Are you interested in downloading free, cracked software? If so, you should know what you’re getting into.
When you accidentally download malicious cracked software, attackers can take everything you have on your PC, and you’ll end up without your sensitive personal data and even without the software that you were trying to download in the first place. This is precisely how the newly emerged FakeCrack campaign is doing its business, enticing users into downloading fake cracked software. The bad actors behind the campaign have utilized a vast infrastructure to deliver malware and steal personal and other sensitive data, including crypto assets. Interested in knowing more? Let’s dive a bit deeper.
Delivery infrastructure
The infection chain starts on dubious sites that supposedly offer cracked versions of well-known and used software, such as games, office programs, or programs for downloading multimedia content. All these sites are placed in the highest positions in search engine results. The image below shows the first page results of a crack keyword search. The vast majority of the results on the first page (highlighted) lead to compromised crack sites and the user ends up downloading malware instead of the crack. This technique is known as the Black SEO mechanism exploiting search engine indexing techniques.
Figure 1: CCleaner Pro crack search results
Next, a link leads to an extensive infrastructure that delivers malware. What's interesting about this infrastructure is its scale. After clicking on the link, the user is redirected through a network of domains to the landing page. These domains have a similar pattern and are registered on Cloudflare using a few name servers. The first type of domain uses the pattern freefilesXX.xyz, where XX are digits. This domain usually only serves as a redirector. The redirect leads to another page using the cfd top-level domain. These cfd domains serve as a redirector as well as a landing page. Overall, Avast has protected roughly 10,000 users from being infected daily who are located primarily in Brazil, India, Indonesia, and France.
Figure 2: Protected users on the whole delivery infrastructure (1 day period)
The landing page has different visual forms. All of them offer a link to a legitimate file share platform, which contains a malware ZIP file. The file sharing services abused in this campaign include, for example, the Japanese file sharing filesend.jp or mediafire.com. An example of the landing page is shown below.
Figure 3: Landing page
Delivered malware
After accessing the provided link, the ZIP file is downloaded. This ZIP is encrypted with a simple password (usually 1234) which prevents the file from being analyzed by antivirus software. This ZIP usually contains a single executable file, typically named setup.exe or cracksetup.exe. We collected eight different executables that were distributed by this campaign.
These eight samples exhibit stealers' activities, focusing on scanning the user's PC and collecting private information from the browsers, such as passwords or credit card data. Data from electronic wallets are also being collected. The data has been exfiltrated in encrypted ZIP format to C2 servers. However, the ZIP file encryption key is hardcoded into the binary, so getting the content is not difficult. The encrypted ZIP contains all information mentioned previously, like the information about the system, installed software, screenshot and data collected from the browser including passwords or private data of crypto extensions.
Figure 4: Exfiltered data in ZIP
Figure 5: Zip password hardcoded in the binary
Persistence techniques
The delivered stealer malware using two persistence techniques. Both of these techniques were exclusively targeted at stealing crypto-related information, which we’ll now describe in more detail.
Clipboard changer technique
In addition to stealing sensitive personal information as described above, some of the samples also preserved persistence by dropping two additional files. The AutoIt compiler for the case is not present on the user’s computer and the AutoIt script. The script has been usually dropped to the AppData\Roaming\ServiceGet\ folder and scheduled to run automatically at a predefined time.
This script is quite large and very heavily obfuscated, but after a closer examination, it does only a few elementary operations. For one, it periodically checks the content of the clipboard. When it detects the presence of the crypto wallet address in the clipboard, it changes the value of the clipboard to the wallet address under the attacker’s control. The protection mechanism also deletes the script after three successful changes of the wallet address in the clipboard. The figure below shows the deobfuscated version of the part of the script.
The periodic_clipboard_checks function is being called in an infinite loop. Each call of the check_clipboard function checks the presence of the wallet address in the clipboard and changes its content to the attacker’s controlled address. The attacker is prepared for various crypto wallets, ranging from Terra, Nano, Ronin, or Bitcoincash. The numeric parameters in the check_clipboard function are not important and serve only for optimizations.
