Pirated Software Used To Distribute Malware
Researchers have uncovered another persistent operation that employs a network of websites functioning as a "dropper as a service" to distribute a bundle of malware payloads to users looking for "cracked" versions of popular business and consumer programs. The malware includes several kinds of click-fraud bots, information stealers, and in some cases ransomware.

The campaign relies on a number of WordPress-hosted lure pages containing "download" links to software applications; clicking one redirects the visitor to a third-party site that serves potentially unwanted browser plug-ins and malware, including installers for Raccoon Stealer, Stop ransomware, the Glupteba backdoor, and a range of malicious cryptocurrency miners that pose as antivirus software.

"Visitors who arrive on these sites are prompted to allow notifications; if they allow this to happen, the websites repeatedly issue false malware alerts," the Sophos researchers said. "If the users click the alerts, they're directed through a series of websites until they arrive at a destination that's determined by the visitor's operating system, browser type, and geographic location."
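The notification-permission abuse described above leaves a trace on the endpoint: the browser records every origin the user granted notification rights to. The following script, an added example that is not part of the original article or of Sophos's research, audits that record in a Chromium-family browser's `Preferences` file and flags granted origins that are not on an allowlist. The sample `Preferences` content is constructed inline; the JSON layout (`profile.content_settings.exceptions.notifications`, with `setting` 1 meaning allow and 2 meaning block) and the allowlist are assumptions to adjust for your environment.

```python
import json
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed sample of the relevant slice of a Chromium "Preferences" file.
# Assumption: notification grants live under
# profile.content_settings.exceptions.notifications keyed by "<origin>,*".
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "exceptions": {
                "notifications": {
                    # legitimate grant (constructed)
                    "https://mail.example.com:443,*": {"setting": 1},
                    # grant to a lure site of the kind described above (constructed)
                    "https://free-crack-downloads.example:443,*": {"setting": 1},
                    # explicitly blocked origin (constructed)
                    "https://news.example.org:443,*": {"setting": 2},
                }
            }
        }
    }
})

# Assumption: origins your organisation expects to send browser notifications.
ALLOWLIST: Set[str] = {"mail.example.com"}

SETTING_ALLOW = 1  # Chromium ContentSetting value for "allow" (assumed)


def granted_notification_origins(prefs_json: str) -> List[str]:
    """Return every origin with notification permission set to allow."""
    prefs: Dict = json.loads(prefs_json)
    exceptions = (
        prefs.get("profile", {})
        .get("content_settings", {})
        .get("exceptions", {})
        .get("notifications", {})
    )
    granted = []
    for pattern, entry in exceptions.items():
        if entry.get("setting") == SETTING_ALLOW:
            # Pattern is "<origin>,<secondary pattern>"; keep the origin only.
            granted.append(pattern.split(",")[0])
    return sorted(granted)


def hostname_of(origin: str) -> str:
    """Extract the hostname from an origin such as https://host:443."""
    return urlsplit(origin).hostname or origin


def suspicious_notification_origins(prefs_json: str,
                                    allowlist: Set[str] = ALLOWLIST) -> List[str]:
    """Granted origins whose hostname is not on the allowlist."""
    return [
        origin for origin in granted_notification_origins(prefs_json)
        if hostname_of(origin) not in allowlist
    ]


if __name__ == "__main__":
    # Run against the constructed sample; point json.loads at the real file
    # (e.g. the user's Chrome profile "Preferences") during an investigation.
    for origin in suspicious_notification_origins(SAMPLE_PREFERENCES):
        print("unexpected notification grant:", origin)
```

In an investigation the same check is worth running across every profile on the host, since a grant to an unrecognised origin is often the earliest artefact of the redirect chain the researchers describe, preceding any downloaded installer.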

Links to these pages appear at the top of search results whenever a user searches for pirated copies of a wide range of software, thanks to search engine optimization techniques. The operations, believed to be the product of an underground marketplace for paid download services, let entry-level cybercriminals set up and tailor campaigns according to the geographic regions they want to target.

These distribution networks, also known as traffic exchanges, generally require a Bitcoin payment before affiliates can create accounts and begin distributing installers. Sites such as InstallBest offer "best practice" advice, for instance warning affiliates against hosting downloaders on Cloudflare-based servers or at URLs within Discord's CDN, Bitbucket, or other cloud platforms.

In addition, the researchers found several operators that, rather than running their own malware delivery networks, act as "go-betweens" for established malvertising networks that pay website owners for traffic.

Earlier in June, a cryptocurrency-mining malware known as Crackonosh was found abusing the same technique to deploy the XMRig coin miner, silently using infected hosts' resources to mine Monero. A month later, the operators of the MosaicLoader malware were found targeting people searching for pirated software as part of a worldwide campaign to install a fully featured backdoor capable of recruiting vulnerable Windows systems into a botnet.