Top Software Pirated for Distributing Infostealers

Use of pirated software

• Software used for baiting the victims include Adobe Acrobat Pro, Wondershare Dr. Fone, 3DMark, 3DVista Virtual Tour Pro, 7-Data Recovery Suite, and MAGIX Sound Force Pro.
• In most cases, the .exe files pretend to be software installers hosted on file hosting services; clicking on those take a user to download malicious files.
• The observed malware distribution pattern is not consistent, however, trusted sites such as Mediafire and Discord are used to host malware in numerous campaigns.

Infection process

• The downloaded files are archives, including a 1.3MB ZIP with a password to avoid AV scans and a TXT file with a password.
• The size of the unpacked ZIP was 600MB using byte padding as an anti-analysis practice followed by numerous malware authors.
• The executable is a malware loader that obtains an encoded PowerShell command that executes a Windows cmd[.]exe after a 10 seconds timeout to evade the sandbox analysis.

Use of stealers

• The above-mentioned cmd[.]exe process downloads a JPG file, which is a DLL file whose content is arranged in reverse.
• The loader rearranges the contents in the correct order, obtains the final DLL, and the  RedLine Stealer payload.
• In some cases, attackers drop copies of the RecordBreaker stealer, packed with Themida tool for obfuscation.

Conclusion