Figure 6: Dropped AutoIt script
In total, we identified 37 different wallets for various cryptocurrencies. Some of them were already empty, and some of them we could not identify. However, we checked these wallets on the blockchain and we estimate that the attacker earned at least $50,000. Moreover, if we omit the massive drop in the price of the Luna crypto in recent days, it was almost $60,000 in approximately a one month period.
Proxy stealing technique
The second interesting technique that we observed in connection with this campaign was the use of proxies to steal credentials and other sensitive data from some crypto marketplaces. Attackers were able to set up an IP address to download a malicious Proxy Auto-Configuration script (PAC). By setting this IP address in the system, every time the victim accesses any of the listed domains, the traffic is redirected to a proxy server under the attacker’s control.
This type of attack is quite unusual in the context of the crypto stealing activity; however, it is very easy to hide it from the user, and the attacker can observe the victim's traffic at given domains for quite a long time without being noticed. The figure below shows the content of the Proxy Autoconfiguration Script set up by an attacker. Traffic to Binance, Huobi, and OKX cryptomarkets is being redirected to the attacker’s controlled IP address.
Figure 7: Proxy autoconfig script
How to remove the proxy settings
This campaign is dangerous mainly due to its extension. As it was shown at the beginning, the attacker managed to get the compromised sites to high positions in search results. The number of protected users also shows that this campaign is quite widespread. If you suspect your computer has been compromised, check the proxy settings and remove malicious settings using the following procedure.
The proxy settings must be removed manually by using the following guidelines:
- Remove AutoConfigURL registry key in the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Alternatively, using GUI:
- Click on the Start Menu.
- Type Settings and hit enter.
- Go to Network & Internet -> Proxy.
- Delete Script Address and click on the Save button.
- Disable the “Use a proxy server” option.
Thanks to Martin Hanzlik, a student intern who participated in tracking this campaign and significantly contributed to this blog post.
IoC
Delivery infrastructure
goes12by[.]cfd
|
baed92all[.]cfd
|
aeddkiu6745q[.]cfd
|
14redirect[.]cfd
|
lixn62ft[.]cfd
|
kohuy31ng[.]cfd
|
wae23iku[.]cfd
|
yhf78aq[.]cfd
|
xzctn14il[.]cfd
|
mihatrt34er[.]cfd
|
oliy67sd[.]cfd
|
er67ilky[.]cfd
|
bny734uy[.]cfd
|
uzas871iu[.]cfd
|
dert1mku[.]cfd
|
fr56cvfi[.]cfd
|
asud28cv[.]cfd
|
freefiles34[.]xyz
|
freefiles33[.]xyz
|
wrtgh56mh[.]cfd
|
Malware
SHA-256
|
bcb1c06505c8df8cf508e834be72a8b6adf67668fcf7076cd058b37cf7fc8aaf
|
c283a387af09f56ba55d92a796edcfa60678e853b384f755313bc6f5086be4ee
|
ac47ed991025f58745a3ca217b2091e0a54cf2a99ddb0c98988ec7e5de8eac6a
|
5423be642e040cfa202fc326027d878003128bff5dfdf4da6c23db00b5942055
|
c283a387af09f56ba55d92a796edcfa60678e853b384f755313bc6f5086be4ee
|
9254436f13cac035d797211f59754951b07297cf1f32121656b775124547dbe7
|
5423be642e040cfa202fc326027d878003128bff5dfdf4da6c23db00b5942055
|
9d66a6a6823aea1b923f0c200dfecb1ae70839d955e11a3f85184b8e0b16c6f8
|
Stealer C2 and exfiltration servers
IP Address
|
185[.]250.148.76
|
45[.]135.134.211
|
194[.]180.174.180
|
45[.]140.146.169
|
37[.]221.67.219
|
94[.]140.114.231
|
Clipboard changer script
SHA-256
|
97f1ae6502d0671f5ec9e28e41cba9e9beeffcc381aae299f45ec3fcc77cdd56
|
Malicious proxy server
SHA-256
|
e5286671048b1ef44a4665c091ad6a9d1f77d6982cf4550b3d2d3a9ef1e24bc7
|