Cybersecurity researchers have discovered multiple ongoing malware distribution campaigns that target internet users who seek to download copies of pirated software. The campaigns use SEO poisoning and malvertising to push malicious shareware sites high in Google Search results, promoting fake software along with cracks and product activation key generators. According to Zscaler, which discovered the campaigns, the software used to lure victims includes the following:
- Adobe Acrobat Pro
- 3DVista Virtual Tour Pro
- 7-Data Recovery Suite
- MAGIX Sound Force Pro
- Wondershare Dr. Fone
In many cases, the malicious executables masquerading as the promised software installers are hosted on file hosting services, so the landing pages redirect victims to other services to download the files. Some of the fake shareware websites mentioned in the IoC section of Zscaler’s report:
The redirection sites that deliver the malicious files have less fancy names and sit on “xyz” and “cfd” top-level domains. The downloaded files are archives containing a 1.3MB password-protected ZIP, to evade AV scans, and a TXT file with the password. The unpacked ZIP balloons to 600MB through byte padding, a common anti-analysis practice used by many malware authors.

The contained executable is a malware loader that spawns an encoded PowerShell command, which launches a Windows command prompt (cmd.exe) after a 10-second timeout to evade sandbox analysis. The cmd.exe process downloads a JPG file that is actually a DLL with its contents arranged in reverse. The loader re-arranges the contents into the correct order, derives the final DLL, a RedLine Stealer payload, and loads it into the current thread.

RedLine Stealer is a powerful info-stealing malware that can siphon passwords stored in web browsers, credit card data, bookmarks, cookies, cryptocurrency files and wallets, VPN credentials, computer details, and more. In some cases, Zscaler noticed that the threat actors dropped copies of the ‘RecordBreaker’ stealer malware, packed with the Themida tool for obfuscation and detection avoidance. The information targeted by RecordBreaker is similarly extensive, so the final payload doesn’t make much difference for the victims.
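Two of the artefacts described above are easy to triage on disk: a “JPG” that is really a byte-reversed DLL, and an archive member inflated with filler bytes to an implausible size. The following script is an added example written for this article, not Zscaler’s tooling or anything from the report; the sample “PE” and “JPG” bytes it analyses are constructed inline, and the 0.9 filler-ratio threshold is an assumed cut-off, not a value from the page.

```python
"""Defender-side triage for the two tricks described in the article:
a 'JPG' that is a DLL stored back to front, and a file padded to an
implausible size. Added example, not from Zscaler's report; all inputs
below are constructed for illustration."""
import struct
from collections import Counter


def analyze_blob(data: bytes) -> dict:
    """Detect a PE file stored either normally or byte-reversed.

    A PE starts with 'MZ' and keeps the 'PE\\0\\0' signature at the offset
    stored in the e_lfanew field (0x3C). A byte-reversed PE therefore
    ends with 'ZM'; reversing it back lets the same header check apply.
    """
    result = {"is_pe": False, "was_reversed": False, "restored": None}
    if len(data) < 0x40:  # too short to hold a DOS header
        return result
    if data[:2] == b"MZ":
        candidate, reversed_flag = data, False
    elif data[-2:] == b"ZM":
        candidate, reversed_flag = data[::-1], True
    else:
        return result
    e_lfanew = struct.unpack_from("<I", candidate, 0x3C)[0]
    if e_lfanew + 4 > len(candidate) or candidate[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result.update(is_pe=True, was_reversed=reversed_flag, restored=candidate)
    return result


def padding_ratio(data: bytes) -> float:
    """Fraction of the file occupied by its single most common byte value.
    A sample inflated with filler (the article's 600MB ZIP) is dominated
    by one byte, whereas real code and compressed data are not."""
    if not data:
        return 0.0
    return max(Counter(data).values()) / len(data)


def is_padded(data: bytes, threshold: float = 0.9) -> bool:
    """Flag files whose padding ratio meets the (assumed) threshold."""
    return padding_ratio(data) >= threshold


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: DOS header with the usual stub
    text, e_lfanew pointing at 0x40, then a 'PE\\0\\0' signature and a
    token COFF header. Not a real or runnable executable."""
    stub = b"This program cannot be run in DOS mode.$"      # 41 bytes
    dos_header = b"MZ" + stub + b"\0" * (0x3A - len(stub))   # 60 bytes
    dos_header += struct.pack("<I", 0x40)                    # e_lfanew
    coff = b"PE\0\0" + b"\x4c\x01" + b"\x01\x00" + b"ABCDEFGHIJKLMNOPQRSTUVWX"
    return dos_header + coff


def build_fake_jpeg() -> bytes:
    """Constructed bytes that look like a JPEG (SOI marker + JFIF tag)."""
    return b"\xff\xd8\xff\xe0" + b"JFIF" * 20


if __name__ == "__main__":
    pe = build_fake_pe()
    disguised = pe[::-1]  # the 'JPG' the loader would download
    for label, blob in [("reversed DLL as JPG", disguised),
                        ("plain DLL", pe),
                        ("real-looking JPEG", build_fake_jpeg()),
                        ("padded DLL", pe + b"\0" * 10000)]:
        r = analyze_blob(blob)
        print(f"{label:22} is_pe={r['is_pe']!s:5} reversed={r['was_reversed']!s:5} "
              f"padding={padding_ratio(blob):.2f} padded={is_padded(blob)}")
```

`analyze_blob` deliberately accepts both orientations so the same function can run over every file an analysis pipeline extracts, and `padding_ratio` works on the raw bytes rather than the archive’s declared size, so it still fires when the filler is something other than zeros.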