![]() ![]() For one, it periodically checks the content of the clipboard. This script is quite large and very heavily obfuscated, but after a closer examination, it does only a few elementary operations. The script has been usually dropped to the AppData\Roaming\ServiceGet\ folder and scheduled to run automatically at a predefined time. ![]() The AutoIt compiler for the case is not present on the user’s computer and the AutoIt script. In addition to stealing sensitive personal information as described above, some of the samples also preserved persistence by dropping two additional files. Both of these techniques were exclusively targeted at stealing crypto-related information, which we’ll now describe in more detail. ![]() ![]() The delivered stealer malware using two persistence techniques. The encrypted ZIP contains all information mentioned previously, like the information about the system, installed software, screenshot and data collected from the browser including passwords or private data of crypto extensions.įigure 4: Zip password hardcoded in the binary Persistence techniques However, the ZIP file encryption key is hardcoded into the binary, so getting the content is not difficult. The data has been exfiltrated in encrypted ZIP format to C2 servers. Data from electronic wallets are also being collected. These eight samples exhibit stealers' activities, focusing on scanning the user's PC and collecting private information from the browsers, such as passwords or credit card data. We collected eight different executables that were distributed by this campaign. This ZIP usually contains a single executable file, typically named setup.exe or cracksetup.exe. This ZIP is encrypted with a simple password (usually 1234) which prevents the file from being analyzed by antivirus software. An example of the landing page is shown below.Īfter accessing the provided link, the ZIP file is downloaded. The file sharing services abused in this campaign include, for example, the Japanese file sharing or. All of them offer a link to a legitimate file share platform, which contains a malware ZIP file. The landing page has different visual forms. Overall, Avast has protected roughly 10,000 users from being infected daily who are located primarily in Brazil, India, Indonesia, and France.įigure 1: Protected users on the whole delivery infrastructure (1 day period) These cfd domains serve as a redirector as well as a landing page. The redirect leads to another page using the cfd top-level domain. This domain usually only serves as a redirector. The first type of domain uses the pattern freefilesXX.xyz, where XX are digits. These domains have a similar pattern and are registered on Cloudflare using a few name servers. After clicking on the link, the user is redirected through a network of domains to the landing page. What's interesting about this infrastructure is its scale. Next, a link leads to an extensive infrastructure that delivers malware. This technique is known as the Black SEO mechanism exploiting search engine indexing techniques. The vast majority of the results on the first page lead to compromised crack sites, and users end up downloading malware instead of the crack. All these sites are placed in the highest positions in search engine results. The infection chain starts on dubious sites that supposedly offer cracked versions of well-known and used software, such as games, office programs, or programs for downloading multimedia content. Interested in knowing more? Let’s dive a bit deeper. The bad actors behind the campaign have utilized a vast infrastructure to deliver malware and steal personal and other sensitive data, including crypto assets. This is precisely how the newly emerged FakeCrack campaign is doing its business, enticing users into downloading fake cracked software. When you accidentally download malicious cracked software, attackers can take everything you have on your PC, and you’ll end up without your sensitive personal data and even without the software that you were trying to download in the first place. Users who download cracked software risk sensitive personal data being stolen by hackers.Īre you interested in downloading free, cracked software? If so, you should know what you’re getting into. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |