Threat actors distributing infostealers are gaining momentum by targeting victims seeking to illegally download pirated software. Because obtaining and using pirated software is against the law, many individuals partaking in this type of behavior suspend proper scrutiny of the source of their download. As a result, whether they are good or bad people, victims across the world are paying the price with their private information for a single bad decision.
Discover the techniques being used to distribute these threats and unravel the infection chain from two different examples to understand how these malware developers operate and use the latest techniques to avoid detection.
It has been over 20 years since the launch of Napster taught the internet how to get and share digital content online, and nearly a decade since the resilient Pirate Bay torrent site began enabling visitors to find and download stolen media and unlocked or ‘cracked’ versions of software. All these years later, in spite of many lawsuits and injunctions, it is still extremely common for people to download pirated software from shady shareware sites instead of buying licenses for noncommercial purposes. Today, we typically see sites hosting cracked software like Microsoft Office and Windows installers appearing in indexed Google search results and ad banners.
Recently, the Zscaler ThreatLabz researchers discovered multiple ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software applications. The screenshot in Fig. 1 shows Google search results featuring these fake sites, which look just like the real pirate hosting sites. Part of what makes this type of threat so successful is that it targets individuals participating in an illegal yet common activity; as a result, many of the users cannot distinguish one makeshift pop-up site peddling illegal software downloads from another one hosting malware downloads. The sections that follow provide a detailed technical analysis of two different active infostealer infection chains that fall into this category.
Fig 1. Fake shareware sites indexed on Google search
When users visit fake shareware sites and click to download, they immediately experience multiple redirects that obscure the process from search engines, scanners, and victims, and finally deliver them to a malicious site hosting the threat actor’s intended content: an infostealer malware like the one featured in Fig 2 below. While this process might raise eyebrows on a verified site, visitors on these back-channel sites may assume that this sleight-of-hand is a normal part of how shareware sites operate.
Fig 2. Infection vector
After arriving at the final destination and finishing the download, the final payload received in this sample is a zip archive file <10 MB in size. In this case, the malware-hosting URL is an open directory containing more than 3000 malicious zip archive files masquerading as common types of cracked software, as shown in the Fig 3 snippet below.
Fig 3. Web directory containing thousands of malware laced zip files
The malware distribution pattern our researchers observed is not consistent, but we did discover that trusted sites like Mediafire (as shown in Fig. 4 below) and Discord are also being used to host malware in several different campaigns.
Fig 4. Redirected landing phishing page
The downloaded file is a compressed archive that contains a password-protected zip archive and a text file purporting to contain stored passwords.
Fig 5. Password and Archive file
The password-protected zip file further contains a zip file named setup.zip, 1.3 MB in size. Extracting that archive reveals an executable file padded with 0x20 and 0x00 bytes to just over 600 MB, as shown in Fig. 5 below.
Fig 5. File padded with irrelevant bytes
ThreatLabz researchers found that the padded bytes were irrelevant to running the sample and determined that the threat actor included them to evade detection by security engines. The file also contains anti-VM and anti-debug checks. Dumping the process from memory discards the irrelevant bytes, dropping the file size in this sample from 600 MB to 78 KB, as shown in Fig 6 below.
Fig 6: Actual file size after dumping the process
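The padding described above is easy to measure once you know what to look for. The following script is an added example written for this article; it is not Zscaler's tooling or anything from the sample, and the file it analyses is a synthetic stand-in built inline. It counts the run of 0x20/0x00 bytes at the tail of a file, strips it only when the run is long enough to be deliberate inflation rather than normal alignment slack (the 1 MiB threshold is an assumption), and reports the before/after sizes an analyst would log during triage.

```python
"""Added example: measure and strip trailing filler bytes from an inflated sample.

Constructed demo, not Zscaler's tooling: the padding bytes (0x20, 0x00) come from
the post; the threshold and the sample file below are assumptions built here.
"""
import sys

PAD_BYTES = frozenset({0x00, 0x20})   # NUL and ASCII space, as observed in the sample
MIN_PAD_RUN = 1024 * 1024             # assumed: runs under 1 MiB are ordinary alignment slack


def trailing_padding_length(data: bytes, pad_bytes=PAD_BYTES) -> int:
    """Length of the run of pad bytes at the very end of `data`."""
    end = len(data)
    while end > 0 and data[end - 1] in pad_bytes:
        end -= 1
    return len(data) - end


def strip_trailing_padding(data: bytes, min_run: int = MIN_PAD_RUN) -> tuple[bytes, int]:
    """Return (payload, bytes_removed). Only strips when the run is suspiciously long."""
    pad = trailing_padding_length(data)
    if pad < min_run:
        return data, 0
    return data[: len(data) - pad], pad


def padding_report(data: bytes) -> dict:
    """Triage summary: size before/after and the share of the file that was filler."""
    payload, removed = strip_trailing_padding(data)
    return {
        "size_before": len(data),
        "size_after": len(payload),
        "padding_bytes": removed,
        "padding_ratio": removed / len(data) if data else 0.0,
        "inflated": removed >= MIN_PAD_RUN,
    }


def build_constructed_sample(pad_len: int = 2 * 1024 * 1024) -> tuple[bytes, bytes]:
    """Synthetic stand-in for the padded binary: a fake 'MZ' blob followed by filler.
    Returns (padded_file, real_payload) so the caller can check recovery."""
    payload = b"MZ" + b"\x90" * 62 + bytes(range(256)) * 8   # ends in 0xFF, not a pad byte
    filler = b"\x20\x00" * (pad_len // 2)                     # alternating space/NUL filler
    return payload + filler, payload


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:      # real file supplied on the command line
            blob = fh.read()
    else:
        blob, _ = build_constructed_sample()     # fall back to the constructed sample
    print(padding_report(blob))
```

Run it with a file path to check a real sample, or without arguments to see it recover the synthetic payload from the 2 MiB of filler. A high `padding_ratio` on a multi-hundred-megabyte installer is a cheap, engine-independent signal worth surfacing before any deeper analysis.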
Once the file is executed, it spawns an encoded PowerShell command that launches a cmd.exe process with a timeout of 10 seconds. This timeout period is added to evade automated sandbox analysis tools. The decoded PowerShell command looks like this:
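From a detection standpoint, the useful property of this stage is that the command line is base64-encoded UTF-16LE and the decoded body does nothing but spawn cmd.exe with a delay. The script below is an added example for this article, not Zscaler's detection content and not the command from the sample: it decodes `-EncodedCommand` arguments (under any of the abbreviations PowerShell accepts) from process-creation log lines and flags decoded bodies that are only a delay stub. The log lines, field layout and the decoded stub are constructed stand-ins.

```python
"""Added example: decode PowerShell -EncodedCommand arguments from process-creation
logs and flag bodies that only introduce a delay (sandbox-evasion pattern).

Constructed demo, not Zscaler's detection content; the log lines, their key=value
layout and the decoded command are synthetic stand-ins built in this file.
"""
import base64
import re

# -e, -ec, -enc, -encodedcommand ... PowerShell accepts any unambiguous prefix
ENC_ARG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")
# delay primitives commonly seen in a first-stage stub
DELAY = re.compile(r"(?i)\b(timeout|start-sleep|sleep)\b")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -EncodedCommand, else None."""
    for m in ENC_ARG.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue                      # e.g. -ExecutionPolicy, which also starts with 'e'
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue                      # not a well-formed encoded command
    return None


def parse_log_line(line: str) -> dict:
    """Pull fields from a constructed Sysmon-style key=value line; CommandLine is last."""
    fields = {}
    for key in ("ParentImage", "Image"):
        m = re.search(rf"{key}=(\S+)", line)
        fields[key] = m.group(1) if m else ""
    m = re.search(r"CommandLine=(.*)$", line)
    fields["CommandLine"] = m.group(1) if m else ""
    return fields


def scan_process_logs(lines):
    """Return one finding per encoded PowerShell launch, noting delay-only bodies."""
    findings = []
    for line in lines:
        ev = parse_log_line(line)
        decoded = decode_encoded_command(ev["CommandLine"])
        if decoded is None:
            continue
        findings.append({
            "parent": ev["ParentImage"],
            "decoded": decoded,
            # a cmd.exe launch whose only purpose is to wait is the pattern described above
            "delay_only": bool(DELAY.search(decoded)) and "cmd.exe" in decoded.lower(),
        })
    return findings


# --- constructed sample input -------------------------------------------------
DECODED_STUB = "Start-Process cmd.exe -ArgumentList '/c timeout 10'"   # synthetic stand-in
ENCODED_STUB = base64.b64encode(DECODED_STUB.encode("utf-16-le")).decode()
SAMPLE_LOGS = [
    "ParentImage=C:\\Users\\victim\\Downloads\\setup.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    f"CommandLine=powershell.exe -w hidden -enc {ENCODED_STUB}",
    "ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for finding in scan_process_logs(SAMPLE_LOGS):
        print(finding)
```

Pairing the decoded body with the parent image is what makes the rule precise: an encoded PowerShell launch from a freshly downloaded executable whose only content is a wait is a far stronger signal than either fact alone.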
Once the timeout period is over, the loader connects to the remote server requesting a jpg file named ‘windows.decoder.manager.form.fallout15_Uwifqzjw.jpg’, as shown in Fig. 7 below.
Fig 7: Loader downloading requested jpg file from the remote server
The downloaded jpg file looks like it is encrypted, but opening it with an editor reveals that the contents are simply stored in reverse order; once the malicious program reverses the content, it becomes a DLL file.
The DLL payload contains RedLine Stealer malware that targets stored browser data; it is obfuscated with a crypter and compiled into memory by the loader. The loader loads the DLL and replaces the current thread context with it.
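A byte-reversed PE is a cheap trick to recognise: the file ends with `ZM` instead of starting with `MZ`, and reversing it yields a valid DOS header whose `e_lfanew` field points at a `PE\0\0` signature. The script below is an added example written for this article, not code from the sample or from Zscaler; it classifies a downloaded blob as a real JPEG, a plain PE, or a reversed PE, and recovers the payload in the last case. The PE it tests against is a minimal constructed stub, not a real DLL.

```python
"""Added example: recognise a byte-reversed PE disguised as an image and recover it.

Constructed demo, not the loader's code or Zscaler tooling; the PE stub built
below is synthetic and only large enough to carry a DOS header and PE signature.
"""
import struct


def looks_like_pe(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_download(data: bytes) -> str:
    """Label a fetched 'image' by what it actually contains."""
    if data[:2] == b"\xff\xd8":            # JPEG SOI marker: a genuine picture
        return "jpeg"
    if looks_like_pe(data):
        return "pe"
    if looks_like_pe(data[::-1]):          # reversed storage, as described in the post
        return "reversed-pe"
    return "unknown"


def recover_payload(data: bytes):
    """Return the forward-order PE if `data` is a reversed PE, else None."""
    forward = data[::-1]
    return forward if looks_like_pe(forward) else None


def build_constructed_pe() -> bytes:
    """Minimal synthetic PE-shaped blob: DOS header with e_lfanew = 0x40, then 'PE\\0\\0'."""
    header = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", header, 0x3C, 0x40)         # e_lfanew -> immediately after header
    body = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18 + b"constructed-stub"
    return bytes(header) + body


if __name__ == "__main__":
    fake_jpg = build_constructed_pe()[::-1]             # what the loader downloads
    print(classify_download(fake_jpg))                  # reversed-pe
    recovered = recover_payload(fake_jpg)
    print(recovered is not None and looks_like_pe(recovered))
```

The same check generalises to any single-byte transposition trick: if a fetched "image" has no image magic and a trivial transform of it produces a coherent PE header, the download is a stage, not a picture, and the recovered buffer is what you hash and analyse.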
This RedLine Stealer sample is designed to steal stored browser passwords, auto-complete data including credit card information, and cryptocurrency files and wallets. The implications for an unsuspecting victim trying to save money on a program they may barely intend to use can be severe, resulting in financial losses, identity theft, and other forms of fraud and extortion.
ThreatLabz researchers also observed fake shareware sites distributing instances of the RecordBreaker Stealer malware. These samples are delivered without any legitimate file hosting service and rely instead on malware packer tools like Themida, VMprotect, and MPRESS, as in the sample packed with Themida shown in Fig. 8 below.
Fig 8: Files packed with Themida/VMprotect
Malware authors typically use packers and protectors for compression and to wrap the software in an extra layer of disguised code to evade detection. Packers are also growing in popularity for the anti-VM and anti-debugging techniques they offer, which allow the malware to navigate the system, avoid detection, and run more smoothly, as shown in the screenshots featured in Fig. 9-10 below.
Fig 9: API calls used for anti-debugging techniques using FindWindow API
Fig 10: Message box displayed to close security tools
After execution, the malware in this sample communicates with the C2 server and sends back the machine ID and config ID before downloading its required libraries from the remote server.
Fig 11: Communication with C2 server
The examined instance of RecordBreaker is designed to steal browser information from extensions, including MetaMask, TronLink, BinanceChain, Ronin, MetaMask, MetaX, XDEFI, WavesKeeper, Solflare, Rabby, CyanoWallet, Coinbase, AuroWallet, KHC, TezBox, Coin98, Temple, ICONex, Sollet, CloverWallet, PolymeshWallet, NeoLine, Keplr, TerraStation, Liquality, SaturnWallet, GuildWallet, Phantom, TronLink, Brave, MetaMask, Ronin, MEW_CX, TON, Goby and TON, using extension IDs provided by the C2 server, like the examples shown below.
After running, the gathered system information and installed-application information are sent back to the C2 server.
Fig 12: Stealing system and installed software information
This malware can also send screenshots back to the C2 server, as shown below in the desktop screenshot relayed after a transaction.
Fig 13: Screenshot sent back to C2 server
RecordBreaker leaves nothing untapped, also collecting cookies from across the victim’s different browsers and sending them back to the C2 server, as shown in Fig 14 below.
Fig 15: Stealing browser cookies
Sample downloaded files
This campaign highlights how attackers take advantage of users’ behavior through the distribution of pirated software to spread infostealer malware and extort victims for financial profits and other gains. The campaigns analyzed in this article depend on users visiting and downloading software from unscrupulous websites as the initial infection vector. Users can easily prevent these unfortunate infections by avoiding this illegal practice and only visiting legitimate sites and downloading software from trustworthy sources.
Zscaler Cloud Sandbox Detection:
These are the malicious indicators involved in this campaign. MD5s are not listed because the password-protected zip files involved generate a new MD5 with each download transaction.
Fake shareware download sites:
Redirected Malicious NRD domains: