Fake pirated software sites serve up malware droppers as a service – Stop ransomware and Glupteba backdoor

Special delivery
“Traffic exchanges” are an old standby of malware campaigns. Often mocked on underground boards as old-fashioned, these marketplaces for “software installs” are still part of the toolkit for a variety of malware actors and other cybercriminals, particularly for entry-level criminals with very few skills who want to spread malware.

Many of these services advertise on the same boards where they are mocked. Criminal affiliates can set up accounts quickly, but most require a deposit paid in Bitcoin before they can begin distributing installers. InstallBest (on installs[.]info, shown below) is hosted in Russia. The site provides very direct instructions on how to get started, in Russian and English.
The site also offers some advice on “best practices,” recommending against using Cloudflare-based hosts for downloaders and against using URLs within Discord’s CDN, Bitbucket, or other cloud services. As evidenced by our discovery of some of these installers on Discord, affiliates don’t always heed this advice.
Once the affiliate deposits Bitcoin, they can set up campaigns using a simple web form.
The form allows for the selection of specific geographic distribution areas, charging more for targets in the United States, Canada, and Australia.
For two dollars a drop, you can buy 1,000 downloads through this service’s distribution chain.
Another Russian-based site, shop1[.]host, promoted on underground web boards, is apparently pivoting as it claims to be putting its payment system into maintenance for “a month or two.”

Malware middlemen
Some of these services provide their own delivery networks. Others simply act as go-betweens to established traffic suppliers, including malvertising networks that pay blog publishers for traffic.

One of these, tied to several of the malware campaigns we found hosted on the “cracked” software blogs, was powered in part by InstallUSD, an advertising network based in Pakistan which promises a payment of up to $5 US for every software install delivered.

InstallUSD’s site allowed site owners to register to publish download links, but required them to complete registration through Skype chat with a “publishers manager,” referred to as Jamashad. We attempted to contact InstallUSD about their program, but received no response.

Further investigation of InstallUSD uncovered a Facebook page for the group. A phone number provided on the organization’s Facebook page is also connected to a Facebook page for WorkingKeys[.]org, a website that purports to host cracked software downloads. In fact, that site is also connected to InstallUSD through the links that lead to the malware.

The WorkingKeys website’s domain name servers (ns1.installusd.online and ns2.installusd.online) also act as domain name servers for about 150 other domains with names related to cracked software. Some of them are inactive, and some have no outbound links to downloads, but several of them are serving up malware.

As we investigated the other malicious websites tied to droppers-as-a-service, we found many of them were connected to InstallUSD’s malvertising infrastructure.

Following the downloads
Method 1: InstallUSD affiliate system
Eight of our initial group of 15 “bait” blogs connected to infrastructure we tied to the InstallUSD install-as-a-service network.
These sites had download buttons driven by a remote JavaScript that redirected visitors through a series of sites. These included trackers that checked campaign-related information and generated redirects based on verification of the inbound link and on the operating system and browser identified from the User-Agent header sent with each request.
The tracker sites, and many of the bait blogs, were behind Cloudflare’s CDN, and almost all were registered through Namecheap.

If a user tried to download the files using a mobile, MacOS, or Linux browser, or if they had browser security plugins installed, the redirects would lead to a different monetizing destination:

- A fake alert for mobile devices promoting the installation of a VPN or security app
- A page insisting the user install a browser plug-in to view content
- “Captcha” pages that required the user to allow notifications, after which fake malware alert notifications spammed the target system
- Redirects through other affiliate programs for paid traffic, including bogus Yahoo news pages, adult web games, and “dating” sites

The JavaScript that controlled the behavior of the download button on these eight sites came from a number of different source servers, but they all had the same basic signature. First, they opened a new browser tab using forwarding links passed through referral proxies, sites intended to create “anonymous” links that scrub any referrer reference to the originating site from the forward. In early investigations, this referral proxy was nullrefer[.]com; by late July and August, the scripts providing the forwarding had changed to the proxy href[.]li (a service operated by WordPress’ parent company, Automattic).

The destination site embedded in the request to the referral proxies was concealed within HTTPS, which hid the actual destination from inspection by browser security tools. Also embedded in the destination URL was base64-encoded text that pointed to a common command and control server.

The cross-site scripts loaded for the download buttons on these sites were fairly uniform. They were all generated dynamically based on data passed as part of the URL source for the script.

Download Plan B
Some of the disrupted sites did not shift to the new infrastructure. Instead, using the same scripting hosts they had originally pointed to, they received JavaScript that launched an abbreviated version of the original redirect system, linking to a tracker server that redirected directly to the download server for the payload. Some did not use the href.li redirector.
The URL for retrieving the button script contains three variables: “s” (an integer identifying the source of the link), “q” (the name of the download), and “g” (another integer unique to the source “blog”).

A function named “getThere” opens a new browser window with a URL pointing at the tracker server. The URL follows this format.
A smaller number of sites had this style of link embedded in the page code, either in a JavaScript function connected to the button or as a raw link. However, the sites that had a raw link associated with the button had HTML artifacts suggesting the link may have been rendered by a back-end PHP plug-in, concealing the connection to the C2 providing the scripts behind the server.
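Two of the artifacts described above, the referral-proxy hop with a base64-encoded C2 hidden in the destination URL and the button-script fetch carrying the “s”, “q” and “g” variables, can be picked out of a web-proxy log. The following is an added detection example written for this article, not code from the original or from Sophos; the host names, the log format and the assumption that the referral proxy carries its destination as the raw query string are constructed for illustration.

```python
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Referral proxies named in the write-up (hosts taken from the page's defanged names).
REFERRAL_PROXIES = {"href.li", "nullrefer.com"}
B64_RE = re.compile(r"^[A-Za-z0-9+/=_ -]{16,}$")  # loose test for a base64-looking query value
def decode_b64_url(token):
    # Return the decoded text if `token` is base64 that decodes to a URL/hostname, else None
    token = token.replace(" ", "+").replace("-", "+").replace("_", "/")  # parse_qs maps '+' to space; fold URL-safe alphabet
    try:
        text = base64.b64decode(token + "=" * (-len(token) % 4)).decode("ascii")
    except Exception:                # binascii.Error (bad base64) or non-ASCII bytes
        return None
    return text if re.match(r"^(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}", text) else None

def analyze_url(url):
    # Classify one requested URL from a web-proxy log
    result = {"referral_proxy": False, "forwarded_to": None, "hidden_c2": None, "button_script": False}
    parsed = urlparse(url)
    if (parsed.hostname or "") in REFERRAL_PROXIES:
        result["referral_proxy"] = True
        # Assumption: the forwarded destination is the whole query string (href.li's "?<url>" form)
        forwarded = unquote(parsed.query)
        result["forwarded_to"] = forwarded
        for values in parse_qs(urlparse(forwarded).query).values():
            for value in values:
                if B64_RE.match(value) and (decoded := decode_b64_url(value)):
                    result["hidden_c2"] = decoded   # the concealed C2 the article describes
    # Button-script fetch: the article names the three variables s, q and g
    result["button_script"] = {"s", "q", "g"} <= set(parse_qs(parsed.query))
    return result

# Constructed sample log lines ("<client> <method> <url>"); hosts are stand-ins, not real indicators.
HIDDEN = base64.b64encode(b"https://c2.example.invalid/gate").decode()
SAMPLE_LOG = [
    "10.0.0.5 GET https://cdn.example.invalid/btn.js?s=12&q=Adobe+Photoshop+2021&g=7",
    f"10.0.0.5 GET https://href.li/?https://trk.example.invalid/go?c={HIDDEN}",
    "10.0.0.6 GET https://www.example.invalid/index.html",
]

def scan_log(lines):
    # Return (client, url, analysis) for every line that matches either pattern
    hits = []
    for client, _method, url in (line.split(" ", 2) for line in lines):
        analysis = analyze_url(url)
        if analysis["referral_proxy"] or analysis["button_script"]:
            hits.append((client, url, analysis))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see the two hits; in practice the host set and the query-string assumption would be adjusted to the proxy's actual link format.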

The new tracker site itself did not appear to inspect the browser User-Agent; we reached the intended payload for Windows from a variety of browser agent types. However, some of the download servers did their own check, and a click on the download button from a non-Windows agent yielded a redirect to another monetizing link, such as a fake alert or “naughty dating” site. These sites were also localized by the IP range the browser was visiting from.

Another set of servers implemented a different set of JavaScript.
