Summary:
Threat actors distributing infostealers are gaining momentum by targeting victims seeking to illegally download pirated software. Because obtaining and using pirated software is against the law, many individuals partaking in this type of behavior suspend proper scrutiny for the source of their download. As a result, whether they are good or bad people, victims across the world are paying the price with their private information for a single bad decision.
Discover the techniques being used to distribute these threats and unravel the infection chain from two different examples to understand how these malware developers operate and use the latest techniques to avoid detection.
Introduction:
It has been over 20 years since the launch of Napster taught the internet how to get and share digital content online, and nearly a decade since the resilient Pirate Bay torrent site began enabling visitors to find and download stolen media and unlocked or ‘cracked’ versions of software. All these years later, in spite of many lawsuits and injunctions it is still extremely common for people to download pirated software from shady shareware sites instead of buying licenses for noncommercial purposes. Today, we typically see sites hosting cracked softwares like Microsoft Office and Windows installers appearing in indexed Google search results and ad banners.
Recently, the Zscaler ThreatLabz researchers discovered multiple ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software applications. The screenshot in Fig. 1 shows Google search results featuring these fake sites that look just like the real pirate hosting sites. Part of what makes this type of threat so successful is that it targets individuals participating in an illegal yet common activity, as such many of the users can’t identify the intent behind one makeshift pop-up site peddling illegal software downloads vs. another one hosting malware downloads. The sections that follow provide a detailed technical analysis of two different active infostealer infection chains that fall into this category.
Fig 1. Fake shareware sites indexed on Google search
Technical Analysis Case 1
Stage 1: Redirection and Infostealer Malware Distribution
When users visit fake shareware sites and click to download, they immediately experience multiple redirects that obfuscate the process for detection by search engines, scanners, and victims, and finally deliver them to a malicious site hosting the threat actor’s intended content – an infostealer malware like the one featured in Fig 2 below. While this process may raise eyebrows on a verified site, visitors on these back channel sites may assume that this sleight-of-hand is a normal part of how shareware sites operate.
Fig 2. Infection vector
After arriving at the final destination and finishing the download, the final payload received in this sample is a zip archive file <10 MB in size. In this case, the malware-hosting URL is an open directory containing more than 3000 malicious zip archive files masquerading as common types of cracked software, as shown in the Fig 3 snippet below.
Fig 3. Web directory containing thousands of malware laced zip files
The malware distribution pattern our researchers observed is not consistent, but we did discover that trusted sites like Mediafire as shown in Fig. 4 below, and Discord are also being used to host malware in several different campaigns.
Fig 4. Redirected landing phishing page
Stage 2: Loader
The downloaded file is a compressed archive file that contains a password-protected zip archive and a text file disguised to contain stored passwords.
Fig 5. Password and Archive file
The password-protected zip file further contains a zip file named setup.zip of size 1.3 MB. Extracting the zip archive reveals a 0x20 and 0x00 byte padded executable file just over600 MB in size as shown in Fig. 5 below.
Fig 5. File padded with irrelevant bytes
ThreatLabz researchers found that the padded bytes were irrelevant to running the sample file and determined that threat actor included them to evade detection by security engines. The file also contains Anti-VM and Anti-Debug checks. Following this the dumping process removes irrelevant bytes dropping the file size in this sample down from 600MB to 78 KB, as shown in Fig 6 below.
Fig 6: Actual file size after dumping the process
Once the file is executed it spawns an encoded PowerShell command that launches a cmd.exe process with a timeout of 10 secs. This timeout period is added for evading automated sandbox analysis tools. The decoded PowerShell command looks like this:
(Start-Sleep-s10;Remove-Item-Path”C:UsersUserDesktopSetupfinal.exe”-Force)
Once the timeout period is over the loader connects to the remote server requesting a jpg file named ‘windows.decoder.manager.form.fallout15_Uwifqzjw.jpg’, as shown in Fig. 7 below.
