
This includes installers for Raccoon Stealer, Stop Ransomware, the Glupteba backdoor, and cryptocurrency miners disguised as antivirus solutions.
How Does it Work?
Sophos said that most of the bait pages are hosted on WordPress blog platforms. These pages contain download buttons that lead the victim either to a download site hosting a malware package, or to browser plug-ins or applications classed as unwanted.
These sites prompt visitors to allow notifications. Doing so triggers false malware alerts. If a user clicks on an alert, they are directed through a series of websites before finally landing at a destination determined by the user’s operating system, browser type, and geographic location.
The downloads contain “a variety of unwanted applications and malware.”
In the course of their research, Sophos downloaded Raccoon Stealer, Stop Ransomware, the Glupteba backdoor, and a range of malicious cryptocurrency miners. Ironically, much of the malware came from droppers disguised as antivirus installers.
It’s a well-executed campaign. The websites use search engine optimization techniques to appear at the top of search results when users look for pirated software.
Traffic Exchanges and Malware Middlemen
Campaigns of this nature originate in underground marketplaces for paid download services, known as Traffic Exchanges. They allow entry-level cybercriminals to set up and tailor their campaigns based on geographical targeting.
Traffic exchanges usually require a Bitcoin payment before affiliates can set up their account and begin distributing installers. The report uses the example of InstallBest, an exchange hosted in Russia. InstallBest provides information on how to get started, and offers advice on best practices.
Additionally, researchers found a number of services that act as malware intermediaries. Instead of offering their own malware delivery networks, they connect parties to established traffic suppliers. They found that InstallUSD, a Pakistan-based advertising network, has ties to several malware campaigns on “cracked” software sites.
For more information on malware droppers, check out our detailed resource on Trojans.