To shed some light on the everlasting “bundled malware” threat, Sophos researchers recently performed a thorough investigation on a network of websites related to an ongoing Racoon infostealer campaign, acting as a “dropper as a service.” This network distributed a variety of malware packages, “often bundling unrelated malware together in a single dropper,” including clickfraud bots, other infostealers, and ransomware.
The Everlasting Threat of Cracked Software Packages
While the Raccoon Stealer campaign Sophos tracked on these sites happened between January and April, 2021, the researchers still observe malware and other malicious content distributed through the same network of sites. “Multiple front-end websites targeting individuals seeking “cracked” versions of popular consumer and enterprise software packages link into a network of domains used to redirect the victim to the payload designed for their platform,” the report noted.
In fact, many networks apply the same basic tactics, such as using SEO (search engine optimization) to place a bait page on the first past of results related to specific search queries. These queries often include the crack versions of various software products. It should be noted that during the analysis of the Racoon infostealer campaign, Sophos came across numerous information stealers, clickfraud bots, as well as the Conti and STOP ransomware.
Previous Sophos discoveries related to the way Raccoon propagates in the wild revealed a YouTube channel with video about wares, or pirated software. The researchers also came across samples in telemetry rooted with two specific domains: gsmcracktools.blogspot.com and procrackerz.org.
The malicious sites are typically advertised as repositories of cracked legitimate software packages. However, the files delivered in the campaign were actually masqueraded as droppers. If the potential victim clicks on a link to download such a file, they get through a set of redirector JavaScripts hosted on Amazon Web Services. Then, the victim is sent to one of multiple download locations that deliver various versions of the dropper.
A Look into Malicious Bait Pages and Traffic Exchange Networks
The analyzed attacks utilize numerous bait pages mainly hosted on WordPress. These pages contain download links to software packaged which create a series of redirects upon clicking.
“Download buttons on these pages link to another host, passing a set of parameters that includes the package name and affiliate identifier codes to an application that then redirects the browser session to yet another intermediary site, before finally arriving at a destination,” Sophos said.
Some bait pages redirect to download sites hosting packaged archive that contains malware, while others are laced with browser plugins and potentially unwanted applications (PUAs).
In many cases, page visitors are prompted to allow push notifications. If these are allowed, the pages will start triggering fake malware alerts. If the alerts are clicked, then the user is taken through a series of redirects and sites until arriving at a destination determined by the visitor’s OS, browser type, and geographic location.
What did the researchers discover in terms of malware?
These download campaigns propagate a variety of PUAs and malware, including installers for STOP ransomware, the Glupteba backdoor, and numerous cryptocurrency miners and infostealers. Many of these fake downloads purported to be installers for antivirus programs, some of which claimed to be licensing-bypassed versions of HitmanPro, owned by Sophos.
Dropper packages and malware delivery platforms have been around for a long time, but they continue to thrive because of the same sort of market dynamics as those that make stealers as a service so profitable, the report concluded. Thanks to these, even inexperienced threat actors can propagate malware.