Making victims pay, infostealer malwares mimick pirated-software download sites

Summary:

Threat actors distributing infostealers are gaining momentum by targeting victims seeking to illegally download pirated software. Because obtaining and using pirated software is against the law, many individuals partaking in this type of behavior suspend proper scrutiny for the source of their download. As a result, whether they are good or bad people, victims across the world are paying the price with their private information for a single bad decision.

Discover the techniques being used to distribute these threats and unravel the infection chain from two different examples to understand how these malware developers operate and use the latest techniques to avoid detection.

 

Introduction:

It has been over 20 years since the launch of Napster taught the internet how to get and share digital content online, and nearly a decade since the resilient Pirate Bay torrent site began enabling visitors to find and download stolen media and unlocked or ‘cracked’ versions of software. All these years later, in spite of many lawsuits and injunctions it is still extremely common for people to download pirated software from shady shareware sites instead of buying licenses for noncommercial purposes. Today, we typically see sites hosting cracked softwares like Microsoft Office and Windows installers appearing in indexed Google search results and ad banners. 

Recently, the Zscaler ThreatLabz researchers discovered multiple ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software applications. The screenshot in Fig. 1 shows Google search results featuring these fake sites that look just like the real pirate hosting sites. Part of what makes this type of threat so successful is that it targets individuals participating in an illegal yet common activity, as such many of the users can’t identify the intent behind one makeshift pop-up site peddling illegal software downloads vs. another one hosting malware downloads. The sections that follow provide a detailed technical analysis of two different active infostealer infection chains that fall into this category. 

 

Fig 1. Fake shareware sites indexed on Google search

 

Technical Analysis Case 1

Stage 1: Redirection and Infostealer Malware Distribution

When users visit fake shareware sites and click to download, they immediately experience multiple redirects that obfuscate the process for detection by search engines, scanners, and victims, and finally deliver them to a malicious site hosting the threat actor’s intended content - an infostealer malware like the one featured in  Fig 2 below. While this process may raise eyebrows on a verified site, visitors on these back channel sites may assume that this sleight-of-hand is a normal part of how shareware sites operate.

Fig 2. Infection vector

 

After arriving at the final destination and finishing the download, the final payload received in this sample is a zip archive file <10 MB in size. In this case, the malware-hosting URL is an open directory containing more than 3000 malicious zip archive files masquerading as common types of cracked software, as shown in the Fig 3 snippet below.

Fig 3. Web directory containing thousands of malware laced zip files

 

The malware distribution pattern our researchers observed is not consistent, but we did discover that trusted sites like Mediafire as shown in Fig. 4 below, and Discord are also being used to host malware in several different campaigns.

 

Fig 4. Redirected landing phishing page 

 

Stage 2: Loader

The downloaded file is a compressed archive file that contains a password-protected zip archive and a text file disguised to contain stored passwords.

 

Fig 5. Password and Archive file

 

The password-protected zip file further contains a zip file named setup.zip of size 1.3 MB. Extracting the zip archive reveals a 0x20 and 0x00 byte padded executable file just over600 MB in size as shown in Fig. 5 below. 

 

Fig 5. File padded with irrelevant bytes

 

ThreatLabz researchers found that the padded bytes were irrelevant to running the sample file and determined that threat actor included them to evade detection by security engines. The file also contains Anti-VM and Anti-Debug checks. Following this the dumping process removes irrelevant bytes dropping the file size in this sample down from 600MB to 78 KB, as shown in Fig 6 below.

 

Fig 6: Actual file size after dumping the process

 

Once the file is executed it spawns an encoded PowerShell command that launches a cmd.exe process with a timeout of 10 secs. This timeout period is added for evading automated sandbox analysis tools. The decoded PowerShell command looks like this:

(Start-Sleep-s10;Remove-Item-Path"C:\Users\User\Desktop\Setupfinal.exe"-Force)

Once the timeout period is over the loader connects to the remote server requesting a jpg file named ‘windows.decoder.manager.form.fallout15_Uwifqzjw.jpg’, as shown in Fig. 7 below.