Fig 7: Loader downloading requested jpg file from the remote server
The downloaded jpg file looks like it is encrypted but opening it with an editor reveals that the contents are simply stored in reverse order and once the content is reversed by the malicious program, it transforms into a DLL file.
Stage 3: Redline Stealer
The DLL payload contains a RedLine Stealer malware that targets your stored browser history, it is obfuscated with a crypter and compiled into memory by the loader. The loader loads the DLL and replaces it with the current thread context.
This RedLine Stealer sample is designed to steal stored browser passwords, auto-complete data including credit card information, and cryptocurrency files and wallets. The implications for an unsuspecting victim trying to save money on a program they may barely intend to use can be severe resulting in financial losses, identity theft, and other forms of fraud and extortion.
Technical Analysis Case 2
ThreatLabz researchers also observed fake shareware sites distributing instances of the RecordBreaker Stealer malware delivered without the use of any legitimate file hosting services by instead using malware packer tools like Themida, VMprotect, and MPRESS, as found in the sample packed with Themida shown in Fig. 8 below.
Fig 8: Files packed with Themida/VMprotect
Malware authors typically use packers and protectors for compression and to wrap the software in an extra layer of disguised code to evade detection. Packers are also growing in popularity for the anti-VM and anti-debugging techniques they offer which allow the malware to effectively navigate the system, avoid detection, and run more smoothly, as shown in the screenshots featured in Fig. 9-10 below.
Fig 9: API calls used for anti-debugging techniques using FindWindow API
Fig 10: Message box displayed to close security tools
After execution, the malware in this sample communicates with the C2 server and sends back the machine ID and config ID before downloading its required libraries from the remote server.
Fig 11: Communication with C2 server
The examined instance of RecordBreaker is designed to steal browser information from extensions, including: MetaMask, TronLink, BinanceChain, Ronin, MetaMask, MetaX, XDEFI, WavesKeeper, Solflare, Rabby, CyanoWallet, Coinbase, AuroWallet, KHC, TezBox, Coin98, Temple, ICONex, Sollet, CloverWallet, PolymeshWallet, NeoLine, Keplr, TerraStation, Liquality, SaturnWallet, GuildWallet, Phantom, TronLink, Brave, MetaMask, Ronin, MEW_CX, TON, Goby and TON using extension IDs provided from the C2 server, like the examples shown below.
ejbalbakoplchlghecdalmeeeajnimhm;(MetaMask)
ibnejdfjmmkpcnlpebklmnkoeoihofec;(TronLink)
fhbohimaelbohpjbbldcngcnapndodjp;(BinanceChain)
fnjhmkhhmkbjkkabndcnnogagogbneec;(Ronin)
kjmoohlgokccodicjjfebfomlbljgfhk;(Ronin)
nkbihfbeogaeaoehlefnkodbefgpgknn;(MetaMask)
mcohilncbfahbmgdjkbpemcciiolgcge;(MetaX)
hmeobnfnfcmdkdcmlblgagmfpfboieaf;(XDEFI)
lpilbniiabackdjcionkobglmddfbcjo;(WavesKeeper)
bhhhlbepdkbapadjdnnojkbgioiodbic;(Solflare)
acmacodkjbdgmoleebolmdjonilkdbch;(Rabby)
dkdedlpgdmmkkfjabffeganieamfklkm;(CyanoWallet)
