According to Sophos, these networks employ search engine optimization to push a “bait” webpage to the first page of search results for queries seeking “crack” versions of popular software products; the sites then delivered a range of malware, including information stealers, clickfraud bots and other threats.
This network of sites targets those seeking “cracked” versions of popular software packages with links that redirect victims to a payload designed for their platform.
How is popular pirated software used as a lure to serve up malware droppers?
Some victims who click the bait pages are directed to a download site that hosts a packaged archive containing malware, while others are steered to browser plugins or applications that fall into a potentially unwanted grey area.
The downloads contained a variety of potentially unwanted applications and malware, including Stop ransomware, the Glupteba backdoor, and a variety of malicious cryptocurrency miners in addition to Raccoon Stealer. Several of the malware campaigns that hosted the “cracked” software were powered in part by InstallUSD, an advertising network based in Pakistan which promises a payment of up to $5 US for every software install delivered.
The researchers also found a number of other such services that, instead of offering their own malware delivery networks, act as "go-betweens" to established malvertising networks that pay website publishers for traffic.
Many of these services advertise on the same boards where criminal affiliates can set up accounts quickly, but most require a deposit paid in Bitcoin before they can begin distributing installers.
All of these delivery methods dropped packages with the same basic characteristics: the download was a .zip archive named after the alleged “cracked” product the target sought, and inside, the archive contained an additional .zip archive and a file with “password” in its name.
Because the malicious payloads sit in password-protected archives, and in formats that Windows Explorer cannot open natively, endpoint security tools cannot scan them during download.
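As an added example (not code from Sophos or from the article), the following Python check inspects a downloaded .zip for the layout just described: a nested archive, a file with “password” in its name, and whether the nested zip's entries carry the “encrypted” flag that defeats plain content scanning. The product name and the sample archive are constructed for illustration.

```python
import io
import zipfile

ARCHIVE_EXTS = (".zip", ".rar", ".7z")


def assess_download(zip_bytes: bytes) -> dict:
    """Report the structural traits described above for one downloaded archive:
    a nested archive, a 'password' file, and whether the nested zip's entries
    set bit 0 (encrypted) of the general purpose flag."""
    r = {"nested_archive": None, "password_file": False, "nested_encrypted": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for info in outer.infolist():
            base = info.filename.rsplit("/", 1)[-1].lower()
            if "password" in base:
                r["password_file"] = True
            if base.endswith(ARCHIVE_EXTS):
                r["nested_archive"] = info.filename
                if base.endswith(".zip"):  # only zip nesting is parsed here
                    try:
                        with zipfile.ZipFile(io.BytesIO(outer.read(info))) as inner:
                            r["nested_encrypted"] = any(i.flag_bits & 0x1 for i in inner.infolist())
                    except zipfile.BadZipFile:
                        pass  # nested file is not a readable zip; leave the flag unset
    r["matches_lure_layout"] = bool(r["nested_archive"]) and r["password_file"]
    return r


def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Test-data helper: set bit 0 (encrypted) in every local and central header.
    The payload stays plaintext; zip readers merely report it as password protected."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)


def build_sample(product="Adobe_Photoshop_2021_Crack", encrypted=True, password_file=True) -> bytes:
    """Constructed sample mirroring the described layout; not a real capture."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:  # ZIP_STORED, so the header scan above is safe
        z.writestr(f"{product}/Setup.exe", b"placeholder, not a real binary")
    inner_bytes = _mark_encrypted(inner.getvalue()) if encrypted else inner.getvalue()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr(f"{product}/{product}.zip", inner_bytes)
        if password_file:
            z.writestr(f"{product}/password.txt", b"constructed hint file")
    return outer.getvalue()
```

Running `assess_download(build_sample())` flags the sample as matching the lure layout with an encrypted nested archive, whereas a download without the password file or the nested archive does not match.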
Dropper packages and the malware delivery platforms have been around for a long time, and they continue to thrive because of the same sort of market dynamics as those that make stealers as a service so profitable.