 

Fig 7: Loader downloading requested jpg file from the remote server

 

The downloaded jpg file looks like it is encrypted but opening it with an editor reveals that the contents are simply stored in reverse order and once the content is reversed by the malicious program, it transforms into a DLL file.

 

Stage 3: Redline Stealer

The DLL payload contains a RedLine Stealer malware that targets your stored browser history, it is obfuscated with a crypter and compiled into memory by the loader. The loader loads the DLL and replaces it with the current thread context.

This RedLine Stealer sample is designed to steal stored browser passwords, auto-complete data including credit card information, and cryptocurrency files and wallets. The implications for an unsuspecting victim trying to save money on a program they may barely intend to use can be severe resulting in financial losses, identity theft, and other forms of fraud and extortion.

 

Technical Analysis Case 2

ThreatLabz researchers also observed fake shareware sites distributing instances of the RecordBreaker Stealer malware delivered without the use of any legitimate file hosting services by instead using malware packer tools like Themida, VMprotect, and MPRESS, as found in the sample packed with Themida shown in Fig. 8 below.

 

Fig 8: Files packed with Themida/VMprotect 

 

Malware authors typically use packers and protectors for compression and to wrap the software in an extra layer of disguised code to evade detection. Packers are also growing in popularity for the anti-VM and anti-debugging techniques they offer which allow the malware to effectively navigate the system, avoid detection, and run more smoothly, as shown in the screenshots featured in Fig. 9-10 below.

 

Fig 9: API calls used for anti-debugging techniques using FindWindow API

 

Fig 10: Message box displayed to close security tools

 

After execution, the malware in this sample communicates with the C2 server and sends back the machine ID and config ID before downloading its required libraries from the remote server.

 

Fig 11: Communication with C2 server

The examined instance of RecordBreaker is designed to steal browser information from extensions, including: MetaMask, TronLink, BinanceChain, Ronin, MetaMask, MetaX, XDEFI, WavesKeeper, Solflare, Rabby, CyanoWallet, Coinbase, AuroWallet, KHC, TezBox, Coin98, Temple, ICONex, Sollet, CloverWallet, PolymeshWallet, NeoLine, Keplr, TerraStation, Liquality, SaturnWallet, GuildWallet, Phantom, TronLink, Brave, MetaMask, Ronin, MEW_CX, TON, Goby and TON using extension IDs provided from the C2 server, like the examples shown below. 

 

ejbalbakoplchlghecdalmeeeajnimhm;(MetaMask)

ibnejdfjmmkpcnlpebklmnkoeoihofec;(TronLink)

fhbohimaelbohpjbbldcngcnapndodjp;(BinanceChain)

fnjhmkhhmkbjkkabndcnnogagogbneec;(Ronin)

kjmoohlgokccodicjjfebfomlbljgfhk;(Ronin)

nkbihfbeogaeaoehlefnkodbefgpgknn;(MetaMask)

mcohilncbfahbmgdjkbpemcciiolgcge;(MetaX)

hmeobnfnfcmdkdcmlblgagmfpfboieaf;(XDEFI)

lpilbniiabackdjcionkobglmddfbcjo;(WavesKeeper)

bhhhlbepdkbapadjdnnojkbgioiodbic;(Solflare)

acmacodkjbdgmoleebolmdjonilkdbch;(Rabby)

dkdedlpgdmmkkfjabffeganieamfklkm;(CyanoWallet)

hnfanknocfeofbddgcijnmhnfnkdnaad;(Coinbase)

cnmamaachppnkjgnildpdmkaakejnhae;(AuroWallet)

hcflpincpppdclinealmandijcmnkbgn;(KHC)

mnfifefkajgofkcjkemidiaecocnkjeh;(TezBox)

aeachknmefphepccionboohckonoeemg;(Coin98)

ookjlbkiijinhpmnjffcofjonbfbgaoc;(Temple)

flpiciilemghbmfalicajoolhkkenfel;(ICONex)

fhmfendgdocmcbmfikdcogofphimnkno;(Sollet)

nhnkbkgjikgcigadomkphalanndcapjk;(CloverWallet)