hnfanknocfeofbddgcijnmhnfnkdnaad;(Coinbase)
cnmamaachppnkjgnildpdmkaakejnhae;(AuroWallet)
hcflpincpppdclinealmandijcmnkbgn;(KHC)
mnfifefkajgofkcjkemidiaecocnkjeh;(TezBox)
aeachknmefphepccionboohckonoeemg;(Coin98)
ookjlbkiijinhpmnjffcofjonbfbgaoc;(Temple)
flpiciilemghbmfalicajoolhkkenfel;(ICONex)
fhmfendgdocmcbmfikdcogofphimnkno;(Sollet)
nhnkbkgjikgcigadomkphalanndcapjk;(CloverWallet)
jojhfeoedkpkglbfimdfabpdfjaoolaf;(PolymeshWallet)
cphhlgmgameodnhkjdmkpanlelnlohao;(NeoLine)
dmkamcknogkgcdfhhbddcghachkejeap;(Keplr)
ajkhoeiiokighlmdnlakpjfoobnjinie;(TerraStation)
aiifbnbfobpmeekipheeijimdpnlpgpp;(TerraStation)
kpfopkelmapcoipemfendmdcghnegimn;(Liquality)
nkddgncdjgjfcddamfgcmfnlhccnimig;(SaturnWallet)
nanjmdknhkinifnkgdcggcfnhdaammmj;(GuildWallet)
bfnaelmomeimhlpmgjnjophhpkkoljpa;(Phantom)
ibnejdfjmmkpcnlpebklmnkoeoihofec;(TronLink)
odbfpeeihdkbihmopkbjmoonfanlbfcl;(Brave)
ejbalbakoplchlghecdalmeeeajnimhm;(MetaMask)
kjmoohlgokccodicjjfebfomlbljgfhk;(Ronin)
nlbmnnijcnlegkjjpcfjclmcfggfefdm;(MEW_CX)
cgeeodpfagjceefieflmdfphplkenlfk;(TON)
jnkelfanjkeadonecabehalmbgpfodjm;(Goby)
nphplpgoakhhjchkkhmiggakijnkhfnd;(TON)
After running, the gathered system information and installed application information is sent back to the C2 server.
Fig 12: Stealing system and installed software information
This malware can also send screenshots back to the C2 server, as shown below in the post-transaction relaying desktop screenshot.
Fig 13: Screenshot sent back to C2 server
RecordBreaker leaves nothing untapped, also collecting cookies from across the victims different browsers and sending them back to the C2 server, as shown in Fig 14 below
Fig 15: Stealing browser cookies
Sample downloaded files
45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll
45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll
45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll
45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll
45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll
45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll
45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll
45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll
94.158.244[.]119/U4N9B5X5F5K2A0L4L4T5/84897964387342609301.bin
Conclusion:
This campaign highlights how attackers take advantage of users’ behavior through the distribution of pirated software to spread infostealer malware and extort victims for financial profits and other gains. The campaigns analyzed in this article depend on users visiting and downloading software from unscrupulous websites as the initial infection vector, users can easily prevent these unfortunate infections by avoiding this illegal practice and only visiting legitimate sites and downloading software from trustworthy sources.
Best Practices:
- Avoid visiting untrusted sites including those that host pirated software
- Do not install pirated software on your device
- Enable policy to block password-protected files
- Do not save credentials in the browser
Zscaler Cloud Sandbox Detection:
IOCs
These are the malicious indicators involved in this campaign, MD5s are not listed because the password-protected zip files involved generate a new MD5 with each download transaction.
