A campaign to leverage a network of websites has been actively operating against websites that act as “droppers as a service” in distributing bundles of malware payload toward its targets, searching for cracked versions of consumer and business applications.
According to cybersecurity researchers, the said malware comprises assorted click fraud bots and other information stealers. It even includes ransomware.
These attacks are distributed through posing as download links on a blog-hosting site called WordPress. Upon clicking, the victims will be redirected to a completely different website that carries malicious and unwanted browser plugins and malware. Examples are the various suspicious cryptocurrency mining tools that act as antivirus software, Raccoon Stealer malware, Glupteba backdoor, Stop ransomware, and more.
Researchers also added that the victims who fall into these traps are required to allow notifications setting so that the website could constantly send fake malware alerts and redirect victims through websites that will take them into a specific destination that’s identified through the browser type, operating system, and exact geographic location of the victim.
As people search online for the pirated versions of any software application, the SEO or search engine optimization technique could be a great way to show malicious links on the first page of search results.
The distribution infrastructure is also called traffic exchanges. It usually involves payment via Bitcoin before its users can create accounts and begin delivering the installers. InstallBest is a sample of a site that recommends against the use of Cloudflare-based hosts for downloaders. It also advises against utilizing links within Discord’s CDN and some other cloud platforms.
Researchers have also discovered several services that act as the “go-betweens” in forming malvertising networks that pay for traffic rather than extending their malware delivery networks. InstallUSD is an example of this traffic supplier.
It is an advertising network located in Pakistan and is connected to many malware payload campaigns that link to the cracked software sites.
It is not the first time for “warez” websites or the sites which distribute malware all over the internet to be used by threat actors as infection vectors. A cryptocurrency miner called Crackonosh was reported to be overusing this method last June, as it tries to install a coin miner package called XMRig to exploit the victim’s resources in mining Monero. And then, in July, MosaicLoader malware’s threat actors are attacking victims that search for cracked versions of software in a campaign to deploy a backdoor capable of binding Windows systems into the botnet.