jojhfeoedkpkglbfimdfabpdfjaoolaf;(PolymeshWallet)

cphhlgmgameodnhkjdmkpanlelnlohao;(NeoLine)

dmkamcknogkgcdfhhbddcghachkejeap;(Keplr)

ajkhoeiiokighlmdnlakpjfoobnjinie;(TerraStation)

aiifbnbfobpmeekipheeijimdpnlpgpp;(TerraStation)

kpfopkelmapcoipemfendmdcghnegimn;(Liquality)

nkddgncdjgjfcddamfgcmfnlhccnimig;(SaturnWallet)

nanjmdknhkinifnkgdcggcfnhdaammmj;(GuildWallet)

bfnaelmomeimhlpmgjnjophhpkkoljpa;(Phantom)

ibnejdfjmmkpcnlpebklmnkoeoihofec;(TronLink)

odbfpeeihdkbihmopkbjmoonfanlbfcl;(Brave)

ejbalbakoplchlghecdalmeeeajnimhm;(MetaMask)

kjmoohlgokccodicjjfebfomlbljgfhk;(Ronin)

nlbmnnijcnlegkjjpcfjclmcfggfefdm;(MEW_CX) 

cgeeodpfagjceefieflmdfphplkenlfk;(TON)

jnkelfanjkeadonecabehalmbgpfodjm;(Goby)

nphplpgoakhhjchkkhmiggakijnkhfnd;(TON)

 

After running, the gathered system information and installed application information is sent back to the C2 server.

Fig 12: Stealing system and installed software information 

 

This malware can also send screenshots back to the C2 server, as shown below in the post-transaction relaying desktop screenshot.

 

Fig 13: Screenshot sent back to C2 server

 

RecordBreaker leaves nothing untapped, also collecting cookies from across the victims different browsers and sending them back to the C2 server, as shown in Fig 14 below

Fig 15: Stealing browser cookies 

 

Sample downloaded files

45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll

45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll

45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll

45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll

45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll

45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll

45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll

45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll

94.158.244[.]119/U4N9B5X5F5K2A0L4L4T5/84897964387342609301.bin

 

Conclusion:

This campaign highlights how attackers take advantage of users’ behavior through the distribution of pirated software to spread infostealer malware and extort victims for financial profits and other gains.  The campaigns analyzed in this article depend on users visiting and downloading software from unscrupulous websites as the initial infection vector, users can easily prevent these unfortunate infections by avoiding this illegal practice and only visiting legitimate sites and downloading software from trustworthy sources.

 

Best Practices:

• Avoid visiting untrusted sites including those that host pirated software
• Do not install pirated software on your device
• Enable policy to block password-protected files
• Do not save credentials in the browser

 

Zscaler Cloud Sandbox Detection:

 

IOCs

These are the malicious indicators involved in this campaign, MD5s are not listed because the password-protected zip files involved generate a new MD5 with each download transaction.

 

Malicious IPs:

45[.]150[.]67[.]175

94[.]158[.]244[.]119

45[.]135[.]134[.]211

194[.]180[.]174[.]180

185[.]250[.]148[.]76

37[.]221[.]67[.]219

45[.]140[.]146[.]169

94[.]140[.]114[.]231

94[.]158[.]244[.]213

45[.]142[.]212[.]100

194[.]180[.]174[.]187

194[.]180[.]174[.]186

135[.]181[.]105[.]89

77[.]91[.]102[.]88

77[.]91[.]103[.]31

94[.]158[.]247[.]24

85[.]239[.]34[.]235

45[.]67[.]34[.]234

45[.]67[.]34[.]238

45[.]142[.]215[.]92

45[.]153[.]230[.]183

45[.]152[.]86[.]98

74[.]119[.]193[.]57

77[.]91[.]74[.]67

146[.]19[.]247[.]28

77[.]91[.]102[.]115

45[.]159[.]251[.]21

146[.]19[.]247[.]52

45[.]142[.]215[.]50

45[.]133[.]216[.]170

193[.]43[.]146[.]22

193[.]43[.]146[.]26

146[.]70[.]124[.]71

193[.]43[.]146[.]17

146[.]19[.]75[.]8

45[.]84[.]0[.]152

45[.]133[.]216[.]249

45[.]67[.]34[.]152

45[.]133[.]216[.]145

 

Fake shareware download sites:

fullcrack4u[.]com

activationskey[.]org

xproductkey[.]com

saifcrack[.]com

crackedpcs[.]com

allcracks[.]org

aryancrack[.]com

prolicensekeys[.]com

apps-for-pc[.]com

bagas3-1[.]com

seostar2[.]xyz

keygenwin[.]com

cloud27[.]xyz

allpcsoftwares[.]info

deepprostore[.]com

serialfull[.]info

steamunlocked[.]one

file-store2[.]xyz

reallkeys[.]com

fullcrackedz[.]com

softwaresdaily[.]com

officials-kmspico[.]com

hotbuckers[.]com

mycrackfree[.]com

procfullcracked[.]com

idmfullcrack[.]info

drake4[.]xyz

crackedsofts[.]info

getintopc[.]digital

piratespc[.]net

apxsoftwares[.]com

crackfullpro[.]com

allcrackhere[.]info

kuyhaa-me[.]pw

crackplaced[.]com

freepccrack[.]com

proapkcrack[.]com

crackfullpc[.]com

Free-4paid[.]com

crackedlink[.]com

crackpropc[.]com

cracktube[.]net

getmacos[.]org

getwindowsactivator[.]info

playzipgames[.]co

proactivationkey[.]com

procrackfree[.]com

showcrack[.]com

 

Redirected Malicious NRD domains:

file-store2[.]xyz

seostar2[.]xyz

drake4[.]xyz

cloud27[.]xyz

kirov1[.]xyz

unixfilesystem2[.]xyz

file-store4[.]xyz

cloud25[.]xyz

clubfiletyc[.]com

ihgatms[.]cfd

notbeexcluded[.]cfd

andslideasco[.]cfd

sonarsurveyof[.]cfd

butvelocities[.]cfd

herihed[.]cfd

largerinscale[.]cfd

itsdebri[.]cfd

lditsdebriisar[.]cfd

eeorderso[.]cfd

psestwotothr[.]cfd

uptomscan[.]cfd

fmagnitude[.]cfd

byasdebrisfie[.]cfd

ticlewesimulate[.]cfd

ergyfrommo[.]cfd

sup7podthee[.]cfd

heirreplacem[.]cfd

hthecrown[.]cfd

entbymo[.]cfd

ctswasprimarilyd[.]cfd

adsharedwi897th[.]cfd

mershadclo[.]cfd

aptersandt[.]cfd

nkstherefor[.]cfd

iruiotish[.]cfd

itishindia[.]cfd

theyt786ku[.]cfd

theritishind[.]cfd

edbythe67ak[.]cfd

panyruld[.]cfd

uslimsofbr[.]cfd

sputrey567rik[.]cfd

shatheg[.]cfd

istanmove[.]cfd

menhichs[.]cfd

upta16theu[.]cfd

andelect[.]cfd

oughtme[.]cfd

ionvictoriesin[.]cfd

anwasthere[.]cfd

ateofakist[.]cfd

egiontheh[.]cfd

ahthegha[.]cfd

mayyadc[.]cfd

emodernst[.]cfd

almofmultiple[.]cfd

ofth546ebr[.]cfd

znavidsde[.]cfd

mprisesth[.]cfd

ionthatco[.]cfd

onzeage[.]cfd

indush[.]cfd

low-lyingwh[.]cfd

nalhajarm[.]cfd

iesandb[.]cfd

helandsca[.]cfd

tsofhormuz[.]cfd

rhighest[.]cfd

rategicstrai[.]cfd

undimangen[.]cfd

ani453las[.]cfd

anceovarec[.]cfd

dcommerc[.]cfd

condandthi[.]cfd

resonherse[.]cfd

ordsexecutiv[.]cfd

oundandk[.]cfd

quezachieve[.]cfd

undertheguid[.]cfd

domainxnewma[.]com