Fake Pirated Software Sites Distribute Malware via InstallUSD

September 2, 2021

“Traffic exchanges” are an old standby of malware campaigns. Often mocked on underground boards as outdated, these marketplaces for “software installs” remain a tool for various malware actors and cybercriminals, particularly entry-level criminals with minimal skills looking to distribute malware.

Many of these services advertise on the same boards where they are ridiculed. Criminal affiliates can set up accounts quickly, but most require an initial Bitcoin deposit before they can begin distributing installers.

One example, InstallBest (hosted on installs[.]info), is based in Russia. The site provides direct instructions in Russian and English on how to get started. It also offers advice on “best practices,” such as avoiding Cloudflare-based hosts for downloaders and using URLs within Discord’s CDN, Bitbucket, or other cloud services. However, affiliates don’t always follow this advice, as evidenced by the presence of some installers on Discord.

Once the affiliate deposits Bitcoin, they can set up campaigns through a simple web form. The form allows selection of specific geographic targets, with higher prices for the U.S., Canada, and Australia. For $2 per drop, buyers can purchase 1,000 downloads through the service’s distribution chain.

Another Russian-based site, shop1[.]host, promoted on underground forums, appears to be pivoting as it claims to be putting its payment system into maintenance for “a month or two.”

Malware Middlemen

Some of these services provide their own delivery networks, while others act as intermediaries for established traffic suppliers, including malvertising networks that pay blog publishers for traffic.

One of these, linked to several malware campaigns found on “cracked” software blogs, was powered in part by InstallUSD, an advertising network based in Pakistan. InstallUSD promised payments of up to $5 per software install delivered.

InstallUSD’s site allowed publishers to register and post download links, but required them to complete registration via Skype chat with a “publishers manager” named Jamashad.

Further investigation uncovered a Facebook page for InstallUSD, listing a phone number that also linked to WorkingKeys[.]org, a website that claims to host cracked software downloads. This site is directly connected to InstallUSD through the malware-linked download URLs.

The WorkingKeys domain name servers (ns1.installusd.online and ns2.installusd.online) also serve about 150 other domains related to cracked software. Some of these domains are inactive and some contain no outbound links, but several actively distribute malware.

While analyzing other malware dropper services, we found that many were connected to InstallUSD’s malvertising infrastructure.

Following the Downloads

Method 1: InstallUSD Affiliate System

Eight of the initial 15 “bait” blogs analyzed were linked to InstallUSD’s install-as-a-service network. These sites used JavaScript-driven download buttons, redirecting users through multiple sites to:

  • Track campaign data
  • Verify the user’s OS and browser information via User-Agent headers
  • Generate redirects based on the gathered data

These tracker sites and many bait blogs were hidden behind Cloudflare’s CDN and registered through Namecheap.

Redirect behavior depended on the user's system. Mobile, MacOS, or Linux users saw:

  • Fake security alerts promoting VPN or security app installations
  • Prompts to install a browser plugin to view content
  • “Captcha” pages requiring users to allow notifications, which then delivered spammed malware alerts
  • Redirects to other affiliate programs, including fake Yahoo news pages, adult web games, and dating sites

The JavaScript controlling the download buttons came from different source servers but followed the same basic structure:

  1. Opened a new browser tab using forwarding links via referral proxies
  2. Used proxies to scrub referrer data from originating sites
  3. Initially used nullrefer[.]com as a referrer proxy, but later switched to href[.]li (operated by Automattic, WordPress’ parent company)
  4. Concealed destination URLs using HTTPS, preventing browser security tools from inspecting the actual destination
  5. Embedded Base64-encoded text pointing to a command-and-control (C2) server

The cross-site scripts loaded for download buttons were generated dynamically based on URL source parameters.

Download Plan B

Some disrupted sites did not transition to new infrastructure. Instead, they:

  • Continued using the original scripting hosts
  • Launched a simplified redirect system pointing directly to the malware payload download server

These sites did not use href[.]li as a referrer proxy. Instead, the JavaScript-controlled download buttons contained three variables:

  • s – Identifying the source of the link
  • q – Name of the download
  • g – Unique source blog identifier

A function called getThere opened a new browser window pointing to a tracker server. The URL format followed a structured pattern.
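As an added example (not code from the original write-up, nor recovered from any of the sites it describes), the following Python analyzes a constructed download-button script in the shape described in the two passages above: it resolves the `window.open()` target built from the `s`, `q` and `g` variables, unwraps the href[.]li referrer proxy to expose the tracker URL, pulls the campaign parameters, and decodes any Base64 run that turns out to be a URL (the embedded C2 pointer). The `getThere` body, the variable values, and the hostnames `tracker.example` and `c2.example.invalid` are constructed placeholders, not indicators from the article.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

# Referrer-scrubbing proxies named in the write-up. Both carry the real
# destination in the query part of the proxy URL ("https://href.li/?<dest>").
REFERRER_PROXIES = ("nullrefer.com", "href.li")

# Constructed sample of a download-button script in the shape described above.
# Hostnames under .example/.invalid are placeholders, not real indicators.
C2_URL = "https://c2.example.invalid/dl.js"
SAMPLE_SCRIPT = (
    "function getThere(){\n"
    '  var s = "blog-mirror-7";\n'      # source of the link
    '  var q = "photo-editor-pro";\n'   # name of the download
    '  var g = "a1b2c3";\n'             # unique source-blog identifier
    '  window.open("https://href.li/?https://tracker.example/go?s="+s+"&q="+q+"&g="+g);\n'
    "}\n"
    f'var cfg = "{base64.b64encode(C2_URL.encode()).decode()}";\n'
)


def script_variables(script):
    """Collect simple `var name = "literal";` assignments from the script."""
    return dict(re.findall(r'var\s+(\w+)\s*=\s*"([^"]*)"', script))


def resolve_concat(expr, variables):
    """Evaluate a JS string concatenation made of quoted literals and known variables."""
    parts = []
    for tok in expr.split("+"):
        tok = tok.strip()
        if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
            parts.append(tok[1:-1])
        elif tok in variables:
            parts.append(variables[tok])
        else:
            raise ValueError(f"cannot resolve token {tok!r}")
    return "".join(parts)


def window_open_target(script):
    """Return the resolved URL passed to window.open(), or None if absent."""
    m = re.search(r"window\.open\(\s*(.*?)\s*\)", script, re.S)
    if not m:
        return None
    return resolve_concat(m.group(1), script_variables(script))


def unwrap_referrer_proxy(url):
    """Split a proxied link into (proxy_host, destination); proxy_host is None if not proxied."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    if host in REFERRER_PROXIES and parsed.query:
        return host, parsed.query
    return None, url


def tracker_params(url):
    """Pull the s/q/g campaign parameters from a tracker URL."""
    qs = parse_qs(urlparse(url).query)
    return {k: v[0] for k, v in qs.items() if k in ("s", "q", "g")}


def embedded_base64_urls(script):
    """Decode Base64 runs in the script and keep those that are URLs (the C2 pointer pattern)."""
    found = []
    for cand in re.findall(r"[A-Za-z0-9+/]{20,}={0,2}", script):
        try:
            text = base64.b64decode(cand, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            found.append(text)
    return found


def analyze_script(script):
    """Summarize where a download-button script sends the visitor and what it hides."""
    target = window_open_target(script)
    proxy, dest = unwrap_referrer_proxy(target) if target else (None, None)
    return {
        "referrer_proxy": proxy,
        "destination": dest,
        "tracker_host": urlparse(dest).netloc if dest else None,
        "params": tracker_params(dest) if dest else {},
        "base64_urls": embedded_base64_urls(script),
    }


if __name__ == "__main__":
    for key, value in analyze_script(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the report for the sample; fed with scripts collected by a crawler, the `g` value and tracker host let a defender cluster bait blogs that belong to the same campaign, and the decoded Base64 URLs are the ones worth blocking at the proxy.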

A smaller subset of sites embedded download links directly into the page code, either via:

  • A JavaScript function controlling the button
  • A raw HTML link associated with the button

Some raw links contained HTML artifacts indicating that a backend PHP plugin had obfuscated the link, hiding its connection to the C2 server that provided the malicious scripts.

Evasion Tactics

Unlike the initial tracker site, the new redirect system did not inspect User-Agent data. This allowed users with various browser types to reach the intended Windows payload. However, some download servers did perform checks, redirecting non-Windows users to:

  • Fake security alerts
  • Adult dating sites
  • Other monetized destinations

These redirects were localized based on IP addresses, ensuring users saw content tailored to their geographical region.
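Added example, not part of the original article: a differential User-Agent probe that fetches the same download URL under several OS personas and reports whether they land in different places, the gating behaviour described for the tracker sites earlier and for some download servers above. The personas, the `fake_gated_server` stand-in and its hostnames are constructed; `http_final_url` is the standard-library fetcher an analyst would pass in instead of the stand-in.

```python
from urllib.parse import urlparse
import urllib.request

# Constructed User-Agent strings, one per OS persona an analyst would test.
USER_AGENTS = {
    "windows": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/92.0 Safari/537.36",
    "macos": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 Safari/605.1.15",
    "linux": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0",
    "android": "Mozilla/5.0 (Linux; Android 11) AppleWebKit/537.36 Chrome/92.0 Mobile Safari/537.36",
}

ARCHIVE_OR_EXE = (".exe", ".msi", ".zip", ".rar", ".7z", ".iso")


def classify_destination(url):
    """Coarse label for a landing URL: a downloadable archive/executable, or a web page."""
    path = urlparse(url).path.lower()
    return "archive-or-executable" if path.endswith(ARCHIVE_OR_EXE) else "page"


def http_final_url(url, user_agent, timeout=10):
    """Live fetcher: follows redirects and returns the landing URL (not used by the demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.geturl()


def probe_cloaking(url, fetch, user_agents=USER_AGENTS):
    """Fetch `url` once per persona via `fetch(url, ua)` and compare where each one lands."""
    landings = {}
    for persona, ua in user_agents.items():
        final = fetch(url, ua)
        landings[persona] = {
            "final_url": final,
            "host": urlparse(final).netloc,
            "kind": classify_destination(final),
        }
    hosts = {v["host"] for v in landings.values()}
    kinds = {v["kind"] for v in landings.values()}
    windows_kind = landings.get("windows", {}).get("kind")
    return {
        "landings": landings,
        # Any divergence in landing host or content type means the server
        # is serving different things to different User-Agents.
        "cloaked": len(hosts) > 1 or len(kinds) > 1,
        # The pattern from the article: only the Windows persona gets a binary.
        "windows_only_binary": windows_kind == "archive-or-executable"
        and all(v["kind"] == "page" for p, v in landings.items() if p != "windows"),
    }


def fake_gated_server(url, user_agent):
    """Constructed stand-in for a download server that gates on User-Agent; no network."""
    if "Windows NT" in user_agent:
        return "https://dl.example/files/setup_1234.zip"
    if "Android" in user_agent:
        return "https://alert.example/vpn-warning"
    return "https://dating.example/landing"


if __name__ == "__main__":
    report = probe_cloaking("https://dl.example/get?id=1", fake_gated_server)
    for persona, landing in report["landings"].items():
        print(f"{persona:8} -> {landing['kind']:22} {landing['final_url']}")
    print("cloaked:", report["cloaked"], "| windows-only binary:", report["windows_only_binary"])
```

Compare landing host and content type rather than raw URLs: the localized redirects the article mentions vary the exact page by region, so two probes from the same IP will agree on host and kind even when the path differs. Adding a persona per source country (through the analysis proxy) extends the same function to the IP-based localization.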

Meanwhile, another set of servers implemented a different JavaScript-based delivery mechanism, further diversifying the attack methods used by these malware campaigns.
