Cracked Software Spreading Malware Across Traffic Exchange Networks

A new type of attack has been discovered that uses malware disguised as cracked software to spread

Cracked Software Spreading Malware Across Traffic Exchange Networks
Cracked Software Spreading Malware Across Traffic Exchange Networks | Image Credits: CSO Online

Cybersecurity researchers identified a new campaign that takes advantage of a network of websites to operate as a dropper as a service. This is done by threat actors in order to send a package of malware payloads to victims who are hunting for pirated software on the internet.

Many of these attacks take use of bait pages hosted on WordPress, which contain download links to malicious software packages such as Stop Ransomware, Raccoon Stealer, and the Gluepteba Backdoor, among other things. Even while the downloaded software looks to be an antivirus solution, it is actually malware, such as crypto miners, that is designed to look and act like an antivirus application.

According to Sopho's research, "These malware included an assortment of clickfraud bots, other information stealers, and even ransomware. While the Raccoon Stealer campaign we tracked on these sites took place between January and April, 2021, we continue to see malware and other malicious content distributed through the same network of sites. Multiple front-end websites targeting individuals seeking “cracked” versions of popular consumer and enterprise software packages link into a network of domains used to redirect the victim to the payload designed for their platform."

Using cracked or nulled software may lead to serious issues

Appearing at the top of search results for the websites of a variety of software apps, links are the consequence of the application of search engine optimization (SEO) strategies. Cyber actors of lower skill levels might customise their campaigns depending on regional targeting after downloading the paid services available on the dark web.

Because of the distribution network's use of the digital currency Bitcoin for registration and transaction, traffic exchanges often require Bitcoin payments. Before an affiliate can begin distributing installers, InstallBest suggests that members avoid using hosts with Cloudflare services, while also mentioning that CDN URLs can be found on Bitbucket and other cloud platforms.

The study also uncovered links to older, established malvertising networks. These networks reward website owners for visitors and pay them in exchange for forwarding customers to other sites that serve as intermediaries. One of the many advertising networks known to distribute malware is InstallUSD, based in Pakistan, which has been associated with a number of malware campaigns involving cracked software sites.