Fake pirated software sites serve up malware droppers as a service – Stop ransomware and Glupteba backdoor

Special delivery
“Traffic exchanges” are an old standby of malware campaigns. Often mocked on underground boards as old-fashioned, these marketplaces for “software installs” are still part of the toolkit for a variety of malware actors and other cybercriminals, particularly for entry-level criminals with very few skills who want to spread malware.

Many of these services advertise on the same boards where they are mocked. Criminal affiliates can set up accounts quickly, but most require a deposit paid in Bitcoin before they can begin distributing installers. InstallBest (on installs[.]info, shown below), is hosted in Russia. The site provides very direct instructions on how to get started, in Russian and English.
The site also offers some advice on “best practices,” recommending against using Cloudflare-based hosts for downloaders, as well as using URLs within Discord’s CDN , Bitbucket, or other cloud services. As evidenced by our discovery of some of these installers on Discord, affiliates don’t always heed this advice.
Once the affiliate deposits Bitcoin, they can set up campaigns using a simple web form.
The form allows for the selection of specific geographic distribution areas, charging more for targets in the United States, Canada, and Australia.
For two dollars a drop, you can buy 1,000 downloads through this service’s distribution chain.
Another Russian-based site, shop1[.]host, promoted on underground web boards, is apparently pivoting as it claims to be putting its payment system into maintenance for “a month or two.”

Malware middlemen
Some of these services provide their own delivery networks. Others simply act as go-betweens to established traffic suppliers, including malvertising networks that pay blog publishers for traffic.

One of these, tied to several of the malware campaigns we found hosted on the “cracked” software blogs, was powered in part by InstallUSD, an advertising network based in Pakistan which promises a payment of up to $5 US for every software install delivered.

InstallUSD’s site allowed site owners to register to publish download links, but required them to complete registration through Skype chat with a “publishers manager,” referred to as Jamashad. We attempted to contact InstallUSD about their program, but received no response.

Further investigation of InstallUSD uncovered a Facebook page for the group. A phone number provided on the organization’s Facebook page is also connected to a Facebook page for WorkingKeys[.]org, a website that purports to host cracked software downloads. In fact, that site also is connected to InstallUSD through the links that lead to the malware.

The WorkingKeys website’s domain name servers (ns1.installusd.online and ns2.installusd.online) also act as domain name servers for about 150 other domains with names related to cracked software. Some of them are inactive, and some have no outbound links to downloads, but several of them are serving up malware.

As we investigated the other malicious websites tied to droppers-as-a-service, we found many of them were connected to InstallUSD’s malvertising infrastructure.

Following the downloads
Method 1: InstallUSD affiliate system
A group of eight of our initial group of 15 “bait” blogs connected to infrastructure we tied to the InstallUSD install-as-a-service network.
These sites had download buttons driven by a remote JavaScript that redirected visitors through a series of sites, including trackers that checked campaign-related information and generated redirects based on verification of the inbound link and assessment of the operating system and browser information from the User-Agent headers sent with each request.
The tracker sites, and many of the bait blogs, were behind Cloudflare’s CDN, and almost all were registered through Namecheap.

If a user tried to download the files using a mobile, MacOS, or Linux browser, or if they had browser security plugins installed, the redirects would lead to a different monetizing destination:

-A fake alert for mobile devices promoting the installation of a VPN or security app
-A page insisting the user install a browser plug-in to view content
-“Captcha” pages that required allowing notifications be enabled, which led to fake malware alert notifications spamming to the target system
-Redirects through other affiliate programs for paid traffic, including bogus Yahoo news pages, adult web games, and “dating” sites

The JavaScript that controlled the behavior of the download button on these eight sites came from a number of different source servers, but they all had the same basic signature. First, they opened a new browser tab using forwarding links passed through referral proxies—sites intended to create “anonymous” links (that scrubbed the forward of any referrer reference to the originating site). In early investigations, this refer proxy was nullrefer[.]com; By late July and August, the scripts providing the forwarding changed to the proxy href[.]li (a service operated by WordPress’ parent company, Automattic).

