Numerous ongoing malware distribution campaigns have been observed targeting internet users looking for pirated software. The attackers are using multiple pirated software to lure their potential victims.
Use of pirated software
The campaigns are using SEO poisoning and malvertising to promote malicious shareware sites high in Google Search results, advertising fake or pirated software, along with key generators and cracks.
Software used for baiting the victims include Adobe Acrobat Pro, Wondershare Dr. Fone, 3DMark, 3DVista Virtual Tour Pro, 7-Data Recovery Suite, and MAGIX Sound Force Pro.
In most cases, the .exe files pretend to be software installers hosted on file hosting services; clicking on those take a user to download malicious files.
The observed malware distribution pattern is not consistent, however, trusted sites such as Mediafire and Discord are used to host malware in numerous campaigns.
The redirection sites delivering malicious files have fewer fancy names and are hosted on xyz and cfd top-level domains.
The downloaded files are archives, including a 1.3MB ZIP with a password to avoid AV scans and a TXT file with a password.
The size of the unpacked ZIP was 600MB using byte padding as an anti-analysis practice followed by numerous malware authors.
The executable is a malware loader that obtains an encoded PowerShell command that executes a Windows cmd[.]exe after a 10 seconds timeout to evade the sandbox analysis.
Use of stealers
The above-mentioned cmd[.]exe process downloads a JPG file, which is a DLL file whose content is arranged in reverse.
The loader rearranges the contents in the correct order, obtains the final DLL, and the RedLine Stealer payload.
In some cases, attackers drop copies of the RecordBreaker stealer, packed with Themida tool for obfuscation.
The malicious campaigns have been successfully ongoing and already targeted numerous users online. To stay safe, avoid downloading pirated software, cracks, product activators, and serial key generators.