Special delivery
“Traffic exchanges” are an old standby of malware campaigns. Often mocked on underground boards as old-fashioned, these marketplaces for “software installs” are still part of the toolkit for a variety of malware actors and other cybercriminals, particularly for entry-level criminals with very few skills who want to spread malware.
Many of these services advertise on the same boards where they are mocked. Criminal affiliates can set up accounts quickly, but most require a deposit paid in Bitcoin before they can begin distributing installers. InstallBest (on installs[.]info, shown below) is hosted in Russia. The site provides very direct instructions on how to get started, in Russian and English.
The site also offers some “best practices” advice, recommending against hosting downloaders on Cloudflare-fronted hosts or at URLs on Discord’s CDN, Bitbucket, or other cloud services. As evidenced by our discovery of some of these installers on Discord, affiliates don’t always heed this advice.
Once the affiliate deposits Bitcoin, they can set up campaigns using a simple web form.
The form allows for the selection of specific geographic distribution areas, charging more for targets in the United States, Canada, and Australia.
For two dollars a drop, you can buy 1,000 downloads through this service’s distribution chain.
Another Russian-based site, shop1[.]host, promoted on underground web boards, is apparently pivoting as it claims to be putting its payment system into maintenance for “a month or two.”
Malware middlemen
Some of these services provide their own delivery networks. Others simply act as go-betweens to established traffic suppliers, including malvertising networks that pay blog publishers for traffic.
One of these, tied to several of the malware campaigns we found hosted on the “cracked” software blogs, was powered in part by InstallUSD, an advertising network based in Pakistan which promises a payment of up to $5 US for every software install delivered.
InstallUSD’s site allowed site owners to register to publish download links, but required them to complete registration through Skype chat with a “publishers manager,” referred to as Jamashad. We attempted to contact InstallUSD about their program, but received no response.
Further investigation of InstallUSD uncovered a Facebook page for the group. A phone number provided on the organization’s Facebook page is also connected to a Facebook page for WorkingKeys[.]org, a website that purports to host cracked software downloads. That site is also connected to InstallUSD through its download links, which lead to the malware.
The WorkingKeys website’s name servers (ns1.installusd.online and ns2.installusd.online) also act as name servers for about 150 other domains with names related to cracked software. Some of them are inactive, and some have no outbound links to downloads, but several of them are serving up malware.
As we investigated the other malicious websites tied to droppers-as-a-service, we found many of them were connected to InstallUSD’s malvertising infrastructure.
Following the downloads
Method 1: InstallUSD affiliate system
A group of eight of our initial group of 15 “bait” blogs connected to infrastructure we tied to the InstallUSD install-as-a-service network.
These sites had download buttons driven by a remote JavaScript that redirected visitors through a series of sites, including trackers that checked campaign-related information and generated redirects based on verification of the inbound link and on the operating system and browser identified from the User-Agent header sent with each request.
The tracker sites, and many of the bait blogs, were behind Cloudflare’s CDN, and almost all were registered through Namecheap.
If a user tried to download the files using a mobile, macOS, or Linux browser, or if they had browser security plugins installed, the redirects would lead to a different monetizing destination:
- A fake alert for mobile devices promoting the installation of a VPN or security app
- A page insisting the user install a browser plug-in to view content
- “Captcha” pages that required the user to allow browser notifications, which were then used to spam fake malware alerts to the target system
- Redirects through other affiliate programs for paid traffic, including bogus Yahoo news pages, adult web games, and “dating” sites
The JavaScript that controlled the behavior of the download button on these eight sites came from a number of different source servers, but they all had the same basic signature. First, they opened a new browser tab using forwarding links passed through referrer proxies, sites intended to create “anonymous” links by stripping the referrer from the forwarded request so the destination cannot see the originating site. In early investigations, this referrer proxy was nullrefer[.]com; by late July and August, the scripts providing the forwarding had changed to the proxy href[.]li (a service operated by WordPress’ parent company, Automattic).
The destination site embedded in the request to the referrer proxy was carried inside HTTPS, which concealed the actual destination from security tools inspecting the traffic. The destination URL also carried base64-encoded text that pointed to a common command and control server.
The cross-site scripts loaded for the download buttons on these sites were fairly uniform. They were all generated dynamically from parameters passed in the script’s source URL.
Download Plan B
Some of the disrupted sites did not shift to the new infrastructure. Instead, from the same scripting hosts they had originally pointed to, they received JavaScript that launched an abbreviated version of the original redirect system, linking to a tracker server that redirected directly to the download server for the payload. Some did not use the href.li redirector at all.
The URL for retrieving the button script contains three variables: “s” (an integer identifying the source of the link), “q” (the name of the download), and “g” (another integer unique to the source “blog”).
A function named “getThere” opens a new browser window with a URL pointing at the tracker server. The URL follows this format.
A smaller number of sites had this style of link embedded in the page code, either in a JavaScript function connected to the button or as a raw link. However, the sites that had a raw link associated with the button had HTML artifacts that suggested the link may have been rendered by a back-end PHP plug-in, hiding the connection to the C2 that provides the scripts behind the web server.
The new tracker site itself did not appear to inspect the browser User-Agent; we reached the intended payload for Windows from a variety of browser agent types. However, some of the download servers did their own check, and a click on the download button from a non-Windows agent yielded a redirect to another monetizing link, such as a fake alert or “naughty dating” site. These monetizing pages were also localized by the IP range the visitor came from.
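The redirect chain described in the two sections above (referrer-proxy wrapping, base64-encoded text in the destination URL, User-Agent gating, and the s / q / g parameters in the button-script URL) can be triaged with a few small helpers. The following is an added example written for this page, not code from the original article or from the actors’ scripts. What it takes from the page: the proxy hostnames href.li and nullrefer.com, the s / q / g parameter names, and the Windows-versus-everything-else gating. What it assumes: that the proxies carry the target URL as the raw query string (`https://href.li/?https://target/...`), the parameter name `r` for the base64 value, the lane names, and the sample link itself, which is constructed and points at no real infrastructure.

```python
"""Triage helpers for a download-button redirect chain (added example, not the article's code)."""
import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote, urlparse

# Referrer proxies named on the page; they strip the referrer so the tracker
# cannot see which bait blog sent the visitor.
REFERRER_PROXIES = {"href.li", "nullrefer.com"}

# Loose base64 alphabet (standard and URL-safe). Short values are not worth decoding.
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{8,}$")


def unwrap_referrer_proxy(url: str) -> str:
    """Return the real destination behind href.li / nullrefer style wrappers.

    Assumption: the wrapper form is https://href.li/?<destination>. Nested
    wrappers (one proxy pointing at another) are unwrapped recursively.
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host.startswith("www."):
        host = host[4:]
    if host in REFERRER_PROXIES:
        target = unquote(parsed.query)
        if target.startswith(("http://", "https://")):
            return unwrap_referrer_proxy(target)
    return url


def decode_b64_text(value: str):
    """Decode value as base64 if it yields printable ASCII; otherwise return None.

    urlsafe_b64decode accepts both alphabets, so one decoder covers both.
    """
    if not B64_RE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
    except (binascii.Error, ValueError):
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def hidden_urls(url: str) -> dict:
    """Query parameters whose base64-decoded value is itself a URL (candidate C2)."""
    found = {}
    for name, value in parse_qsl(urlparse(url).query, keep_blank_values=True):
        text = decode_b64_text(value)
        if text and text.startswith(("http://", "https://")):
            found[name] = text
    return found


def campaign_ids(url: str) -> dict:
    """Pull the s / q / g parameters the page describes from a script or tracker URL."""
    params = dict(parse_qsl(urlparse(url).query))
    return {key: params.get(key) for key in ("s", "q", "g")}


def ua_lane(user_agent: str) -> str:
    """Which monetizing lane a gating tracker would likely choose for this User-Agent.

    Assumed mapping from the page's description: Windows desktop browsers get the
    dropper; mobile agents get the fake app alert; macOS, Linux and bots get some
    other monetizer. Lane names are this example's own.
    """
    ua = user_agent.lower()
    if any(token in ua for token in ("android", "iphone", "ipad", "mobile")):
        return "mobile-fake-alert"
    if "windows" in ua:
        return "payload"
    return "other-monetizer"


def triage(button_link: str, user_agent: str) -> dict:
    """Unwrap the link, extract campaign identifiers and hidden URLs, predict the lane."""
    tracker = unwrap_referrer_proxy(button_link)
    return {
        "tracker_host": urlparse(tracker).hostname,
        "campaign": campaign_ids(tracker),
        "hidden": hidden_urls(tracker),
        "lane": ua_lane(user_agent),
    }


# Constructed sample (no real infrastructure): bait blog -> href.li -> tracker,
# with parameter r carrying base64 of "https://c2.example/check".
SAMPLE_BUTTON_LINK = (
    "https://href.li/?https://tracker.example/go?s=12&q=photoshop-2021&g=7"
    "&r=aHR0cHM6Ly9jMi5leGFtcGxlL2NoZWNr"
)
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/92.0 Safari/537.36"
ANDROID_UA = "Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 Chrome/92.0 Mobile Safari/537.36"

if __name__ == "__main__":
    for ua in (WIN_UA, ANDROID_UA):
        print(triage(SAMPLE_BUTTON_LINK, ua))
```

Run against a captured button link and the visitor’s User-Agent, `triage` gives the tracker host, the s / q / g identifiers for clustering bait blogs by campaign, any URL hidden in base64 query values, and the lane the page says a gating tracker would pick. Because the page notes that some trackers stop inspecting the User-Agent while download servers still do, the lane prediction is a hint for which UAs to replay, not a verdict.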
Another set of servers implemented a different set of JavaScript.