Malicious IPs:
45[.]150[.]67[.]175
94[.]158[.]244[.]119
45[.]135[.]134[.]211
194[.]180[.]174[.]180
185[.]250[.]148[.]76
37[.]221[.]67[.]219
45[.]140[.]146[.]169
94[.]140[.]114[.]231
94[.]158[.]244[.]213
45[.]142[.]212[.]100
194[.]180[.]174[.]187
194[.]180[.]174[.]186
135[.]181[.]105[.]89
77[.]91[.]102[.]88
77[.]91[.]103[.]31
94[.]158[.]247[.]24
85[.]239[.]34[.]235
45[.]67[.]34[.]234
45[.]67[.]34[.]238
45[.]142[.]215[.]92
45[.]153[.]230[.]183
45[.]152[.]86[.]98
74[.]119[.]193[.]57
77[.]91[.]74[.]67
146[.]19[.]247[.]28
77[.]91[.]102[.]115
45[.]159[.]251[.]21
146[.]19[.]247[.]52
45[.]142[.]215[.]50
45[.]133[.]216[.]170
193[.]43[.]146[.]22
193[.]43[.]146[.]26
146[.]70[.]124[.]71
193[.]43[.]146[.]17
146[.]19[.]75[.]8
45[.]84[.]0[.]152
45[.]133[.]216[.]249
45[.]67[.]34[.]152
45[.]133[.]216[.]145
Fake shareware download sites:
fullcrack4u[.]com
activationskey[.]org
xproductkey[.]com
saifcrack[.]com
crackedpcs[.]com
allcracks[.]org
aryancrack[.]com
prolicensekeys[.]com
apps-for-pc[.]com
bagas3-1[.]com
seostar2[.]xyz
keygenwin[.]com
cloud27[.]xyz
allpcsoftwares[.]info
deepprostore[.]com
serialfull[.]info
steamunlocked[.]one
file-store2[.]xyz
reallkeys[.]com
fullcrackedz[.]com
softwaresdaily[.]com
officials-kmspico[.]com
hotbuckers[.]com
mycrackfree[.]com
procfullcracked[.]com
idmfullcrack[.]info
drake4[.]xyz
crackedsofts[.]info
getintopc[.]digital
piratespc[.]net
apxsoftwares[.]com
crackfullpro[.]com
allcrackhere[.]info
kuyhaa-me[.]pw
crackplaced[.]com
freepccrack[.]com
proapkcrack[.]com
crackfullpc[.]com
Free-4paid[.]com
crackedlink[.]com
crackpropc[.]com
cracktube[.]net
getmacos[.]org
getwindowsactivator[.]info
playzipgames[.]co
proactivationkey[.]com
procrackfree[.]com
showcrack[.]com
Redirected Malicious NRD domains:
file-store2[.]xyz
seostar2[.]xyz
drake4[.]xyz
cloud27[.]xyz
kirov1[.]xyz
unixfilesystem2[.]xyz
file-store4[.]xyz
cloud25[.]xyz
clubfiletyc[.]com
ihgatms[.]cfd
notbeexcluded[.]cfd
andslideasco[.]cfd
sonarsurveyof[.]cfd
butvelocities[.]cfd
herihed[.]cfd
largerinscale[.]cfd
itsdebri[.]cfd
lditsdebriisar[.]cfd
eeorderso[.]cfd
psestwotothr[.]cfd
uptomscan[.]cfd
fmagnitude[.]cfd
byasdebrisfie[.]cfd
ticlewesimulate[.]cfd
ergyfrommo[.]cfd
sup7podthee[.]cfd
heirreplacem[.]cfd
hthecrown[.]cfd
entbymo[.]cfd
ctswasprimarilyd[.]cfd
adsharedwi897th[.]cfd
mershadclo[.]cfd
aptersandt[.]cfd
nkstherefor[.]cfd
iruiotish[.]cfd
itishindia[.]cfd
theyt786ku[.]cfd
theritishind[.]cfd
edbythe67ak[.]cfd
panyruld[.]cfd
uslimsofbr[.]cfd
sputrey567rik[.]cfd
shatheg[.]cfd
istanmove[.]cfd
menhichs[.]cfd
upta16theu[.]cfd
andelect[.]cfd
oughtme[.]cfd
ionvictoriesin[.]cfd
anwasthere[.]cfd
ateofakist[.]cfd
egiontheh[.]cfd
ahthegha[.]cfd
mayyadc[.]cfd
emodernst[.]cfd
almofmultiple[.]cfd
ofth546ebr[.]cfd
znavidsde[.]cfd
mprisesth[.]cfd
ionthatco[.]cfd
onzeage[.]cfd
indush[.]cfd
low-lyingwh[.]cfd
nalhajarm[.]cfd
iesandb[.]cfd
helandsca[.]cfd
tsofhormuz[.]cfd
rhighest[.]cfd
rategicstrai[.]cfd
undimangen[.]cfd
ani453las[.]cfd
anceovarec[.]cfd
dcommerc[.]cfd
condandthi[.]cfd
resonherse[.]cfd
ordsexecutiv[.]cfd
oundandk[.]cfd
quezachieve[.]cfd
undertheguid[.]cfd
domainxnewma[.]com