Hackers Lacing “Cracked Programs” With Malware

Last week, research firm Sophos delivered a report about an increase in “dropper as a service” websites offering malware-laced versions of cracked programs. The software used to lure victims is both business and consumer applications.

What is Happening?

Sophos security posted a notice this week about cybercriminals using cracked programs used to entice victims and said,

“These malware included an assortment of click fraud bots, other information stealers, and even ransomware.”

Pirated software is big business on Torrent sites and the dark web. However, now scammers are lacing fake pirated versions with malware to steal information from the people who download and install it.

One type of malware in particular that Sophos was tracking is called Raccoon Stealer.

How it Works

The security researchers found that most of the fake software is hosted on WordPress blog websites with links that redirect victims to malicious websites. According to Sophos,

the “Download buttons on these pages link to another host, passing a set of parameters that includes the package name and affiliate identifier codes to an application that then redirects the browser session to yet another intermediary site, before finally arriving at a destination.”

Sophos explains further,

“We discovered multiple networks using the same basic tactics in our research. All of these networks use search engine optimization to put a “bait” webpage on the first page of results for search engine queries seeking “crack” versions of a variety of software products.”

Luring Victims with the Bait

The ruse comes in two flavors. The first redirects users to pages with malware-laced programs, and the second brings the user to an area with free browser plugins and suspicious programs.

Upon arriving at either of the destinations, a message appears and urges the user to turn on notifications. Once they do, they continuously receive messages that their device is infected with malware with a link to fix it. If visitors click a link, they are taken to one of these malicious pages determined by “the visitor’s operating system, browser type, and geographic location.”

Sophos identified at least three unwanted applications that appear on these destination websites. They include the Raccoon Stealer, Stop ransomware, Glupteba backdoor, and some cryptocurrency mining software.

Sophos mentioned that,

“In a bit of irony, many of these malware were delivered by downloads purporting to be installers for antivirus products, including 15 we examined that claimed to be licensing-bypassed versions of the Sophos-owned HitmanPro.”

The sophisticated dynamic delivery network is the middleman between the “bait sites” and deliverables. They work so well that victims can often be caught repeatedly infecting their devices multiple times with various products.

The framework for these types of “fake alert” scams are underground software marketplaces that operate outside of the law. Although the practice is old-school, it is still very effective, especially for budding young hackers who want to make a name for themselves.

Instructions Included

Sophos explains that,

“Many of these services advertise on the same boards where they are mocked. Criminal affiliates can set up accounts quickly, but most require a deposit paid in Bitcoin before they can begin distributing installers.”

These sites include detailed instructions on how to get started using these programs along with hacker “best practices” such as “using Cloudflare-based hosts for downloaders, as well as using URLs within Discord’s CDN, Bitbucket, or other cloud services.”

The Hacker News commented that,

“On top of that, the researchers also found a number of services that, instead of offering their own malware delivery networks, act as “go-betweens” to established malvertising networks that pay website publishers for traffic. One such traffic supplier is InstallUSD, a Pakistan-based advertising network, which has been linked to a number of malware campaigns involving the cracked software sites."