The destination site embedded in the request to the referral proxies were concealed in HTTPS, which concealed the actual destination from inspection by browser security tools. Also embedded in the destination URL were base64-encoded text that pointed to a common command and control server.

The cross-site scripts loaded for the download buttons on these sites were fairly uniform. They were all generated dynamically based on data passed as part of the URL source for the script.

Download Plan B
Some of the disrupted sites did not shift to the new infrastructure. Instead, using the same scripting hosts they had originally pointed to, they received JavaScript that launched an abbreviated version of the original redirect system, linking to a tracker server that redirected directly to the download server for the payload. Some did not use the href.li redirector.
The URL for retrieving the button script contains three variables: “s” (an integer identifying the source of the link), “q”(the name of the download), and “g” (another integer unique to the source “blog”).

A function named “getThere” opens a new browser window with a URL pointing at the tracker server. The URL follows this format.
A smaller number of sites had this style link embedded in the page code, either in a JavaScript function connected to the button or as a raw link. However, the sites that had a raw link associated with the button had HTML artifacts that suggested the link may have been rendered by a back-end PHP plug-in—concealing the connection to the C2 providing the scripts behind the server.

The new tracker site itself did not appear to inspect the browser User-Agent; we reached the intended payload for Windows from a variety of browser agent types. However, some of the download servers did their own check, and a click on the download button from a non-Windows agent yielded a redirect to another monetizing link, such as a fake alert or “naughty dating” site. These sites were localized by the IP range the browser was visiting from as well.

Another set of servers implemented a different set of JavaScript.

Sign Up For Threat Alerts

Threats Icon

Aug 08, 2022

RapperBot – new evolving malware

FortiGuard Labs has been tracking a rapidly evolving IoT malware family known as "RapperBot". This...

Threats Icon

Aug 04, 2022

Google Drive And Dropbox Used By APT29...

Cloaked Ursa (aka: APT29) has been targeting governmental entities in several countries with spear-phishing campaigns...

Threats Icon

Aug 03, 2022

Manjusaka: A Chinese sibling of Sliver and...

Cisco Talos recently discovered a new attack framework called "Manjusaka" being used in the wild...

Threats Icon

Aug 03, 2022

macOS Targeted With The CloudMensis Multi-Staged Malware

ESET researchers discovered a previously unknown macOS backdoor that spies on users of the compromised...

Threats Icon

Aug 01, 2022

Attackers Target Ukraine With GoMet Backdoor

Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 31, 2022

Untangling KNOTWEED: European private-sector offensive actor using...

The Microsoft Threat Intelligence Center (MSTIC) and the Microsoft Security Response Center (MSRC) found a...

Threats Icon

Jul 26, 2022

EvilNum Targets Cryptocurrency, Forex, Commodities

Proofpoint Threat Research observed the group Proofpoint calls TA4563 targeting various European financial and investment...

Threats Icon

Jul 25, 2022

Lightning Framework: New Undetected “Swiss Army Knife”...

Lightning is a previously undocumented and undetected Linux threat. Lightning is a modular framework we...

Threats Icon

Jul 24, 2022

Redeemer Ransomware

Redeemer 2.0 Being Distributed Via Affiliate Program Cyble Research Labs has constantly been tracking emerging...

Threats Icon

Jul 21, 2022

Cobalt Strikes again: UAC-0056 continues to target...

The Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that...

Threats Icon

Jul 20, 2022

Trello From the Other Side: APT29 Phishing...

Beginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic...

Threats Icon

Jul 18, 2022

New OrBit Linux Malware That Hijacks Execution...

New and entirely undetected Linux threat dubbed OrBit, signally a growing trend of malware attacks...

Threats Icon

Jul 18, 2022

North Korean threat actor targets small and...

A group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks...

Threats Icon

Jul 13, 2022

ChromeLoader – New Stubborn Malware Campaign

A new browser hijacker/adware campaign named ChromeLoader (also known as Choziosi Loader and ChromeBack) was...