An ongoing malicious campaign has been using a network of websites for dropper-as-a-service to drop a package of malware payloads on victims’ systems. It targets those looking for cracked versions of enterprise and consumer applications.

What has happened?

According to Sophos, the recent campaign was discovered while investigating an ongoing Raccoon Stealer campaign. The dropped malware mostly included click fraud bots, information stealers, and ransomware.
  • The attacks mostly use various bait pages hosted on WordPress. These pages have download links of software packages, which if clicked, direct the visitor to another website.
  • The website delivers unwanted browser plug-ins and malware such as Raccoon Stealer installers, Glupteba backdoor, Conti and Stop ransomware, and cryptocurrency miners portraying antivirus solutions.
  • These sites urge the visitors to allow notifications, which would show frequent false malware alerts. The visitor is then redirected to multiple websites.
  • The redirection to multiple websites continues until the visitor finally arrives at a destination site. This landing site is decided based on the visitor's browser type, operating system, and geographic location. 

Some services were observed charging just $2 for 1,000 malware installs via droppers. By using these services, wannabe cyber actors can customize their campaigns. 

How do they lure users? 

The attackers use SEO techniques to appear at the top of search results whenever a person searches for pirated versions of software apps.
Such activities are mostly observed at the underground marketplace as paid download services. 
  • Moreover, traffic exchanges (or the distribution infrastructure) are being used as well. Such services need a Bitcoin payment before partners can create accounts and start spreading installers with InstallBest sites that offer advice as well.
  • The offered advice includes a recommendation against the use of Cloudflare-based hosts for downloaders, along with using URLs within Discord's CDN, Bitbucket, or other platforms.
  • Moreover, a number of services (e.g. InstallUSD) do not offer their own malware delivery networks. Instead, they act as go-betweens to set up malvertising networks that pay the site publishers for traffic.

Conclusion

Dropper-as-a-Service can allow any novice attacker with money to customize their attack campaign. It looks like cybercriminals are getting smarter and now using warez websites as an infection vector. Therefore, security agencies are suggested to keep an eye on such budding criminal services and take appropriate defense measures.

Cyware Publisher

Publisher

Cyware